Connect with us

Hi, what are you looking for?


Malware & Threats

PowerSniff Malware Attacks Abuse Macros, PowerShell

A new piece of malware dubbed “PowerSniff” has been spotted by researchers in semi-targeted attacks aimed at users in the United States and some European countries.

A new piece of malware dubbed “PowerSniff” has been spotted by researchers in semi-targeted attacks aimed at users in the United States and some European countries.

The threat has been found to leverage macros and PowerShell, both of which have been increasingly abused in recent malware attacks.

According to researchers at Palo Alto Networks, PowerSniff is distributed via spam emails containing what appears to be a harmless Microsoft Word document. Experts observed roughly 1,500 spam emails last week, most of which included information associated with the recipient, including names, phone numbers, physical addresses and other company details.

Once the recipient opens the attached document, a malicious macro embedded in the file attempts to invoke the Windows Management Instrumentation (WMI) service, which is used to create a hidden instance of PowerShell, the automation tool used by many system administrators. Since macros are disabled by default in Office to prevent abuse by malware, users might have to explicitly allow the malicious macro to run, unless they changed settings to allow macros to run by default.

PowerShell is then used to download a shellcode script that is placed in a specified location depending if the targeted operating system is running on 32 or 64 bits. The shellcode is designed to decrypt and execute a payload that first checks the infected system for the presence of sandboxes and virtual environments.

The payload then analyzes the system in search for strings indicating that the infected machine is part of a healthcare or education organization. It also checks for strings that could indicate the presence of point-of-sale (PoS) software and applications used to conduct financial transactions. Researchers noted that PowerSniff appears to be specifically targeting devices used for financial transactions, and actively avoiding machines in healthcare and education organizations.

The highest number of infection attempts were detected by Palo Alto Networks in the United States, followed by several countries in Europe and Canada. The campaign doesn’t appear to target specific industries, but most of the malicious emails were received by organizations in the professional services, hospitality, manufacturing, wholesale, energy and high-tech industries.

Once the reconnaissance phase is over, PowerSniff attempts to connect to one of its hardcoded command and control (C&C) addresses. When it analyzed the threat, Palo Alto Networks had not found any responsive C&C servers.

Advertisement. Scroll to continue reading.

One noteworthy feature of PowerSniff is that, similar to the Ursnif family, the malware is injected directly into memory.

“Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat,” Palo Alto Networks researchers wrote in a blog post. “As this malware relies on malicious macros within Microsoft Word documents, users should ensure that macros are not enabled by default and should be wary of opening any macros in files received from untrusted sources.”

Related: Macro Malware Dridex, Locky Using Forms to Hide Code

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights