Experts pointed out that the cybercrime gangs behind the two campaigns are different, but they discovered many similarities in them.
Attackers spread phishing messages using weaponized Microsoft Word document and leverages Powershell to deliver fileless malware.
Ursnif is a banking trojan that was spreading since November 2017, it is also able to monitor browsing activities, collect keystrokes, system and process information, and deliver additional payloads.
Security experts at Carbon Black observed nearly 180 variants of
“This campaign originally came in via phishing emails that contained an attached Word document with embedded macros, Carbon Black located roughly 180 variants in the wild.” reported Carbon Black.
“The macro would call an encoded PowerShell script and then use a series of techniques to download and execute both a Ursnif and
The first malware campaign distributing two malware threats was discovered by security researchers at Carbon Black who located approximately 180 variants of MS Word documents in the wild that target users with malicious VBS macros.
Once the victims have executed the malicious VBS macro it runs a PowerShell script that uses a series of techniques to download and execute both Ursnif and
The PowerShell script is encoded in base64, it executes the next stage malware, a PowerShell one-liner, that downloads the final malware payloads from the Pastebin website that is executed in
The first payload is a PowerShell one-liner that evaluates the architecture of the targeted system and then accordingly downloads an additional payload from the Pastebin website, which is executed in the memory,
“Once the raw contents of the pastebin.com post were downloaded, that data would also be executed in memory. In the variants that were obtained during this campaign the file contained a PowerShell script that was approximately 2800 lines.” reads the analysis.
“This PowerShell script is a version of the Empire Invoke-PSInject module, with very few modifications,” Carbon Black researchers said. “The script will take an embedded PE [Portable Executable] file that has been base64 encoded and inject that into the current PowerShell process.”
The final payload installs a variant of the GandCrab ransomware on the infected system, it also downloads a Ursnif executable from a remote server and executed it to gather information on the systems and monitor the victims’ activities.
“However, numerous Ursnif variants were hosted on the bevendbrec[.]com site during this campaign. Carbon Black was able to discover approximately 120 different Ursnif variants that were being hosted from the domains iscondisth[.]com and bevendbrec[.]com,” continue the analysis.
The activity of Ursnif malware was also observed by Cisco Talos that uncovered a second campaign using a different variant.
“The third part executes the base64 decode function created in the first part, with a base64 encoded string as the parameter to the function. The returned decoded PowerShell is subsequently executed by the shorthand Invoke-Expression (iex) function.”
This variant, like others, collects information on the infected systems. The threat stores into a CAB file format and then sends the C2 server over HTTPS connection.
Early December, security experts at
The content of the attachment was a .js file and when it is launched, starts the infection by downloading other components from the Internet.
The whole infection was composed of four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of
Back to the current campaigns, both analyses include the list of indicators of compromise (IoCs).