Fileless Phishing Attack Infects Windows Systems
Researchers at Palo Alto Networks have uncovered a Word doc phishing scheme that downloads its payload directly into memory. The attack targets Windows systems that have PowerShell available, which includes almost all recent versions of Windows.
The so-called PowerSniff attack arrives in an email message that contains unusually detailed information about the user, gaining the reader's confidence through knowledge of facts such as the company name, phone number and address. If the user opens the attached document, the document downloads a hidden script that runs entirely in memory, leaving no footprint in the filesystem. The hidden script performs a number of reconnaissance checks, including checking whether the system is running in a sandbox and probing other computers on the network to determine whether any are used for medical information or financial transactions.
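The delivery pattern described above (a Word document whose macro hands a script to PowerShell without writing it to disk) leaves one reliable observable for defenders: an Office application becoming the parent process of a PowerShell host. The script below is an added example written for this page, not tooling from Palo Alto Networks or from the article. It parses a few constructed process-creation events in an assumed `key=value` log format (hostnames, timestamps, paths and command lines are all made up) and flags Office-to-PowerShell launches, raising the severity when the command line also carries flags typical of in-memory execution.

```python
"""Flag Office applications spawning PowerShell in process-creation logs.

Added example for this article; not Palo Alto Networks' code. The log
format below is an assumption for illustration, not any vendor's schema.
"""
import re
from dataclasses import dataclass

# Office executables that normally have no business launching a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Secondary indicators: each one found in the command line adds a reason.
# None is required; the Office -> PowerShell pairing alone is reportable.
SUSPECT_ARGS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"downloadstring|net\.webclient", re.I), "web download"),
]

# Constructed sample events (not real telemetry). Values containing spaces
# are double-quoted; the encoded blob is a placeholder, not a real payload.
SAMPLE_EVENTS = """
ts=2016-03-11T09:12:01Z host=ws01 parent="C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE" image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -w hidden -nop -ep bypass -e QQBCAEMA..."
ts=2016-03-11T09:12:05Z host=ws01 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"
ts=2016-03-11T09:13:40Z host=ws02 parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -File C:\\scripts\\backup.ps1"
ts=2016-03-11T09:15:22Z host=ws03 parent="C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE" image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -NoProfile -Command Get-Date"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    ts: str
    host: str
    parent: str
    child: str
    severity: str
    reasons: list


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return a Finding if an Office app spawned a script host, else None."""
    parent = basename(event.get("parent", ""))
    child = basename(event.get("image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    reasons = [f"{parent} spawned {child}"]
    cmdline = event.get("cmdline", "")
    for pattern, label in SUSPECT_ARGS:
        if pattern.search(cmdline):
            reasons.append(label)
    # The pairing alone is medium; any in-memory execution flag makes it high.
    severity = "high" if len(reasons) > 1 else "medium"
    return Finding(event.get("ts", "?"), event.get("host", "?"),
                   parent, child, severity, reasons)


def scan(text):
    """Scan a block of log lines and collect all findings in order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = analyze(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.ts} {f.host}: " + "; ".join(f.reasons))
```

On real telemetry the three fields map directly onto Sysmon event ID 1 (`ParentImage`, `Image`, `CommandLine`) or the equivalent from an EDR. The `cmd.exe` launch of a scheduled backup script is deliberately left alone, and the Excel launch of a plain `Get-Date` is reported only as medium: administrators do occasionally wire Office to PowerShell, so the parent/child pairing is a triage signal to allowlist per host, while the in-memory execution flags are what should page someone.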
According to the alert posted by Palo Alto’s Josh Grunzweig and Brandon Levene, all users who have PowerShell-ready systems should ensure that macros are not enabled by default and should “be wary of opening any macros received from untrusted sources.”