Connect with us

Hi, what are you looking for?


Malware & Threats

PowerSniff Malware Attacks Abuse Macros, PowerShell

A new piece of malware dubbed “PowerSniff” has been spotted by researchers in semi-targeted attacks aimed at users in the United States and some European countries.

A new piece of malware dubbed “PowerSniff” has been spotted by researchers in semi-targeted attacks aimed at users in the United States and some European countries.

The threat has been found to leverage macros and PowerShell, both of which have been increasingly abused in recent malware attacks.

According to researchers at Palo Alto Networks, PowerSniff is distributed via spam emails containing what appears to be a harmless Microsoft Word document. Experts observed roughly 1,500 spam emails last week, most of which included information associated with the recipient, including names, phone numbers, physical addresses and other company details.

Once the recipient opens the attached document, a malicious macro embedded in the file attempts to invoke the Windows Management Instrumentation (WMI) service, which is used to create a hidden instance of PowerShell, the automation tool used by many system administrators. Since macros are disabled by default in Office to prevent abuse by malware, users might have to explicitly allow the malicious macro to run, unless they changed settings to allow macros to run by default.

PowerShell is then used to download a shellcode script that is placed in a specified location depending if the targeted operating system is running on 32 or 64 bits. The shellcode is designed to decrypt and execute a payload that first checks the infected system for the presence of sandboxes and virtual environments.

The payload then analyzes the system in search for strings indicating that the infected machine is part of a healthcare or education organization. It also checks for strings that could indicate the presence of point-of-sale (PoS) software and applications used to conduct financial transactions. Researchers noted that PowerSniff appears to be specifically targeting devices used for financial transactions, and actively avoiding machines in healthcare and education organizations.

The highest number of infection attempts were detected by Palo Alto Networks in the United States, followed by several countries in Europe and Canada. The campaign doesn’t appear to target specific industries, but most of the malicious emails were received by organizations in the professional services, hospitality, manufacturing, wholesale, energy and high-tech industries.

Advertisement. Scroll to continue reading.

Once the reconnaissance phase is over, PowerSniff attempts to connect to one of its hardcoded command and control (C&C) addresses. When it analyzed the threat, Palo Alto Networks had not found any responsive C&C servers.

One noteworthy feature of PowerSniff is that, similar to the Ursnif family, the malware is injected directly into memory.

“Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat,” Palo Alto Networks researchers wrote in a blog post. “As this malware relies on malicious macros within Microsoft Word documents, users should ensure that macros are not enabled by default and should be wary of opening any macros in files received from untrusted sources.”

Related: Macro Malware Dridex, Locky Using Forms to Hide Code

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.