Phishing Campaign Spreads Ursnif Trojan

The NJCCIC has detected a new phishing campaign that can bypass some email security gateways and deliver emails containing a malicious attachment to recipients. While the email subject lines vary, the Microsoft Word attachment file names are typically related to quotes for products or shipment information in an attempt to convince the user to open the file. If the macros in the attachment are enabled, the Ursnif trojan downloads onto the user's computer. This version of the Ursnif trojan is designed to collect information on the infected device and perform keylogging. Given the success of the email campaign in bypassing email security filters, the NJCCIC strongly recommends educating end users about the variety of email-based threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, be sure to run updated antivirus software on the system to detect and remove Ursnif infections and have them proactively change their passwords to any account accessed on the infected system.