PowerWare uses Microsoft Word and PowerShell to infect users

US-based security firm, Carbon Black has discovered new ransomware variant known as PowerWare. The ransomware discovered a week ago targeted...

US-based security firm, Carbon Black has discovered new ransomware variant known as PowerWare.
The ransomware discovered a week ago targeted a company in the healthcare industry.
As with all ransomware families identified this week, this one has a kink of its own and its mode of operation has never been seen before in other ransomware strains.
PowerWare is different from other crypto-ransomware samples because it is fileless, which is a tactic adopted by other malware families pushed in prolific exploit kits such as Angler.
The PowerWare ransomware is written completely in the Windows PowerShell scripting language. It uses a combination of Word files, macro scripts, and PowerShell scripting language to infect victims with its deadly payload.
PowerShell is a task automation and configuration management framework that's included in Windows and is commonly used by systems administrators. It has its own powerful scripting language that has been used to create sophisticated malware in the past.
In spite of its innovative methods, the ransomware still relies on old-school infection tactics that starts with spam email arriving in the victim's inbox. Emails contain Word documents with malicious macros which is an increasingly common attack technique.
Once enabled, the macro opens cmd.exe, which then calls PowerShell, a native Windows framework that uses a command-line shell to manage tasks, to download a malicious script. The use of PowerShell avoids writing files to the disk and allows the malware to blend in with legitimate activity on the computer.
PowerWare uses PowerShell to ultimately encrypt files stored on the machine once it’s compromised.
Once everything is encrypted, the ransom note is displayed on the victim’s screen asking them for $500 bitcoin in exchange for the encryption key; the ransom, however, goes up to $1,000 two weeks after infection.
The use of macros to push malware, meanwhile, has enjoyed resurgence in the last six months, not only with ransomware, but also banking malware such as Dridex. Macros, however, are disabled by default on Windows machines.
As for PowerSniff, discovered by Palo Alto, it uses macros to initiate a PowerShell instance which then downloads shellcode that writes the Ursnif point-of-sale malware directly into memory.
Both companies have published indicators of compromise for the respective malware families.
Multiple hospitals have recently fallen victim to ransomware attacks.
Attackers are not through testing the limits of what they can do with new features in ransomware samples.

Post a Comment Default Comments Disqus Comments

  1. Hello Everybody,

    Below are the most recommended BTC exchange services (BTC for Currency):
    Coinbase: $1 minimum trade

    Earn free Bitcoins with the best bitcoin faucet rotator:
    BTC Faucet Rotator



Weather Today!

Read More News

Random Article

Hot in week

Popular Posts