Documents with malicious macros deliver fileless malware to financial-transaction systems

Attackers are using Word documents with malicious macros and PowerShell to infect computers with fileless malware, researchers warn

Spammed Word documents with malicious macros have become a popular method of infecting computers over the past few months. Attackers are now taking it one step further by using such documents to deliver fileless malware that gets loaded directly in the computer's memory.

Security researchers from Palo Alto Networks analyzed a recent attack campaign that pushed spam emails with malicious Word documents to business email addresses from the U.S., Canada and Europe.

The emails contained the recipients' names as well as specific information about the companies they worked for, which is not typical of widespread spam campaigns. This attention to detail lent more credibility to spam messages and made it more likely that victims would open the attached documents, the researchers said.

The documents contained macros that, if allowed to run, execute a hidden instance of powershell.exe with special command-line arguments. Windows PowerShell is a task automation and configuration management framework that's included in Windows by default and comes with its own scripting language.

The PowerShell command executed in this case was designed to check if the Windows OS was a 32-bit or a 64-bit version and to download an additional PowerShell script that corresponded to the OS architecture.

The rogue script performs a variety of checks on the computer. First it tries to determine if the environment is a virtual machine or sandbox like those used by malware analysts. It then scans the network configuration for strings like school, hospital, college, health and nurse. It also scans the network for other machines with names including teacher, student, schoolboard, pediatrics, orthoped, as well as POS, store, shop and sale. Cached URLs are scanned for a number of financial websites and names like Citrix and XenApp.

According to the Palo Alto researchers, the goal of these checks is to find systems that are used to conduct financial transactions and to avoid systems that belong to security researchers as well as medical and educational institutions.

Only systems that match what the attackers are looking for are flagged and reported back to a command-and-control server. For those systems, the script downloads a malicious encrypted DLL (dynamic link library) file and loads it into memory.

"Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat," the Palo Alto researchers said in a blog post.

A similar combination of PowerShell and fileless malware was observed last week by researchers from the SANS Institute's Internet Storm Center.

That malware creates a registry key that launches a hidden PowerShell instance at every system start-up. The PowerShell command executes an encoded script that's stored in a separate registry key. Its goal is to decrypt and load an executable file directly into memory without ever writing it to disk.

"By using PowerShell the attackers have been able to put malware that might otherwise be detected on a hard drive into the Windows Registry," senior SANS instructor Mark Baggett said in a blog post.

Storing malicious code in the system registry, abusing the Windows PowerShell and adding malicious macros to documents are not new techniques. However, their combination can make for very potent and hard-to-detect attacks.
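Both launch patterns described above, an Office macro starting a hidden powershell.exe and a start-up registry entry doing the same with an encoded script, leave command lines a defender can match on. The following detection logic is an added example, not code from Palo Alto Networks or SANS. The article does not name the command-line arguments used, so the `-WindowStyle Hidden` and `-EncodedCommand` flags, the event field names and the sample events are assumptions made for illustration.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def _is_param(tok, full, min_prefix):
    # powershell.exe accepts parameter-name prefixes (-w, -win, -WindowStyle)
    name = tok[1:].lower()
    return tok[:1] in ("-", "/") and name.startswith(min_prefix) and full.startswith(name)

def powershell_traits(cmdline):
    """None if not a PowerShell launch, else the set of concealment traits."""
    toks = [t.strip("\"'") for t in cmdline.split()]  # naive split, enough for flags
    if not toks or ntpath.basename(toks[0]).lower() not in ("powershell.exe", "powershell"):
        return None
    traits = set()
    for i, tok in enumerate(toks[1:], start=1):
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if _is_param(tok, "windowstyle", "w") and nxt in ("hidden", "1"):
            traits.add("hidden-window")
        elif _is_param(tok, "encodedcommand", "e") or tok.lower() in ("-ec", "/ec"):
            traits.add("encoded-command")
    return traits

def triage(events):
    """Return (id, rule, traits) for events matching either pattern."""
    alerts = []
    for ev in events:
        traits = powershell_traits(ev["command"])
        if traits is None:
            continue
        if ev["kind"] == "process" and ev["parent"].lower() in OFFICE:
            # Office applications rarely have a legitimate reason to start PowerShell
            alerts.append((ev["id"], "office-spawned-powershell", sorted(traits)))
        elif ev["kind"] == "autorun" and traits:
            alerts.append((ev["id"], "autorun-hidden-powershell", sorted(traits)))
    return alerts

# Constructed sample events (assumed schema); commands and paths are placeholders.
SAMPLE = [
    {"id": 1, "kind": "process", "parent": "WINWORD.EXE",
     "command": "powershell.exe -NoP -w hidden -ExecutionPolicy Bypass -File C:\\placeholder.ps1"},
    {"id": 2, "kind": "process", "parent": "explorer.exe",
     "command": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1"},
    {"id": 3, "kind": "autorun", "command":
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden -enc PLACEHOLDER"},
    {"id": 4, "kind": "autorun", "command": "C:\\Tools\\updater.exe /background"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Process events of this kind typically come from process-creation logging with command-line capture enabled, and the autorun entries from an export of start-up registry values; both sources are assumptions about the environment.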


Lucian Constantin

IDG News Service