Two distinct campaigns spread GandCrab ransomware and Ursnif Trojan via weaponized docs

Pierluigi Paganini January 25, 2019

Security experts observed two distinct campaigns distributing the Ursnif malware, one of them also delivered the GandCrab ransomware.

Experts pointed out that the cybercrime gangs behind the two campaigns are different, but they discovered many similarities in them.

Attackers spread phishing messages using weaponized Microsoft Word document and leverages Powershell to deliver fileless malware.

Ursnif is a banking trojan that was spreading since November 2017, it is also able to monitor browsing activities, collect keystrokes, system and process information, and deliver additional payloads.

GandCrab is a popular ransomware that has been active since early 2018.

Security experts at Carbon Black observed nearly 180 variants of weaponized MS Word documents associated with one of the campaigns.

“This campaign originally came in via phishing emails that contained an attached Word document with embedded macros, Carbon Black located roughly 180 variants in the wild.”  reported Carbon Black.

The macro would call an encoded PowerShell script and then use a series of techniques to download and execute both a Ursnif and GandCrab

The first malware campaign distributing two malware threats was discovered by security researchers at Carbon Black who located approximately 180 variants of MS Word documents in the wild that target users with malicious VBS macros.

Once the victims have executed the malicious VBS macro it runs a PowerShell script that uses a series of techniques to download and execute both Ursnif and GandCrab.

Ursnif and GandCrab

The PowerShell script is encoded in base64, it executes the next stage malware, a PowerShell one-liner, that downloads the final malware payloads from the Pastebin website that is executed in memory.

The first payload is a PowerShell one-liner that evaluates the architecture of the targeted system and then accordingly downloads an additional payload from the Pastebin website, which is executed in the memory,

“Once the raw contents of the post were downloaded, that data would also be executed in memory.  In the variants that were obtained during this campaign the file contained a PowerShell script that was approximately 2800 lines.” reads the analysis.

“This PowerShell script is a version of the Empire Invoke-PSInject module, with very few modifications,” Carbon Black researchers said. “The script will take an embedded PE [Portable Executable] file that has been base64 encoded and inject that into the current PowerShell process.”

The final payload installs a variant of the GandCrab ransomware on the infected system, it also downloads a Ursnif executable from a remote server and executed it to gather information on the systems and monitor the victims’ activities.

“However, numerous Ursnif variants were hosted on the bevendbrec[.]com site during this campaign. Carbon Black was able to discover approximately 120 different Ursnif variants that were being hosted from the domains iscondisth[.]com and bevendbrec[.]com,” continue the analysis.

The activity of Ursnif malware was also observed by Cisco Talos that uncovered a second campaign using a different variant.
“There are three parts to the [PowerShell] command. The first part creates a function that is later used to decode base64 encoded PowerShell. The second part creates a byte array containing a malicious DLL,” Talos researchers explained.

“The third part executes the base64 decode function created in the first part, with a base64 encoded string as the parameter to the function. The returned decoded PowerShell is subsequently executed by the shorthand Invoke-Expression (iex) function.”

This variant, like others, collects information on the infected systems. The threat stores into a CAB file format and then sends the C2 server over HTTPS connection.

Early December, security experts at Yoroi-Cybaze ZLAB discovered a new variant of the Ursnif malware that hit Italian users through a malspam campaign. Researchers at Yoroi-Cybaze ZLAB isolated several malicious emails having the following content:

  • Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”
  • Attachment: “”

The content of the attachment was a .js file and when it is launched, starts the infection by downloading other components from the Internet.

The whole infection was composed of four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of persistence through the registry key installed and the checking and the download of the Ursnif modules.

Back to the current campaigns, both analyses include the list of indicators of compromise (IoCs).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Ursnif, spam)

[adrotate banner=”5″] [adrotate banner=”13″]

you might also like

leave a comment