GandCrab ransomware and Ursnif virus spreading via MS Word macros

Today, cybersecurity researchers found two new and distinct malware campaigns.
The first distributes two major, well-known cyber threats: the Ursnif data-stealing trojan and the GandCrab ransomware; the second delivers only the Ursnif malware.

For those who don’t know, Ursnif is a data-stealing trojan that harvests sensitive information from infected devices (banking credentials, browsing activity, keystrokes, and system and process information) and can deploy additional backdoors. GandCrab is the most well-known and dangerous ransomware in circulation: it encrypts files on an infected system and pressures victims into paying a ransom in cryptocurrency to unlock them.

These two campaigns are operated by two separate hacker groups, but they share common ground: both start with phishing emails carrying an attached Microsoft Word document whose malicious macros use PowerShell to deliver fileless malware.
The first campaign delivers both pieces of malware via 180 variants of MS Word documents with embedded malicious VBS macros.

When a malicious VBS macro runs, a PowerShell script downloads and executes both Ursnif and GandCrab on the victim’s device.
The main PowerShell script is base64-encoded; its role is to execute the next stage of the infection, which is responsible for downloading the main malware.

The PowerShell script is a modified version of the Empire Invoke-PSInject module, altered to inject malicious code into the current PowerShell process.

The injected code then installs a variant of the GandCrab ransomware on the victim’s system, locking them out until they pay a ransom in cryptocurrency. At the same time, it also downloads an Ursnif executable that fingerprints the system, monitors the web browser and collects data.

Remember that everything can be hacked. To stay clear of cyber threats, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it runs. If you run a company, we also recommend hiring a specialized cybersecurity firm every year to run annual tests on your company’s network, including penetration testing and ethical hacking.

The second campaign is almost the same: it too uses a Microsoft Word document with malicious VBA macros, which deploy a different variant of the Ursnif malware.
This attack infects targeted systems in several similar stages. It starts with phishing emails that deliver malicious PowerShell commands; once persistence is established, the Ursnif data-stealing trojan is downloaded and installed.

Here the PowerShell command runs in three stages.
The first stage creates a function used to decode base64-encoded PowerShell. The second stage creates a byte array containing a malicious DLL.

The final stage calls the base64 decode function from the first stage on a base64 string, and the decoded PowerShell is then run through the Invoke-Expression (iex) function.
Once the decoded code runs on the victim’s computer, the malware collects information from the system, stores it in a CAB file, and sends it to the command-and-control server over an HTTPS connection.
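Both campaigns share the same observable: a macro spawns PowerShell with a base64-encoded script that decodes further base64 and hands it to Invoke-Expression. The script below is an added defender-side example, not code from the article or from either campaign: it decodes `-EncodedCommand` arguments the way PowerShell does (base64 over UTF-16LE), scores the decoded text against indicators such as `FromBase64String` and `iex`, and flags command lines above a threshold. The indicator list, the weights, the threshold and the three sample log lines are assumptions constructed for this example.

```python
"""Triage PowerShell command lines for the macro-to-PowerShell chain described above.

Added example, not from the article. Indicator patterns, weights, threshold and the
sample log lines are assumptions constructed here; none are artifacts of the campaigns.
"""
import base64
import re

# (pattern, tag, weight): weights and the flag threshold are this example's assumptions.
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b", re.I), "stealth-flags", 1),
    (re.compile(r"\biex\b|Invoke-Expression", re.I), "invoke-expression", 2),
    (re.compile(r"FromBase64String", re.I), "base64-decode", 2),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), "download", 2),
    (re.compile(r"\[byte\[\]\]", re.I), "byte-array", 1),
    (re.compile(r"Invoke-PSInject|VirtualAlloc|CreateRemoteThread", re.I), "injection", 3),
]
FLAG_THRESHOLD = 3

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        # PowerShell expects base64 over UTF-16LE, so decode in the same two steps.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline):
    """Score one command line: indicators are matched on the raw line and, if
    present, on the decoded payload (which is where the decode-then-iex chain lives)."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    tags, score = [], 0
    for pattern, tag, weight in INDICATORS:
        if pattern.search(text):
            tags.append(tag)
            score += weight
    return {"cmdline": cmdline, "decoded": decoded, "tags": tags,
            "score": score, "flagged": score >= FLAG_THRESHOLD}


def triage(lines):
    """Return only the command lines that reach the flag threshold."""
    return [result for result in (analyse(line) for line in lines) if result["flagged"]]


def _encode(script):
    """Build a constructed sample the way PowerShell's -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation lines (not real telemetry): an admin query,
# a harmless encoded command, and a line shaped like the three-stage chain above.
SAMPLE_LOG = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "powershell.exe -EncodedCommand " + _encode("Get-Date"),
    "powershell.exe -w hidden -nop -enc " + _encode(
        "function d($s){[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))}; "
        "iex (d 'R2V0LURhdGU=')"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"score={hit['score']} tags={hit['tags']}")
        print("  decoded:", hit["decoded"])
```

Run as a script it prints only the third sample, with the decoded stage-one function and the `iex` call visible; the two benign lines score below the threshold. Matching on the decoded payload rather than the raw command line is the point: a detection that only looks at the outer command sees nothing but a base64 blob, which is exactly why both campaigns encode their scripts.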

We will continue to monitor this threat. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS your machine runs. If you run a company, we recommend hiring a specialized cybersecurity firm every year to run annual tests on your company’s network, including penetration testing and ethical hacking.