There is currently an increasing number of emails with dangerous file attachments in circulation

Trojan warning: “Ursnif” is hidden in a Word file. The key points first:

  1. A wave of Trojans is currently hitting German-speaking countries through emails sent with infected files
  2. Unpacking the archive and opening the Word document brings the Trojan onto the computer
  3. A healthy distrust of such emails is appropriate

Current wave: The Trojan “Ursnif” is hidden in a Word file inside a zip archive that is sent as an email attachment. The malware targets, among other things, account data. In Germany, business emails that at first glance appear legitimate are currently landing in inboxes. Attached is a zip archive containing a Word document. The banking Trojan it delivers is meant to end up on Windows PCs and, among other things, copies login data.

Example of what an email like this can look like

Admins at Heise Online have already drawn attention to this, and readers have also contacted us about it. The Internet Storm Center also warns of the Trojan wave in an article, which also explains how to recognize a possible infection.

Antivirus programs cannot alert

The archive is password protected, so antivirus programs are unable to scan it and alert the user. So that the recipient can open the archive, the associated password is included in the email.

If you open the file attachment, you will be asked to enter the password here, which is in the email

Some of the emails come from well-known senders, relate to existing projects in companies and therefore appear very credible.
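
A password-protected archive like the one described above can still be flagged at the mail gateway: in the common ZIP encryption schemes, the entry names and the per-entry "encrypted" flag sit in the unencrypted central directory. The following Python code is an added example, not part of the original article; the function names and the sample mail are constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage

# Word formats that can carry VBA macros.
WORD_EXTS = (".doc", ".docm", ".dot", ".dotm")

def encrypted_word_entries(zip_bytes):
    """Return names of password-protected Word files inside a ZIP.

    Names and flags are read from the central directory, so no password
    is needed and the file contents are never decrypted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if i.flag_bits & 0x1 and i.filename.lower().endswith(WORD_EXTS)]

def suspicious_attachments(msg):
    """Map each ZIP attachment's filename to its encrypted Word entries."""
    hits = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data and zipfile.is_zipfile(io.BytesIO(data)):
            names = encrypted_word_entries(data)
            if names:
                hits[part.get_filename()] = names
    return hits

def constructed_sample():
    """Constructed test mail: a harmless ZIP whose entry is marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"placeholder, not a real document")
    raw = bytearray(buf.getvalue())
    cd = raw.find(b"PK\x01\x02")   # central directory file header
    raw[cd + 8] |= 0x01            # general purpose flag, bit 0 = encrypted
    msg = EmailMessage()
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Password for the archive: 1234")
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg

if __name__ == "__main__":
    print(suspicious_attachments(constructed_sample()))
```

A hit means only that the attachment cannot be scanned and contains a Word file, which is enough reason to quarantine it for manual review.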

How does the Trojan get onto the PC?

If you open the archive, you load a Word document onto your computer that is prepared to download the Trojan. According to the analysis platform Virustotal, only a fraction of antivirus scanners manage to alert correctly at the time of the report. If you then open the Word file, which is often disguised as an invoice, and activate the macro function as described in the document, you allow the Trojan onto your computer.


These macros generally only work with Microsoft Office. Downloading the Trojan should not work with LibreOffice and OpenOffice. Macros are disabled by default in Word for security reasons. However, they can be activated, which many attackers take advantage of. A report from heise Security shows how to handle Doc files safely.

Think first, then click!

You should always be a little suspicious of emails with file attachments or links. Especially if you don't expect such a message, you should ask the sender in advance whether this email actually comes from them before opening the attachments or clicking on links.

Source: Heise Online
Article image: Shutterstock / From one photo



