PowerSniff is a malware which is distributed to victims via spam emails with a Microsoft Word Document attachment. It uses some social engineering to convince the victim to click on the attachment. And, on clicking on the Microsoft Word Document attachment, a malicious macro embedded in the file starts executing, which in turn, infect the computer affecting the victim.
How does PowerSniff infect a computer
At first, a victim gets an email with a Microsoft Word Document attachment. Majority of the emails contain specific information about the victim's company like its physical address and phone numbers etc so that the victim gets convinced and the possibility that the victim would click on the attachment increases.
After clicking on the Microsoft Word Document, a malicious macro contained in the file starts executing. A Microsoft Word Document macro is basically a series of commands and instructions that can be grouped together as a single command to accomplish a specific task automatically.
This macro invokes the WMI service which in turn, executes a hidden instance of powershell.exe. It checks whether the system is a 32 bit or a 64 bit machine. And, based on that information, it downloads and executes another malicious file on the system.
The downloaded file is a PowerShell script which contains a shellcode and is subsequently decoded and executed. This shellcode decrypts and executes an embedded payload.
The malware then performs a number of actions to determine a few information, like whether the system is running in a sandbox or virtualized environment and some specific information about the victim. The malware mainly tries to target victims who work in any financial institution or the device is actively used in financial transactions. The malware seems to avoid a machine which is a part of a healthcare or educational organization. And, if the conditions are met the victim's machine is marked as interesting to the attackers.
The following prevention mechanisms can be taken to safeguard a user from falling victim of this malware :
- As this malware relies on Microsoft Word Document macro, please make sure macros are not enabled in Word document by default.
- If you are not very sure of the authenticity of the source, please avoid opening any macros contained in the file.
- And, please avoid clicking on email attachment, if you are not sure about the sender of the email.
So, beware of various security threats so that you can protect your systems in a better way. And, stay safe, stay secured.