Ursnif and GandCrab campaign with the macro-enabled documents

The first part of the analysis presented the two types of macro-enabled documents with a PowerShell downloader that were spread via email in this malicious campaign. The PowerShell downloaders and/or the macros are slightly obfuscated; however, it is easy to defeat this obfuscation and reveal their purpose. The analysis also summarized the information and relationships between the malware samples and domains related to this campaign and provided a summary of the collected IOCs.

CERT.LV and the ISACA Latvia chapter, in collaboration with LMT and dots., organized the international cybersecurity conference “Cyberchess 2019”.

Title: “Ursnif campaign with the macro-enabled documents”
Speaker: Ladislav Bačo, Lifars
Event: Cybersecurity conference “Cyberchess 2019”
Date: October 2-3, 2019
Place: Radisson Blu Latvija

While most of the contacted URLs in the Ursnif campaign from February 2019 have been cleaned (or, at least, did not provide any malicious content during our analysis or during publicly available analyses on various sandboxes), in at least one case a URL was still active. This URL came from the PowerShell downloader with two options/methods for downloading and executing the malicious content. Probably one method was used for downloading the Ursnif malware and the second leads to infection with GandCrab ransomware: the PowerShell downloader included in the VBA macro downloaded the 2nd stage downloader, which uses the PowerSploit Reflective Injection to inject the GandCrab DLL into its process. This case is covered in the 2nd part of the analysis.

The GandCrab ransomware v5.1 contains obfuscated and RC4-encrypted strings and text messages. Because no analytical tool was available for deobfuscating these strings (only for a much older version of GandCrab), we decided to create our own tool as an IDC script for the IDA Disassembler. This IDC script was further adjusted to also work with GandCrab v5.2 and v5.3. The developed script and the list of decrypted strings are provided.
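
To illustrate the string-decryption step described above, the following Python example is added here; it is not the IDC script from the analysis and does not reproduce GandCrab's actual string layout. It batch-decrypts RC4-encrypted string records once they have been carved out of a sample. The record layout (u16 key length, key, u16 data length, ciphertext), the UTF-16LE encoding, all function names and the sample records are assumptions constructed for the example.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_blob(blob: bytes) -> str:
    """Decrypt one record. ASSUMED layout (not GandCrab's real one):
    u16 key_len | key | u16 data_len | RC4 ciphertext of UTF-16LE text."""
    key_len = int.from_bytes(blob[:2], "little")
    if key_len == 0 or len(blob) < key_len + 4:
        raise ValueError("bad key length or truncated header")
    key = blob[2:2 + key_len]
    data_len = int.from_bytes(blob[2 + key_len:4 + key_len], "little")
    data = blob[4 + key_len:4 + key_len + data_len]
    if len(data) != data_len:
        raise ValueError("truncated ciphertext")
    return rc4(key, data).decode("utf-16-le")

def make_blob(key: bytes, text: str) -> bytes:
    """Build a constructed test record in the assumed layout."""
    ct = rc4(key, text.encode("utf-16-le"))
    return len(key).to_bytes(2, "little") + key + len(ct).to_bytes(2, "little") + ct

# Constructed sample records, not extracted from any real sample.
SAMPLES = [make_blob(b"k1-constructed", "constructed string one"),
           make_blob(b"k2-constructed", "constructed string two")]

def decrypt_all(blobs):
    """Return (index, text-or-error) pairs so one bad record does not stop the run."""
    results = []
    for n, blob in enumerate(blobs):
        try:
            results.append((n, decrypt_blob(blob)))
        except ValueError as exc:             # also covers UnicodeDecodeError
            results.append((n, f"<error: {exc}>"))
    return results

if __name__ == "__main__":
    print(decrypt_all(SAMPLES))
```

Recording malformed records as errors, rather than aborting, keeps a full pass over a sample useful even when some carved offsets are wrong.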