An ongoing spam campaign is serving up malicious macro documents that execute PowerShell scripts and inject malware directly into the memory of the victim’s computer.
Josh Grunzweig and Brandon Levene, threat researchers at Palo Alto Networks, explain in a blog post that the malware, which they have dubbed “PowerSniff,” arrives in a user’s inbox as a malicious Word document attached to a spear phishing email targeting the victim’s company.
If the attachment is launched, a malicious macro will attempt to execute as soon as the document opens, or it will prompt the user to enable macros before proceeding.
Successful execution paves the road for the macro to open a secret instance of powershell.exe that contains the following arguments (with URLs removed):
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile
Once it has figured out whether it is running on a 32- or 64-bit instance of Microsoft Windows, the malware downloads a PowerShell script that contains shellcode.
Once executed, that shellcode decrypts itself and in turn executes its malware payload.
At this point in time, the malware performs a series of actions to gather more information about the machine on which it is running. For instance, it scans for usernames like “MALWARE” and “VIRUS” as well as a number of libraries to determine whether it is running in a virtualized environment or sandbox.
This is clearly an attempt to avoid analysis by anti-virus researchers.
PowerSniff also checks for the absence of the strings “TEACHER,” “STUDENT,” “SCHOOLBOARD,” “PEDIATRICS,” and “ORTHOPED” but actively looks for the presence of “POS,” “STORE,” “SHOP,” and “SALE.”
Grunzweig and Levene have shared their theories as to why the malware behaves in this way:
“As a summary to these checks, it would appear as though this malware is attempting to actively avoid healthcare and education machines, as well as target point of sale instances and machines that conduct financial transactions. Similar techniques were witnessed in a malware family named ‘Ursnif’ in mid-2015.”
The malware ultimately relays information it has gathered back to one of its command and control (C&C) servers. If the target machine is deemed to be of some interest, the server responds with a DLL that is temporarily written to the disk at %userprofile%\AppData\LocalLow\[random].db and which is then executed using a call to rundll32.exe.
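For defenders, the two process-level behaviors described above (the hidden PowerShell instance launched by the macro, and rundll32.exe loading a .db file from AppData\LocalLow) can be checked against process-creation logs. The following is an added example, not code from Palo Alto Networks or the original post; the event field names, finding labels and sample events are assumptions constructed for illustration.

```python
import re

# Flags from the command line quoted above; matched after dash normalisation.
PS_FLAGS = ("-executionpolicy bypass", "-windowstyle hidden", "-noprofile")
OFFICE_PARENTS = {"winword.exe"}  # assumption: the Word host that runs the macro
# A .db file under AppData\LocalLow handed to rundll32.exe, as the article describes.
LOCALLOW_DB = re.compile(r'\\appdata\\locallow\\[^\\\s",]+\.db\b')

def normalise(cmd):
    # Treat en/em dashes as hyphens and collapse whitespace before matching.
    cmd = cmd.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", cmd).lower()

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the findings for one process-creation event (a dict)."""
    image = basename(event["image"])
    parent = basename(event.get("parent_image", ""))
    cmd = normalise(event.get("command_line", ""))
    findings = []
    if image == "powershell.exe":
        if all(flag in cmd for flag in PS_FLAGS):
            findings.append("hidden-bypass-powershell")
        if parent in OFFICE_PARENTS:
            findings.append("office-spawned-powershell")
    if image == "rundll32.exe" and LOCALLOW_DB.search(cmd):
        findings.append("rundll32-locallow-db")
    return findings

# Constructed sample events (not taken from the campaign).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden \u2013noprofile"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\LocalLow\k3f9a.db,Start"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), classify(ev))
```

PowerShell also accepts abbreviated parameter names such as -ep, -w and -nop, so matching only the full flag strings will miss variants of this command line; the parent-process check does not depend on the flags.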
Currently, the vast majority of users affected by PowerSniff and this spam campaign are based in the United States. However, this threat campaign could feasibly expand to other locations around the world.
With that in mind, it is important that network defenders familiarize themselves with how attackers can write malware directly to the Windows Registry while bypassing the hard drive.
As for ordinary users, it’s a good idea to be wary of opening unsolicited attachments, to keep macros disabled, and to be suspicious of any document from an unknown sender that tries to convince you to enable the execution of macros.