Carbon Black researchers have uncovered a sophisticated malware campaign involving the infamous Ursnif Trojan, also known as Dreambot, and the popular GandCrab ransomware. In the first stage of the campaign, threat actors distribute spam emails containing Microsoft Word documents that have been corrupted with malicious macro scripts.
The macros inside the Word document can activate PowerShell on targeted devices and instruct it to download Ursnif as well as the latest version of GandCrab. This use of macros and PowerShell scripting is in line with a growing trend of fileless or living-off-the-land attacks in which machines are compromised through malicious code that runs in memory by taking advantage of tools on the target system.