Malware is being coded and released into the wild at an alarming rate. People from across the globe write it for personal profit, under contract, or to prove a point (e.g. hacktivism). Most of it has been observed to operate in a narrow way: the delivery channel to the target is email. The user reads the email, opens the attachment, and the malware is written to the hard drive. This pattern has been repeated across the globe.
Recently a new variant of an older method has appeared. This variant loads the malware into memory (RAM) only. This departs from the current norm but recycles an older technique; a prior example of this approach was the Ursnif malware.
As noted, malware is generally saved to the hard drive. That makes it long-lasting: when the computer is shut down, the malware is still present when the system is turned on again. With this new variant, the malware resides only in RAM and is not stored on the hard drive of the targeted, infected system. This has been seen more often with drive-by malware attacks. While unusual, it has proven itself effective.
Historically, attackers have rarely used this approach. It was a less attractive option because the attack fails as soon as the user reboots the system, which clears the RAM and effectively removes the malware. It does have one benefit for the attacker: AV is generally engineered to scan the hard drive, not the RAM.
On a basic level, this is structured as a social engineering attack; it was not part of a generic spam campaign. The person receives an email personalized with their name, address, and other select information. The body of the email gives a pertinent rationale for opening the attachment right away (e.g. the user has to open the attachment urgently!). The attachment is a Word document. Since this is not an .exe file, the person may have a greater sense of security and believe it is fine. The user then opens the Word document. Unbeknownst to the user, this allows the macro in the Word document to execute, and the malware is placed in the memory of the system. The malware was also coded to check whether it had been placed in a sandbox or virtual environment.
Palo Alto Networks noted that an estimated 1,500 emails were sent in this campaign. As further evidence of targeting, each email was specialized for its recipient. The targets have been in the US and Europe, with a smaller portion of the emails sent to Canada. The campaign has focused on the hospital, manufacturing, energy, and tech industries.
Malware tends to be reused and to resurface once users and admins have forgotten about it. This is a sample of malware to be wary of: defenses should be put in place and not removed for convenience. There are a number of defenses for this. They are familiar and have been seen many times before with other instances, and these common-sense approaches still work well when implemented. The user should not enable macros in Word documents. If the user is not certain of the sender's identity or is not expecting an attachment, the attachment should not be opened.
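As an added example (not code from the article or from the Palo Alto Networks report), the Python snippet below shows one way a defender can spot the macro-to-memory step described above: even when nothing is written to disk, Word must start an interpreter to run the payload, and host process-creation logs record that parent/child pair. The log format is constructed for this example, loosely modeled on Sysmon-style fields (Image, ParentImage, CommandLine); the sample events are made up.

```python
"""Flag Office applications that spawn a script or command host.

Constructed, Sysmon-style event records: 'Key=Value|Key=Value' per line.
Field names are an assumption for this example, not a fixed log schema.
"""
import ntpath
from typing import Dict, List

# Office applications that have no routine reason to launch interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script/command hosts a document macro would typically hand off to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles both slash styles)."""
    return ntpath.basename(path).lower()


def is_office_spawn(event: Dict[str, str]) -> bool:
    """True when an Office app is the direct parent of a script/command host."""
    return (basename(event.get("ParentImage", "")) in OFFICE_APPS
            and basename(event.get("Image", "")) in SCRIPT_HOSTS)


def find_office_spawns(lines: List[str]) -> List[Dict[str, str]]:
    """Return matching events, each annotated with a short human-readable reason."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_office_spawn(ev):
            ev["Reason"] = f"{basename(ev['ParentImage'])} spawned {basename(ev['Image'])}"
            alerts.append(ev)
    return alerts


# Constructed sample events (not real telemetry). Only the first should alert.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|CommandLine=powershell.exe -NoProfile <arguments omitted>",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe report.txt",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe",
]

if __name__ == "__main__":
    for alert in find_office_spawns(SAMPLE_EVENTS):
        print(alert["Reason"], "|", alert["CommandLine"])
```

The same parent/child check applies to any endpoint telemetry that records the parent process; the one-line Reason field is what a SOC analyst would pivot on before looking at the command line itself.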
Computer Security. (2016, March 22). PowerSniff malware. Retrieved from http://computersecuritypgp.blogspot.com/2016/03/powersniff-malware.html
Grunzweig, J., & Levene, B. (2016, March 11). PowerSniff malware used in macro-based attacks. Retrieved from http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/
Kovacs, E. (2016, March 15). PowerSniff malware attacks abuse macros, PowerShell. Retrieved from http://www.securityweek.com/powersniff-malware-attacks-abuse-macros-powershell
Muncaster, P. (2016, March 15). File-less PowerSniff malware spotted in new macro attacks. Retrieved from http://www.infosecurity-magazine.com/news/file-less-powersniff-malware/
Webtitan Admin. (2016, March 18). Fileless malware is being installed using Microsoft Word macros. Retrieved from http://www.webtitan.com/blog/fileless-malware-word-macros
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.