Malicious Email Campaign Containing Ursnif Keylogger Impacting New Jersey Organizations

NJCCIC Alert

Original Release Date: 2017-07-13

On Wednesday afternoon, the NJCCIC received a Cyber Incident Report from an organization stating that several of its employees received a suspicious email containing a password-protected document. The NJCCIC email security team also verified that several New Jersey state employees received similar emails. The sender field contains a random name and the subject line contains the same name that is displayed in the signature of the email. The body of the email references a money transfer and contains a password to open and view the attached document. This attachment contains four embedded documents that, if opened, prompt the recipient to run a malicious JavaScript file that installs the Ursnif keylogger, a data-stealing Trojan that captures keystrokes made on the infected system. In April 2017, security firm PhishMe reported observing a similar widespread Ursnif distribution campaign that also used password-protected email attachments designed to trick recipients into installing the malware.

The NJCCIC recommends warning end users about this threat and reminding them never to open emails from unknown senders. If applicable, review email quarantine logs and delete emails associated with this campaign prior to their release. If an end user on your network has already opened the email attachment, disconnect the impacted system from the network and thoroughly scan it and clean the infection. For associated IoCs, please see the article about this campaign published on BleepingComputer.
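For the quarantine review recommended above, the following added example (not NJCCIC code) checks a raw message for the traits described in this alert: a subject that repeats the signature name, a password in the body, a money transfer reference, and a document attachment. The attachment extensions, keyword list, three-trait threshold and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy

DOC_EXTS = (".doc", ".docx")  # assumed; the alert only says "document"
TRANSFER_WORDS = ("money transfer", "wire transfer")  # assumed wording

def campaign_traits(raw):
    """Return which traits from the alert appear in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    subject = (msg["Subject"] or "").strip().lower()
    traits = set()
    if subject and subject in lines[-3:]:  # subject repeats the signature name
        traits.add("subject_is_signature_name")
    if "password" in body:
        traits.add("password_in_body")
    if any(w in body for w in TRANSFER_WORDS):
        traits.add("money_transfer_reference")
    for att in msg.iter_attachments():
        if (att.get_filename() or "").lower().endswith(DOC_EXTS):
            traits.add("document_attachment")
    return traits

def is_suspect(raw, threshold=3):
    """Flag for analyst review when at least `threshold` traits match."""
    return len(campaign_traits(raw)) >= threshold

# Constructed sample messages, not real campaign data.
SAMPLE_HIT = (
    'From: "Dana Whitfield" <dw@example.net>\nSubject: Dana Whitfield\n'
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Money transfer details attached.\nPassword: 4471\n\nRegards,\nDana Whitfield\n"
    "--b1\nContent-Type: application/msword\n"
    'Content-Disposition: attachment; filename="transfer.docx"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
)
SAMPLE_BENIGN = 'From: "Ops" <ops@example.org>\nSubject: Lunch Friday\n\nSee you at noon.\n'

if __name__ == "__main__":
    for name, raw in (("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN)):
        print(name, sorted(campaign_traits(raw)), is_suspect(raw))
```

A match is a prompt for analyst review before deletion, since legitimate mail can share some of these traits.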

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
