PowerSniff Malware Attacks Abuse Macros, PowerShell

A new piece of malware dubbed “PowerSniff” has been spotted by researchers in semi-targeted attacks aimed at users in the United States and some European countries.

The threat has been found to leverage macros and PowerShell, both of which have been increasingly abused in recent malware attacks.

According to researchers at Palo Alto Networks, PowerSniff is distributed via spam emails containing what appears to be a harmless Microsoft Word document. Experts observed roughly 1,500 spam emails last week, most of which included information associated with the recipient, including names, phone numbers, physical addresses and other company details.

Once the recipient opens the attached document, a malicious macro embedded in the file attempts to invoke the Windows Management Instrumentation (WMI) service, which is used to create a hidden instance of PowerShell, the automation tool used by many system administrators. Since macros are disabled by default in Office to prevent abuse by malware, users might have to explicitly allow the malicious macro to run, unless they changed settings to allow macros to run by default.

PowerShell is then used to download a shellcode script that is placed in a specified location depending if the targeted operating system is running on 32 or 64 bits. The shellcode is designed to decrypt and execute a payload that first checks the infected system for the presence of sandboxes and virtual environments.

The payload then analyzes the system in search for strings indicating that the infected machine is part of a healthcare or education organization. It also checks for strings that could indicate the presence of point-of-sale (PoS) software and applications used to conduct financial transactions. Researchers noted that PowerSniff appears to be specifically targeting devices used for financial transactions, and actively avoiding machines in healthcare and education organizations.

The highest number of infection attempts were detected by Palo Alto Networks in the United States, followed by several countries in Europe and Canada. The campaign doesn’t appear to target specific industries, but most of the malicious emails were received by organizations in the professional services, hospitality, manufacturing, wholesale, energy and high-tech industries.

Once the reconnaissance phase is over, PowerSniff attempts to connect to one of its hardcoded command and control (C&C) addresses. When it analyzed the threat, Palo Alto Networks had not found any responsive C&C servers.

One noteworthy feature of PowerSniff is that, similar to the Ursnif family, the malware is injected directly into memory.

“Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat,” Palo Alto Networks researchers wrote in a blog post. “As this malware relies on malicious macros within Microsoft Word documents, users should ensure that macros are not enabled by default and should be wary of opening any macros in files received from untrusted sources.”

Related: Macro Malware Dridex, Locky Using Forms to Hide Code