A new phishing campaign has been detected in the wild spreading a fresh variant of the Ursnif Trojan via an attached MS Word document. The campaign continues to target Italy. Although Ursnif is identified as a banking Trojan, its C2 server has been shut down, so this latest variant has been unable to download the malicious banking module it needs to steal banking information from the victim, and it fails to start the second stage of its attack. The email content used in this malspam campaign translates as:
A recent accounting audit shows that your invoice number 294316 of 12/10/2020 expired on 12/11/2020. As of today, it has not yet been paid by you.
Therefore, please normalize your accounting position as soon as possible. We are also reminding you that this payment can be made by bank transfer using the IBAN indicated in the invoice, or by bank check or bank draft.
You can consult the invoice and the details for the payment through the attached archive.
We thank you for your attention and we send you kind regards.
Attached to the email is an MS Word document named “residuo_8205843.doc”. The text lures the victim into opening the document to get more details of the invoice.