Salfram ! Banking Malware

A recently uncovered malicious email campaign is delivering to businesses multiple types of malware, including a Trojan designed to steal banking credentials and other financial information.

This email campaign, which started in January and remains active, also uses several techniques to evade detection and maximize its effectiveness, according to the report.

Email Campaign


The threat actors initially target organizations by leveraging the contact forms that are typically present on websites, the report notes.

In their initial emails submitted via those forms, the threat actors raise concerns about copyright violations related to certain images posted on the victim organization’s website. The attackers then embed a URL within this message and urge the targeted victim to click on it.

When the victim clicks this link, they are directed to a malicious Microsoft Word document that is hosted on Google Drive. When opened, this document enables macros that then download the malware to the compromised device, the researchers discovered.

“The use of a legitimate web platform for hosting the malicious content may provide another way for the attacker to evade various protections that may be deployed in environments that they are targeting,”.

Over the course of the campaign, the types of malware used by the threat actors varies, but it appears the threat actors always add the same crypter into the payload to help obfuscate the malicious content and make analysis more difficult.

“The crypter used in these campaigns is undergoing active development and improvements to obfuscate the contents of malware payloads,”.

Attacks Using Malware

ZLoader, which is a descendant of Zeus banking malware, has been in use by cybercriminals since December 2019. The malware has been included in emails sent by various criminal groups that try to lure victims by using a variety of themes, including COVID-19 testing and pandemic-related scam prevention.

Gozi ISFB, which is also known as Ursnif and Dreambot, is designed to steal passwords and credentials from victims – with a particular focus on the banking and financial sectors.

In August 2019, researchers at Fortinet uncovered a new variant of the Ursnif Trojan attempting to steal banking passwords and other credentials after being distributed through infected Microsoft Word documents

In March 2019, security researchers at Cybereason discovered a variant of the Ursnif malware that targeted Japanese-speaking bank customers

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s