These files are accompanied by an email, describing the attachment as an invoice for some service your company has supposedly paid for. The instructions in the email helpfully include a password that can be used to open the file.
If a user double-clicks the attachment, sure enough, they’re presented with a password prompt. Typing in the password brings up a Word document that contains several other embedded docs.
If the user clicks on any of the embedded documents, they’ll be prompted to run a VBScript, and if they click “yes” to do so, instead of opening the expected Word file, what actually happens is that the Ursnif keylogger is installed.
This keylogger not only logs all of the user’s keystrokes from that point on and stores them in an archive file, but also includes notes on any applications that are opened and copies of any files that are created. In addition, it makes copies of anything placed on the user’s clipboard.
The archive files created by the malware are then periodically shipped, via Tor, to the hackers for review.
It’s an amazingly effective solution, and it works because when a Word file is password protected, it becomes encrypted, which makes it harder for most antivirus software to detect any malware it might contain. It also relies heavily on social engineering, because after all, you’ve got diligent employees who want to do a good job, and will want to promptly pay their invoices. This is the key that gets a surprising percentage of them to open the poisoned files in the first place.
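Because a password-protected Word file is encrypted, a mail gateway cannot inspect its contents, so the practical defensive check is to recognise such attachments and hold them for review. The following is an added example, not code from the original post or any specific product: a password-protected .docx is stored as an OLE compound file containing the streams EncryptionInfo and EncryptedPackage (whereas a plain .docx is a zip), and this script spots that signature in the raw bytes. The sample attachments are constructed inline; the function names and quarantine policy are assumptions.

```python
"""Flag password-protected (encrypted) Office attachments for analyst review."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # a plain OOXML (.docx) is a zip
# Encrypted OOXML is wrapped in an OLE container holding these two streams;
# stream names live in the OLE directory entries as UTF-16LE, so a raw byte
# search is a cheap heuristic that needs no OLE parser.
ENCRYPTED_STREAMS = ["EncryptionInfo".encode("utf-16-le"),
                     "EncryptedPackage".encode("utf-16-le")]

def classify_office_attachment(data: bytes) -> str:
    """Return 'zip-ooxml', 'ole-encrypted-ooxml', 'ole-legacy' or 'other'."""
    if data.startswith(ZIP_MAGIC):
        return "zip-ooxml"
    if not data.startswith(OLE_MAGIC):
        return "other"
    if all(name in data for name in ENCRYPTED_STREAMS):
        return "ole-encrypted-ooxml"
    return "ole-legacy"

def should_quarantine(filename: str, data: bytes) -> bool:
    """Hold the attachment when it is encrypted (AV cannot scan it), or when
    the extension claims OOXML but the bytes are an OLE container (mismatch)."""
    kind = classify_office_attachment(data)
    if kind == "ole-encrypted-ooxml":
        return True
    ooxml_ext = filename.lower().endswith((".docx", ".xlsx", ".pptx"))
    return ooxml_ext and kind == "ole-legacy"

def _fake_ole(stream_names):
    """Constructed sample: 512-byte OLE header plus one directory sector of
    128-byte entries (UTF-16LE name padded to 64 bytes, name length, zeros)."""
    header = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    entries = b""
    for name in stream_names:
        raw = (name + "\x00").encode("utf-16-le")
        entries += raw.ljust(64, b"\x00") + struct.pack("<H", len(raw)) + b"\x00" * 62
    return header + entries.ljust(512, b"\x00")

# Constructed sample attachments (not real malware samples)
ENCRYPTED_DOCX = _fake_ole(["Root Entry", "EncryptionInfo", "EncryptedPackage"])
LEGACY_DOC = _fake_ole(["Root Entry", "WordDocument", "1Table"])
PLAIN_DOCX = ZIP_MAGIC + b"\x14\x00" + b"[Content_Types].xml"

if __name__ == "__main__":
    for fname, blob in [("invoice.docx", ENCRYPTED_DOCX),
                        ("invoice.docx", PLAIN_DOCX),
                        ("invoice.doc", LEGACY_DOC)]:
        print(fname, classify_office_attachment(blob), should_quarantine(fname, blob))
```

This only identifies encrypted containers; it does not decrypt or scan them, so flagged files still need a human or a sandbox that is given the password.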
As ever, education is the order of the day here, and by far the best method of minimizing the impact of such an attack on your organization. Now would be a good time to remind all employees never to open attachments sent to them by unknown parties, and even if the sender is known, a great second step is to pick up the phone and call for verification.
Such steps can save you a lot of grief, and a lot of money.