Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware.
Though both malware campaigns appear to be a work of two separate cybercriminal groups, we find many similarities in them. Both attacks start from phishing emails containing an attached Microsoft Word document embedded with malicious macros and then uses Powershell to deliver fileless malware.
Ursnif is a data-stealing malware that typically steals sensitive information from compromised computers with an ability to harvest banking credentials, browsing activities, collect keystrokes, system and process information, and deploy additional backdoors.
Discovered earlier last year, GandCrab is a widespread ransomware threat that, like every other ransomware in the market, encrypts files on an infected system and insists victims to pay a ransom in digital currency to unlock them. Its developers ask payments primarily in DASH, which is more complex to track.
MS Docs + VBS macros = Ursnif and GandCrab Infection
The first malware campaign distributing two malware threats was discovered by security researchers at Carbon Black who located approximately 180 variants of MS Word documents in the wild that target users with malicious VBS macros.
If successfully executed, the malicious VBS macro runs a PowerShell script, which then uses a series of techniques to download and execute both Ursnif and GandCrab on the targeted systems.
by Matthew Field
February 20, 2018
The UK’s top cyber security agency has reaffirmed its commitment to working with Chinese smartphone giant Huawei after US spy chiefs accused the company of presenting a national security risk.
The Government and the National Cyber Security Centre (NCSC) will “continue to benefit” from collaboration with Huawei, according to an NCSC spokesman. It comes despite US government employees potentially being banned from using the Chinese company’s smartphones due to security fears.
In the UK, Huawei operates a cybersecurity centre alongside members of GCHQ. Known as “The Cell”, it is set up to monitor threats and backdoors in the company’s own hardware. It is staffed by Huawei researchers overseen by the NCSC.
Last week, US intelligence chiefs from the Federal Bureau of Intelligence (FBI), Central Intelligence Agency and National Security Agency repeatedly warned against Huawei’s phones and recommended US consumers should avoid them.
“We’re deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks,” FBI Director Chris Wray said.
The UK’s relationship with Huawei has taken a different path than its ally, however. Rather than blocking the company, UK spies from GCHQ work closely with the Chinese company.
“Huawei is a globally important company whose presence in the UK reflects our reputation as a global hub for technology, innovation and design,” an NCSC spokesman said.
“This government and British telecoms operators work with Huawei at home and abroad to ensure the UK can continue to benefit from new technology while managing cyber security risks.”