Cisco’s Advanced Malware Protection (AMP) Exploit Prevention engine detected a new malware campaign that spreads the Ursnif banking Trojan and uses PowerShell to achieve fileless persistence. Ursnif is an offspring of the original Gozi banking Trojan, whose source code was leaked online during 2014. The campaign uses Microsoft Word documents containing a malicious VBA macro that runs automatically through AutoOpen if macros are already enabled. The VBA macro contains a single line designed to execute the next infection stage by accessing the AlternativeText property of the Shapes object ‘j6h1cf’.
Source: https://www.bleepingcomputer.com/news/security/new-ursnif-malware-campaign-uses-fileless-infection-to-avoid-detection/
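
A triage check for the macro pattern described above, as an added example that is not from Cisco's or BleepingComputer's write-up. It assumes the VBA source has already been extracted from the document as text; the function names and both sample macros are constructed for illustration.

```python
import re

# Auto-run entry point named in the report; VBA identifiers are case-insensitive.
AUTO_RUN = re.compile(r"^\s*(?:public\s+|private\s+)?sub\s+(autoopen)\b", re.I | re.M)
# A reference to Shapes(<name or index>).AlternativeText, capturing the shape id.
ALT_TEXT = re.compile(r'\bshapes\s*\(\s*"?([^")]+)"?\s*\)\s*\.\s*alternativetext\b', re.I)

def normalize(source):
    """Join ' _' line continuations and drop comments so split statements match."""
    joined = re.sub(r"[ \t]_[ \t]*\r?\n[ \t]*", " ", source)
    cleaned = []
    for line in joined.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:  # comment starts here
                line = line[:i]
                break
        cleaned.append(line)
    return "\n".join(cleaned)

def triage_macro(source):
    """Flag a macro only when it auto-runs AND reads a shape's alt text."""
    text = normalize(source)
    entry = [m.group(1) for m in AUTO_RUN.finditer(text)]
    shapes = [m.group(1).strip() for m in ALT_TEXT.finditer(text)]
    return {"auto_run": entry, "shapes": shapes, "suspicious": bool(entry and shapes)}

# Constructed samples (not taken from the campaign); neither executes anything.
SAMPLE = '''Sub AutoOpen()
    Dim s As String
    s = ActiveDocument.Shapes( _
        "demo-shape").AlternativeText
    Debug.Print Len(s)
End Sub
'''
BENIGN = '''Sub FormatReport()
    ' legacy note: ActiveDocument.Shapes("logo").AlternativeText
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    print(triage_macro(SAMPLE))
    print(triage_macro(BENIGN))
```

A hit is a reason to inspect the named shape's alternative text in the document, not a verdict on its own.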

