Security researchers are warning of a new high-threat spam campaign that uses the file-less PowerSniff malware in macro-based attacks.
Palo Alto Networks’ Josh Grunzweig and Brandon Levene claimed they’d spotted around 1,500 emails sent over the past week in a targeted campaign; each email contained specific information about the victim’s company, including the recipient’s name and the relevant phone numbers and addresses.
This is all designed to socially engineer the recipient into trusting the sender enough to open the attachment.
If the Word document is opened, a malicious macro inside the file attempts to execute.
The file the macro downloads is a PowerShell script containing shellcode; the shellcode is decoded and executed, and it in turn runs an embedded payload that performs various checks and reconnaissance.
If the victim works at a financial institution, the machine is flagged as an interesting target. The malware also actively avoids POS environments, which indicate a retail set-up, as well as education and healthcare organizations.
This is similar behaviour to that observed with the Ursnif malware family in mid-2015, the blog authors claimed.
File-less malware like PowerSniff is not new per se, but it poses a big threat to firms because it can compromise systems while leaving virtually no trace of its presence for traditional forensic tools.
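Because a memory-resident loader leaves little on disk, the practical place to catch the chain described above is process-creation telemetry: a Word process launching PowerShell with an encoded, hidden-window command line is rare in legitimate use. The following is an added detection example written for this article, not code from Palo Alto Networks or from the campaign write-up. It assumes Sysmon-style event fields (parent_image, image, command_line, user), and the sample events are constructed, not real telemetry; the encoded argument in the sample is a harmless `Write-Host` so the decoder path can be exercised offline. The rule generalises slightly beyond the article by also covering Excel, PowerPoint and Outlook as parents and cmd/wscript/cscript as children.

```python
"""Flag Office-spawned script hosts in process-creation telemetry.

Added example for the PowerSniff article; not code from Palo Alto Networks.
Field names (parent_image, image, command_line, user) are assumed
Sysmon-style names, and SAMPLE_EVENTS below are constructed for the demo.
"""
import base64
import re
from typing import Optional

# Office applications whose macros can launch child processes.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts a macro typically hands off to; the article describes PowerShell.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits common to memory-resident PowerShell loaders.
SUSPICIOUS_FLAGS = [
    (re.compile(r"(?i)-e[a-z]*\s+[A-Za-z0-9+/=]{16,}"), "encoded command"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-nop(?:rofile)?\b"), "profile skipped"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), "invoke-expression"),
    (re.compile(r"(?i)downloadstring|downloadfile|net\.webclient"), "web download"),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")

# Constructed encoded argument: UTF-16LE base64 of a harmless command.
_ENCODED = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode("ascii")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -w hidden -enc {_ENCODED}",
     "user": "CORP\\jdoe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1",
     "user": "CORP\\admin"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo hello",
     "user": "CORP\\jdoe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, if one is present.

    PowerShell expects base64 of UTF-16LE text; anything else is left undecoded.
    """
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> Optional[dict]:
    """Return an alert for an Office app spawning a script host, else None."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    findings = [f"{parent} spawned {child}"]
    cmd = event["command_line"]
    for pattern, label in SUSPICIOUS_FLAGS:
        if pattern.search(cmd):
            findings.append(label)
    # The parent/child pair alone is medium; loader-style flags raise it to high.
    severity = "high" if len(findings) > 1 else "medium"
    return {
        "user": event["user"],
        "severity": severity,
        "findings": findings,
        "decoded_command": decode_encoded_command(cmd),
    }


def scan(events) -> list:
    """Run analyze() over a batch of events and keep only the alerts."""
    return [alert for alert in (analyze(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], "; ".join(alert["findings"]))
        if alert["decoded_command"]:
            print("  decoded:", alert["decoded_command"])
```

Run against real Sysmon event ID 1 data, the decoded command line is usually the most useful artefact an analyst gets, since the script itself never touches disk; the flags list is deliberately short so that the medium-severity parent/child pairing still fires even when an attacker avoids the usual loader switches.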
“Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat,” concluded Grunzweig and Levene.
“As this malware relies on malicious macros within Microsoft Word documents, users should ensure that macros are not enabled by default and should be wary of opening any macros in files received from untrusted sources.”
Alongside ransomware, macro-based attacks have flourished over the past year.
The volume of macro threats rose from fewer than 10,000 new attacks in Q3 2014 to almost 45,000 a year later, according to Intel Security.
The security giant also captured 74,471 samples of file-less attacks in the first three quarters of 2015.