Ursnif/Gozi Delivery: Old School Excel Macro 4.0 Utilization Uptick and the OCR Heuristics Bypass

released on 2020-06-04 @ 07:23:57 PM

Morphisec has been tracking an uptick in the delivery of Ursnif/Gozi during the COVID-19 pandemic. Specifically, we have noticed a significant spike in both numbers and sophistication. The latest delivery methods often involve old-school Excel 4.0 macro functionality, which has historically been a blind spot for AV detection because it has nothing to do with the VBA macro engine and is integrated as part of the workbook.