- \n
- The initial attack vector is a phishing email with a Microsoft Word document attachment.<\/li>\n
- Upon opening the document, VBA executes a malicious shellcode<\/li>\n
- Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.<\/li>\n<\/ul>\n
Infection Chain<\/em><\/h2>\n
The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe<\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure1-flowchart-of-infection-chain.png\")
Figure 1- flowchart of infection chain<\/figcaption><\/figure>\n Word Analysis<\/em><\/h2>\n
Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.<\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-2-Image-of-what-the-user-sees-upon-opening-the-document-1024x527.png\")
Figure 2- Image of what the user sees upon opening the document<\/figcaption><\/figure>\n VBA Macro Analysis of Word Document<\/h2>\n
Analyzing the sample statically with \u2018oleId\u2019 and \u2018olevba\u2019 indicates the suspicious vectors..<\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-3-Oleid-output.png\")
Figure 3- Oleid output<\/figcaption><\/figure>\n ![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-4-Olevba-output.png\")
Figure 4- Olevba output<\/figcaption><\/figure>\n The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5<\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-5-Obfuscated-VBA-macro-1024x487.png\")
Figure 5- Obfuscated VBA macro<\/figcaption><\/figure>\n To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.<\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-6-De-obfuscated-VBA-macro-stage-1-1024x358.png\")
Figure 6- De-obfuscated VBA macro (stage 1)<\/figcaption><\/figure>\n ![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-7-De-obfuscated-VBA-macro-stage-2-1024x401.png\")
Figure 7- De-obfuscated VBA macro (stage 2)<\/figcaption><\/figure>\n An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function \u201cActiveDocument.CustomDocumentProperties()” is used to retrieve the properties and uses “StrReverse” to reverse the contents.<\/span>\u00a0<\/span><\/p>\n
We can see the document properties in Figure-8\u00a0<\/span>\u00a0<\/span><\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/img.png\")
<\/p>\n![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-8-Document-properties.png\")
Figure 8- Document properties<\/figcaption><\/figure>\n Payload Download and Execution:<\/span>\u00a0<\/span><\/h2>\n
The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal\/hex value and executes it. The shellcode is shown below.<\/span>\u00a0<\/span><\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-9-Raw-Company-property.png\")
Figure 9- Raw Company property<\/figcaption><\/figure>\n The<\/span> shellcode <\/span>is <\/span>written<\/span> to <\/span>memory and the<\/span> access protection<\/span> is changed to <\/span>PAGE_<\/span>EXECUTE_READWRITE<\/span><\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-10-Code-of-VirtualProtect.png\")
Figure 10- Code of VirtualProtect<\/figcaption><\/figure>\n ![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-11-Shellcodes-memory-and-protection-after-calling-VirtualProtect.png\")
Figure 11- Shellcode\u2019s memory and protection after calling VirtualProtect()<\/figcaption><\/figure>\n After <\/span>adding<\/span> the shellcode in memory, <\/span>the <\/span>environment variable containing the malicious <\/span>URL of <\/span>Ursnif<\/span> payload is created.<\/span> This Environment variable will be <\/span>later used by the shellcode<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-12-Environment-variable-set-in-Winword.exe-space.png\")
Figure 12- Environment variable set in Winword.exe space<\/figcaption><\/figure>\n The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4<\/span>th<\/span> parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed.<\/span>\u00a0<\/span><\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-13-SetTimer-function-Execution-of-shellCode.png\")
Figure 13- SetTimer function (Execution of shellCode)<\/figcaption><\/figure>\n The shellcode downloads the file from the URL stored in the environmental variable and stores it as ” y9C4A.tmp.dll ” and executes it with rundll32.exe.<\/span>\u00a0<\/span><\/p>\n
\n\n
\n URL<\/span>\u00a0<\/span><\/td>\n hxxp:\/\/docmasterpassb.top\/kdv\/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM\/<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n CMD<\/span>\u00a0<\/span><\/td>\n rundll32 “C:\\Users\\user\\AppData\\Local\\Temp\\y9C4A.tmp.dll”,DllRegisterServer<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n ![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-14-Exports-of-Downloaded-DLL-1024x867.png\")
Figure 14- Exports of Downloaded DLL<\/figcaption><\/figure>\n After successful execution of the shellcode, the environment variable is removed.<\/span>\u00a0<\/span><\/p>\n
![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/Figure-15-Removal-of-Environment-Variable.png\")
Figure 15- Removal of Environment Variable<\/figcaption><\/figure>\n IOC<\/span>\u00a0<\/span><\/h2>\n
\n\n
\n TYPE<\/span><\/b>\u00a0<\/span><\/td>\n VALUE<\/span><\/b>\u00a0<\/span><\/td>\n PRODUCT<\/span><\/b>\u00a0<\/span><\/td>\n DETECTION NAME<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n \n Main Word Document<\/span>\u00a0<\/span><\/td>\n 6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f<\/span>\u00a0<\/span><\/td>\n McAfee LiveSafe and Total Protection<\/span>\u00a0<\/span><\/td>\n X97M\/Downloader.CJG<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n Downloaded dll<\/span>\u00a0<\/span><\/td>\n 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547<\/span>\u00a0<\/span><\/td>\n McAfee LiveSafe and Total Protection<\/span>\u00a0<\/span><\/td>\n Ursnif-FULJ<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n URL to download dll<\/span>\u00a0<\/span><\/td>\n hxxp:\/\/docmasterpassb.top\/kdv\/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM\/<\/span>\u00a0<\/span><\/td>\n WebAdvisor<\/span>\u00a0<\/span><\/td>\n Blocked<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n MITRE Attack Framework<\/span>\u00a0<\/span><\/h2>\n
\n\n
\n Technique ID<\/span><\/b>\u00a0<\/span><\/td>\n Tactic<\/span><\/b>\u00a0<\/span><\/td>\n Technique Details<\/span><\/b>\u00a0<\/span><\/td>\n Description<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n \n T1566.001<\/span><\/b>\u00a0<\/span><\/td>\n Initial Access<\/span>\u00a0<\/span><\/td>\n Spear phishing Attachment<\/span>\u00a0<\/span><\/td>\n Manual execution by user<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n T1059.005<\/span><\/b>\u00a0<\/span><\/td>\n Execution<\/span>\u00a0<\/span><\/td>\n Visual Basic<\/span>\u00a0<\/span><\/td>\n Malicious VBA macros<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n T1218.011<\/span><\/b>\u00a0<\/span><\/td>\n Defense Evasion<\/span>\u00a0<\/span><\/td>\n Signed binary abuse<\/span>\u00a0<\/span><\/td>\n Rundll32.exe is used<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n T1027<\/span><\/b>\u00a0<\/span><\/td>\n Defense Evasion<\/span>\u00a0<\/span><\/td>\n Obfuscation techniques<\/span>\u00a0<\/span><\/td>\n VBA and powershell base64 executions<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n T1086<\/span><\/b>\u00a0<\/span><\/td>\n Execution<\/span>\u00a0<\/span><\/td>\n Powershell execution<\/span>\u00a0<\/span><\/td>\n PowerShell command abuse<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u00a0<\/span>Conclusion<\/span>\u00a0<\/span><\/h2>\n
Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.\u00a0<\/span>\u00a0<\/span><\/p>\n
McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe\/Total Protection and McAfee Web Advisor.<\/span>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
Authored by Jyothi Naveen and Kiran Raj McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft…<\/p>\n","protected":false},"author":695,"featured_media":153711,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[4452,214],"coauthors":[4136],"class_list":["post-153472","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-cybersecurity","tag-mobile-security1"],"acf":[],"yoast_head":"\n
Phishing Campaigns featuring Ursnif Trojan on the Rise | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Jyothi Naveen and Kiran Raj McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Phishing Campaigns featuring Ursnif Trojan on the Rise | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Jyothi Naveen and Kiran Raj McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-08T04:29:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-12T19:28:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Phishing Campaigns featuring Ursnif Trojan on the Rise\",\"datePublished\":\"2022-06-08T04:29:40+00:00\",\"dateModified\":\"2023-07-12T19:28:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/\"},\"wordCount\":957,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg\",\"keywords\":[\"cybersecurity\",\"mobile security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/\",\"name\":\"Phishing Campaigns featuring Ursnif Trojan on the Rise | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg\",\"datePublished\":\"2022-06-08T04:29:40+00:00\",\"dateModified\":\"2023-07-12T19:28:07+00:00\",\"description\":\"Authored by Jyothi Naveen and Kiran Raj McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Phishing Campaigns featuring Ursnif Trojan on the Rise\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Phishing Campaigns featuring Ursnif Trojan on the Rise | McAfee Blog","description":"Authored by Jyothi Naveen and Kiran Raj McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Phishing Campaigns featuring Ursnif Trojan on the Rise | McAfee Blog","og_description":"Authored by Jyothi Naveen and Kiran Raj McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2022-06-08T04:29:40+00:00","article_modified_time":"2023-07-12T19:28:07+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Phishing Campaigns featuring Ursnif Trojan on the Rise","datePublished":"2022-06-08T04:29:40+00:00","dateModified":"2023-07-12T19:28:07+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/"},"wordCount":957,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg","keywords":["cybersecurity","mobile security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/","name":"Phishing Campaigns featuring Ursnif Trojan on the Rise | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg","datePublished":"2022-06-08T04:29:40+00:00","dateModified":"2023-07-12T19:28:07+00:00","description":"Authored by Jyothi Naveen and Kiran Raj McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/05\/300x200_Blog_MFE_Blogs_051722_Blog-1.jpg","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-campaigns-featuring-ursnif-trojan\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Phishing Campaigns featuring Ursnif Trojan on the Rise"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/153472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=153472"}],"version-history":[{"count":1,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/153472\/revisions"}],"predecessor-version":[{"id":171575,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/153472\/revisions\/171575"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/153711"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=153472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=153472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=153472"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=153472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}