Security researchers have discovered two separate malware campaigns. One is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second is only infecting victims with Ursnif malware. Both attacks start from phishing emails containing an attached Microsoft Word document embedded with malicious macros, and then use PowerShell to deliver fileless malware. Once executed, the malware collects information from the system, packs it into a CAB file, and sends it to its command-and-control server over an HTTPS connection.
Source: https://thehackernews.com/2019/01/microsoft-gandcrab-ursnif.html

