
Remove Ursnif Trojan (Purolator Phishing) Scam

This article will aid you to remove the Ursnif Trojan (Purolator phishing scam) completely. Follow the Trojan horse removal instructions given at the end of the article.

Ursnif Trojan is a banking Trojan horse that is currently being spread via a Purolator phishing scam whose message claims that you have a package. One of the most widespread messages says: "Purolator have a package for you". Pop-ups that appear constantly can also lock your browser on that page. E-mail campaigns are also spreading the phishing scam. You might experience redirects. In some cases the browser can be shut down without any negative impact, but in others your system and browser could get infected with the Ursnif Trojan. Most variants of this scam feature a background image that uses the brand and logo of the Purolator shipping company.

Threat Summary

Name: Ursnif Trojan horse
Type: Trojan horse, Phishing Scam
Short Description: Phishing scam which tries to take you (with click-bait and social engineering tactics) to a Purolator phishing page that spreads the Ursnif Trojan or other viruses.
Symptoms: Pop-up boxes, messages and redirects appear in your browser, or such are sent to your email. A lock-screen function that keeps prompting you to click a link may also be among them.
Distribution Method: Suspicious Sites, Redirects, Email Phishing Links
Detection Tool: See If Your System Has Been Affected by malware
User Experience: Join Our Forum to Discuss Ursnif Trojan horse.

Ursnif Trojan (Purolator Phishing) Scam — Update October 2019

A recently discovered campaign distributing the Ursnif Trojan has been detected by computer specialists. This discovery shows that the malware is still actively used by hacking groups, which suggests that it is available on underground hacker portals and is further customized by criminals. The ongoing campaign appears to target primarily Italy and Canada, using phishing strategies that focus on sending out email messages carrying malware files. The payloads in question are macro-infected documents which are either attached to the messages or embedded in the emails. The emails themselves are designed to look like legitimate notifications or service announcements, and users are manipulated into clicking on them. The documents can be of all popular file formats, including presentations, databases, text files and spreadsheets. As soon as they are opened, a prompt appears asking the user to enable the built-in code in order to correctly view the contents.

Executing the macros can deliver the malware file, which will then run itself. An alternative is to send out double-extension files which, when run, unpack a .zip archive that contains a built-in executable. Once started, the infection runs a dangerous sequence consisting of the following modules:

  • Web Browser Interaction — The main engine of the Trojan can interact with the installed web browsers by accessing the data stored in them, and it can also modify their settings so that they always redirect to a certain hacker-controlled web page.
  • System Reconfiguration — The Ursnif Trojan is capable of editing out the configuration files of the operating system or any of the installed user software.
  • Additional Malware Delivery — The Ursnif Trojan can be a very effective tool for deploying other viruses onto the already compromised computers.

Ursnif Trojan (Purolator Phishing) Scam – Distribution Techniques

Browsing the Web can be dangerous, especially when you reach new and unknown websites by casually browsing and they turn out to be malicious. Advertisements or targeted content can contain hidden links that redirect you to dubious online places. Other websites could be filled with advertisements and redirect links, and you could land on a page such as the Ursnif Trojan (Purolator Phishing) one.

Email campaigns that spread malicious links, ads, attachments and links to phishing landing pages are connected with the spread of the Purolator Phishing Scam, which loads the Ursnif Trojan horse onto your system. The attachments can be Microsoft Word documents with embedded malicious VBS macros. These macros run a PowerShell script, which downloads Ursnif to the compromised PC. In the two pictures above (the one above this paragraph and the one at the very beginning of the article) you can see exactly how one such email message is presented to potential victims. Its content is:

Your parcel is registered with the branch of Canada Post.
You may get track number immediately with our online Track instrument PRESS HERE or digit it in your web browser http://canadacpost(.)tk/treck21413252.zip
Our tracking system is refreshed every 24 hours to provide you with the most current information available about the geographic position and status of your item.

That is one of the messages that spread via email and is seen above the last paragraph in this section of the article. If you have downloaded a .zip file that you are suspicious of, you can always check its contents for malware with ZipeZip Online Scanner. However, do not be tempted to open any links from emails especially if they look like the one discussed above or if they are sent from an unknown (unverified) source.

Ursnif Trojan (Purolator Phishing) Scam – In Greater Depth

Ursnif Trojan is being pushed by a number of Purolator phishing scam messages. The scam has a few different landing pages, which use the brand, logo, design and fonts of Purolator, including the text and element placement of its official site. All of this is done to convince you to click somewhere and enter your credentials on a phishing page. Thus your account and profile data can get stolen and hijacked, or simply spoofed so they can be sold somewhere.

In the screenshot image below, you can see one of the scam pages, which carries a convincing message using the Purolator brand and requires you to click somewhere on the page:

If you indeed click on the spot which cybercriminals wish you to click, you could get redirected to a phishing page and/or get your computer system infected with the Ursnif Trojan (Purolator Phishing) threat.

The message in the above snapshot of the current Ursnif Trojan (Purolator Phishing) scam states the following:

PUROLATOR HAVE A PACKAGE FOR YOU!
HOW TO GET YOUR PACKAGE IN ONE PIECE
Please follow the steps below.
Download the Purolator Label containing your tracking number.

[Click here for your label]

After downloading your label, open the label information and locate your tracking number. You may reschedule a redeliver from us or arrange a pick up from our location.

Purolator Your Shipping Solutions

All of these Ursnif Trojan (Purolator Phishing) scams could also be displayed as pop-up alerts on websites, in applications, in emails and by other means. The Ursnif v3 banking Trojan has been observed using sophisticated targeting techniques in the past, so it is no wonder that its operators have decided to use a phishing scam built around one of Canada’s best-known shipping services.

In case there is a telephone number present somewhere on the site, know that the criminals on the other end of the line will try to trick you into giving them information related to Purolator, or information that is even more personal. Do not believe them if they present themselves as employees of Purolator or another notable company. Also keep in mind that the Ursnif Trojan might use a silent dropper technique that can be triggered just by opening the Purolator Phishing scam page.

The browsers you have installed, or your computer screen, can become locked so that your whole screen seems blocked and totally inaccessible. In such a situation, you could try pressing the “Windows” key and combinations such as “Ctrl+Alt+Del”, or even the “Close” button, to check whether you can still interact with your computer.

You could also get prompted to download and install a tool which might be the Ursnif Trojan or some other malware. Keep in mind that it is all part of the scam and you shouldn’t follow any instructions given on your computer screen.

If you see any similar messages, know that they aren’t coming from Purolator. Also, no matter how many pop-ups, alerts and message boxes are shown, try to remember that this is a sophisticated scam that wants to harm your computer or steal credentials, banking data or other information from you.

Ursnif Trojan (Purolator Phishing) Scam – How to Avoid?

In this section, you will find a simple set of rules and guidelines to follow in order to prevent yourself from falling into a trap related to the Ursnif Trojan (Purolator phishing) scam and other related threats. If you are reading this article, you should now know that there is a multitude of scams involving Purolator shipment or parcel notifications. Below you will see what you should do.

Purolator’s official warning alert should be enough of a hint to you that there are such scams pushed time and time again. For further reference, the web address for the official Purolator website is https://www.purolator.com/en/home.page and its main page is displayed below:

As you now know about the existence of the emails involving the Ursnif Trojan (Purolator phishing) scam and the official Purolator site page, refer to the following guidelines on how to avoid most scams linked to using the shipping brand for their schemes:

  • Never pay before your goods get delivered
  • Do not provide any details about you, your addresses or similar information via email or unknown Websites
  • Do not open email attachments, as Purolator does not send such attachments, nor does it ask users to open them
  • Always use Purolator’s official website to refer to pages in connection with the service
  • Avoid messages with grammatical or typographical errors
  • Avoid emails that are not addressed to you by name
  • Avoid messages sent by a service you don’t expect to hear from
  • Avoid messages that do not include a tracking number or specific details about your order or address
  • Avoid clicking on links to provide your email address for verification
  • Avoid payments to someone whose identity you can’t confirm

The guideline rules listed above were put together by the SensorsTechForum team through research on the matter. They are based on common sense and on the various scams related to Purolator.

Remove Ursnif Trojan (Purolator Phishing) Scam

To remove the Ursnif Trojan (Purolator Phishing) scam and its related Trojan horse files manually from your PC, follow the step-by-step removal instructions provided below. If the manual removal guide does not get rid of the scam and its redirects completely, you should search for and remove any leftover items with an advanced anti-malware tool. Software like that will keep your system secure in the future.

Tsetso Mihailov


Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.




How to Remove Ursnif Trojan horse from Windows.


Step 1: Boot Your PC In Safe Mode to isolate and remove Ursnif Trojan horse


1. Hold the Windows key + R


2. The "Run" Window will appear. In it, type "msconfig" and click OK.


3. Go to the "Boot" tab. There select "Safe Boot" and then click "Apply" and "OK".
Tip: Make sure to reverse those changes by unticking Safe Boot after that, because your system will always boot in Safe Boot from now on.


4. When prompted, click on "Restart" to go into Safe Mode.


5. You can recognise Safe Mode by the words written on the corners of your screen.


Step 2: Uninstall Ursnif Trojan horse and related software from Windows

Here is a method in a few easy steps that should be able to uninstall most programs. Whether you are using Windows 10, 8, 7, Vista or XP, these steps will get the job done. Dragging the program or its folder to the Recycle Bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, which can lead to an unstable PC, errors with file type associations and other unpleasant effects. The proper way to get a program off your computer is to uninstall it. To do that:


1. Hold the Windows Logo Button and "R" on your keyboard. A Pop-up window will appear.


2. In the field type in "appwiz.cpl" and press ENTER.


3. This will open a window with all the programs installed on the PC. Select the program that you want to remove, and press "Uninstall"
Follow the instructions above and you will successfully uninstall most programs.


Step 3: Clean any registry entries created by Ursnif Trojan horse on your computer.

The usually targeted registry keys on Windows machines are the following:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

You can access them by opening the Windows Registry Editor and deleting any values created by Ursnif Trojan horse there. To do this, follow the steps underneath:

1. Open the Run Window again, type "regedit" and click OK.


2. When you open it, you can freely navigate to the Run and RunOnce keys, whose locations are shown above.


3. You can remove the virus's value by right-clicking on it and deleting it.
Tip: To identify a virus-created value, right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.
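To make the check from the tip above less error-prone, the following PowerShell script (an added example, not part of the original guide) lists every value in the four Run/RunOnce keys, resolves the file each one launches, and flags targets that are missing, unsigned, started via a script host, or located in user-writable folders such as AppData or Temp. The flags are heuristics to guide manual review, not a verdict; the folder list and name patterns are assumptions chosen for this example.

```powershell
# Added example: audit the Run/RunOnce autostart keys named in Step 3.
# Run in an elevated PowerShell so that the HKLM keys are readable.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption for this example: legitimate installers rarely register
# autostart binaries from these user-writable directories.
$suspiciousDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                    $env:ProgramData, "$env:USERPROFILE\Downloads")

function Get-CommandPath {
    param([string]$Command)
    # Take the quoted program path if present, otherwise the first token
    # before any arguments, and expand %VARIABLES% in either case.
    if ($Command -match '^\s*"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    $token = ($Command -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($token)
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd   = $item.GetValue($name)
        $path  = Get-CommandPath $cmd
        $flags = @()

        $exists = Test-Path -LiteralPath $path
        if (-not $exists) { $flags += 'FILE-MISSING' }

        foreach ($dir in $suspiciousDirs) {
            if ($dir -and $path -like "$dir\*") { $flags += 'USER-WRITABLE-DIR'; break }
        }

        # Script hosts launched at logon deserve a second look (see the
        # macro-to-PowerShell chain described earlier in the article).
        if ($path -match '(?i)\\(powershell|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$') {
            $flags += 'SCRIPT-HOST'
        }

        $sig = $null
        if ($exists) {
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            if ($sig -ne 'Valid') { $flags += 'NOT-SIGNED' }
        }

        [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Command   = $cmd
            Target    = $path
            Signature = $sig
            Flags     = ($flags -join ',')
        }
    }
}

# Flagged entries sort to the top; review each target before deleting a value.
$report | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Many legitimate programs are unsigned or start from AppData, so treat a single flag as a prompt to inspect the file (for example by checking its properties and scanning it), not as proof of infection.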

IMPORTANT!
Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Step 4: Scan for Ursnif Trojan horse with SpyHunter Anti-Malware Tool

1. Click on the "Download" button to proceed to SpyHunter's download page.


It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter's EULA, Privacy Policy and Threat Assessment Criteria.


2. After you have installed SpyHunter, wait for it to update automatically.



3. After the update process has finished, click on the 'Malware/PC Scan' tab. A new window will appear. Click on 'Start Scan'.



4. After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the 'Next' button.


If any threats have been removed, it is highly recommended to restart your PC.



Get rid of Ursnif Trojan horse from Mac OS X.


Step 1: Uninstall Ursnif Trojan horse and remove related files and objects



1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:


2. Find Activity Monitor and double-click it:


3. In the Activity Monitor look for any suspicious processes, belonging or related to Ursnif Trojan horse:

Tip: To quit a process completely, choose the “Force Quit” option.


4. Click on the "Go" button again, but this time select Applications. Another way is with the ⇧+⌘+A buttons.


5. In the Applications menu, look for any suspicious app or an app with a name, similar or identical to Ursnif Trojan horse. If you find it, right-click on the app and select “Move to Trash”.


6. Select Accounts, then click on the Login Items preference. Your Mac will then show you a list of items that start automatically when you log in. Look for any suspicious apps identical or similar to Ursnif Trojan horse. Check the app you want to stop from running automatically and then click the Minus (“-”) icon to hide it.


7. Remove any left-over files that might be related to this threat manually by following the sub-steps below:

  • Go to Finder.
  • In the search bar type the name of the app that you want to remove.
  • Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
  • If all of the files are related, press ⌘+A to select them and then drag them to “Trash”.

In case you cannot remove Ursnif Trojan horse via Step 1 above:

In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:

Disclaimer! If you are about to tamper with Library files on Mac, be sure to know the name of the virus file, because if you delete the wrong file, it may cause irreversible damage to your MacOS. Continue on your own responsibility!

1: Click on "Go" and Then "Go to Folder" as shown underneath:

2: Type in "/Library/LaunchAgents/" and click Ok:

3: Delete all of the virus files that have similar or the same name as Ursnif Trojan horse. If you believe there is no such file, do not delete anything.

You can repeat the same procedure with the following other Library directories:

  • ~/Library/LaunchAgents
  • /Library/LaunchDaemons

Tip: ~ is there on purpose, because it leads to more LaunchAgents.


Step 2: Scan for and remove malware from your Mac

When you are facing problems on your Mac as a result of unwanted scripts, programs and malware, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.





Remove Ursnif Trojan horse from Google Chrome.


Step 1: Start Google Chrome and open the drop menu


Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"


Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.


Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.




Erase Ursnif Trojan horse from Mozilla Firefox.

Step 1: Start Mozilla Firefox. Open the menu window


Step 2: Select the "Add-ons" icon from the menu.


Step 3: Select the unwanted extension and click "Remove"


Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.





Uninstall Ursnif Trojan horse from Microsoft Edge.


Step 1: Start Edge browser.


Step 2: Open the drop menu by clicking on the icon at the top right corner.


Step 3: From the drop menu select "Extensions".


Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.


Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.





Remove Ursnif Trojan horse from Safari.


Step 1: Start the Safari app.


Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.


Step 3: From the menu, click on "Preferences".



Step 4: After that, select the 'Extensions' Tab.



Step 5: Click once on the extension you want to remove.


Step 6: Click 'Uninstall'.


A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the Ursnif Trojan horse will be removed.


How to Reset Safari
IMPORTANT: Before resetting Safari make sure you back up all your saved passwords within the browser in case you forget them.

Start Safari and then click on the gear icon.

Click the Reset Safari button and you will reset the browser.




Eliminate Ursnif Trojan horse from Internet Explorer.


Step 1: Start Internet Explorer.


Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'


Step 3: The 'Manage Add-ons' window will open.


Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.


Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.

