Microsoft's PowerShell has once again become an attack vector for malware, this time a file-less attack dubbed "Powersniff" by Palo Alto Networks.
The attack arrives through e-mails containing Word documents bearing malicious macros, almost as if it isn't more than 15 years since the first macro viruses were let loose on the world.
Infected files are being distributed in standard spear-phishing attacks.
Once the document is loaded, Powersniff gets to work, either running automatically or – if the user's machine is locked down a bit more tightly – asking permission to run (Palo Alto Networks has concealed the URLs in the example):
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile
The payload then checks whether it's on a VM or in a sandbox, makes a couple of “who's the victim?” checks (schools and hospitals are avoided, while financial institutions are preferred and marked), and cached URLs are checked for “Citrix”, “XenApp” and “dana-na” (the latter a common URL folder in Juniper VPN implementations).
“It would appear as though this malware is attempting to actively avoid healthcare and education machines, as well as target point of sale instances and machines that conduct financial transactions. Similar techniques were witnessed in a malware family named ‘Ursnif’ in mid-2015”, write Palo Alto Networks' Josh Grunzweig and Brandon Levene.
Palo Alto Networks' advice is to turn off automatic macro execution, and naturally enough to buy its products. ®