Summary

The Carbon Black ThreatSight service discovered an ongoing campaign.  This campaign originally came in via phishing emails that contained an attached Word document with embedded macros, Carbon Black located roughly 180 variants in the wild.  The macro would call an encoded PowerShell script and then use a series of techniques to download and execute both a Ursnif and GandCrab variants.

The technical details of this campaign can be located in the external blog post.