Two separate malware campaigns have been discovered by the security researchers, of which one is distributing the Ursnif data stealing Trojan virus and the other GandCrab ransomware is solely infecting the victims with the Ursnif malware. Though it might seem that the both the malware campaigns are the resultants of the two different groups, yet there are a lot of similarities that are depicting that the work is of a single group. Both the malware attacks emerge from phishing emails that contain an attached Microsoft Word Document that is embedded with the malicious macros that uses the Powershell finally delivering fileless malware.
Ursnif is a data-stealing malware that aims to steal sensitive information from the compromised computers having ability to harvest the banking credentials, collecting keystrokes, browsing the activities, process the system information and ultimately deploy additional backdoors.
The GandCrab is a widely spread ransomware threat that has been discovered in the last year. Unlike all other ransomware available in the market, it encrypts the files located on an infected computer system and forces the victims to pay a ransom via the digital currency to unlock the ransomware. The developers of the ransomware ask for payments through DASH, which makes it difficult to track.
The very first malware campaign that distributed two of the malware threats was discovered by the security researchers at Carbon Black who successfully located around 180 variants of the MS Word documents in the wild targeting users with the malicious VBS macros. Similarly, the second malware campaign was noticed at Cisco Talos that leverages a Microsoft Word document containing the malicious VBA macro for delivering another variant of the same Ursnif malware. Once it is executed on the victim computer, the malware collects the information through the system, puts it into a CAB file format and later sends it to the command-and-control server over the HTTPS secure connection.