Ursnif and Grandcrab spreading through Microsoft Word and PowerShell commands


There is a new wave of viruses that are getting unleashed in our environment. Ursnif is a Trojan that executes itself in the PowerShell and file less activation due to which it can’t be detected that easily. Urnsif has another alias as well-known as Dreambot.

Dreambot has been around for some time now. It was mostly used for stealing financial credentials and email addresses from internet browsers. It can also be used to deploy other malwares. The function of phishing plays an important role in Ursnif.

Spam mails that carry word documents consist of malware macro scripts. The macros include junk code and an executable encoded PowerShell command that is stored in an alternate text file.

The Carbon Black   organization has observed that from the previous month that a spam campaign is in process that is distributing Ursnif, and afterwards installs a ransomware virus called Grandcrab. The ransomware is sold in the underground world or you could say on the dark web as a service. The makers of Grandcrab let the black hat hackers use it where they benefit from it. But with time solution for Grancrab are being taken out. But with Ursnif a newer version is being used.

Attack overview given by Carbon Black

What the Urnsif Trojan does is that the PowerShell script which is encoded in 64bit downloads a malware from a (C&C) command and control server which directly executes it to the memory. Then the second payload downloads another file in a complete raw form that is from pastebin.com and inputs it in the PowerShell process. Then another payload is inserted that is Grandcrab which is a newer version.

Cisco Talos

Cyber security researchers Cisco Talos reported another event that has taken place that Ursnif activity and have shared a report the chain of the malware. The document states that Ursnif doesn’t only deploy the malware directly to the system memory but also remains persistent even after a reboot and doesn’t contain any files. It does so via storing an encoded PowerShell command in a registry and later using it by the Windows Management Instrumentation Command-line.  The data is stored in a CAB file format it is sent to the C&C through a HTTPS connection.

Talos researchers stated “Ursnif is a fan of ‘file less’ persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic,” “Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop.”

The Talos team has given certain parameters through which the Trojan can enter a system or the pathway that is used to get into the system are the URLS, file hashes and even the file names have been provided that have already infected certain computers and that users are aware of the malware and avoid it before it infects your system.


Please enter your comment!
Please enter your name here