
Gandcrab Ransomware And Ursnif Virus Spreading Via MS Word Macros

Researchers have discovered two distinct malware campaigns, one of which distributes the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, and the other of which infects victims only with the Ursnif malware.

Even though the two campaigns appear to be the work of different cybercriminal groups, they share many similarities. Each attack begins with a phishing email carrying a Microsoft Word attachment with malicious macros, and each then uses PowerShell to deliver fileless malware.

Ursnif is a data-stealing malware that harvests sensitive information from compromised computers, including banking credentials, browsing history, keystrokes, and system and process data, and that can also deploy additional backdoors.

GandCrab is a widespread ransomware threat that, like every other ransomware on the market, encrypts files on an infected system and requires victims to pay a ransom in digital currency to decrypt them. GandCrab was discovered early last year. Its developers prefer DASH payments, which are more difficult to track.

MS Word documents plus VBS macros equal Ursnif and GandCrab infection

Security researchers at Carbon Black discovered the first campaign, which distributes both threats, after locating approximately 180 variants of MS Word documents that target users with malicious VBS macros.

If successfully executed, the malicious VBS macro launches a PowerShell script that employs a series of techniques to download and execute Ursnif and GandCrab on the targeted systems.

The base64-encoded PowerShell script executes the subsequent infection stage, which is responsible for downloading the system-compromising malware payloads.

The initial payload is a PowerShell one-liner that evaluates the architecture of the targeted system and then downloads an additional payload from the Pastebin website. This additional payload is executed in memory, making it difficult for conventional anti-virus techniques to detect its activities.

This PowerShell script is a minimally modified version of the Empire Invoke-PSInject module, according to researchers at Carbon Black. “The script will take a base64-encoded embedded PE [Portable Executable] file and inject it into the current PowerShell process.”

The final payload then installs a variant of the GandCrab ransomware on the victim’s system, preventing access until a ransom is paid in digital currency.

The malware also downloads an Ursnif executable from a remote server, which, once executed, will fingerprint the system, monitor web browser traffic to collect data, and then send it to the command and control (C&C) server of the attackers.

“During this campaign, however, numerous Ursnif variants were hosted on the website. Carbon Black was able to identify approximately 120 distinct Ursnif variants hosted on the iscondisth[.]com and bevendbrec[.]com domains,” researchers stated.

MS Word documents plus VBS macros equal Ursnif data-stealing malware

Similarly, the second malware campaign discovered by security researchers at Cisco Talos utilizes a Microsoft Word document containing a malicious VBA macro to distribute an additional variant of the same Ursnif malware.

This malware attack compromises targeted systems in multiple stages, beginning with phishing emails, then executing malicious PowerShell commands to achieve fileless persistence, and finally downloading and installing the Ursnif virus that steals sensitive data.

“The [PowerShell] command consists of three parts. The first section creates a function for decoding base64-encoded PowerShell. The second section generates an array of bytes containing a malicious DLL,” researchers from Talos explained.

“The third section executes the base64 decode function created in the first section, passing an encoded string as the function’s parameter. The returned decoded PowerShell is executed by the Invoke-Expression (iex) shorthand function.”
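The three-part structure Talos describes (a base64 decode helper, an embedded byte array, then decode plus iex), like the base64-encoded stages in the Carbon Black campaign, leaves a recognisable shape in PowerShell script-block logs. The following Python is an added detection example, not code from either vendor's write-up; its log lines are constructed stand-ins, and the encoded inner command is a harmless architecture check standing in for the real second stage.

```python
import base64
import re

# Constructed sample script-block log entries (not real campaign artefacts).
# The first mirrors the three-part command: decode helper, byte array, iex.
INNER = "if ([IntPtr]::Size -eq 8) { 'x64' } else { 'x86' }"  # harmless stand-in
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "function d($s){[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($s))};"
    "[byte[]]$b=0x4d,0x5a,0x90,0x00;"   # constructed marker bytes, not a real DLL
    f"iex (d '{ENCODED}')",
    "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
]

DECODE_RE = re.compile(r"FromBase64String", re.I)
EXEC_RE = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
BYTES_RE = re.compile(r"\[byte\[\]\]", re.I)
B64_RE = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")

def decode_candidates(line):
    """Decode every quoted base64 literal, trying UTF-16LE first (the
    encoding PowerShell's Unicode.GetString expects), then UTF-8.
    Only readable results are returned so an analyst can inspect them."""
    out = []
    for m in B64_RE.finditer(line):
        raw = base64.b64decode(m.group(1))
        for enc in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isprintable():
                out.append(text)
                break
    return out

def analyse(line):
    """Score one script block. Decode helper plus iex is the core indicator;
    an embedded byte array adds weight. Returns (score, reasons, decoded)."""
    reasons = []
    if DECODE_RE.search(line):
        reasons.append("base64 decode")
    if EXEC_RE.search(line):
        reasons.append("invoke-expression")
    if BYTES_RE.search(line):
        reasons.append("embedded byte array")
    decoded = decode_candidates(line) if "base64 decode" in reasons else []
    return len(reasons), reasons, decoded

def flagged(line, threshold=2):
    return analyse(line)[0] >= threshold
```

Running `analyse` over the first sample returns a score of 3 and recovers the inner command in clear text, while the ordinary `Get-Process` pipeline scores 0.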

Once the malware is executed on the victim’s computer, it collects information from the system, stores it in a CAB archive, and then transmits it to its command-and-control server over an HTTPS connection.

In their blog post, Talos researchers have provided a list of indicators of compromise (IOCs), as well as the names of payload files dropped on compromised machines, that can be used to detect and stop the Ursnif malware before it infects your network.
