Palo Alto Networks has discovered a new spam email campaign that is being used to spread fileless malware via malicious Microsoft Word macros sent as email attachments.

What is Fileless Malware?

Fileless malware, or memory-resident malware, is most commonly associated with drive-by malware attacks via malicious websites. The malware resides in the RAM and is never installed on the hard drive of an infected machine, which means it is difficult to detect because anti-virus software does not check the memory.

Memory-resident malware has not been favored by attackers until recently, as infections do not survive a reboot. However, some fileless malware such as Poweliks uses the registry to ensure persistence. Memory-resident malware is often used to spy on computer activity and record keystrokes.

PowerSniff Fileless Malware Rated as High Threat

The spam email campaign discovered by Palo Alto uses Microsoft Word macros to install the malware. When infected Word documents are opened, malicious macros execute PowerShell scripts and fileless malware is injected into the memory. In the latest case, the malware bears some resemblance to Ursnif malware. Palo Alto call the latest variant PowerSniff.

To date, over 1500 spam emails have been observed by Palo Alto. The emails are not sent out using mass spam email campaigns, but appear to be targeted and include data highly specific to the target. The emails contain the users first name for instance, along with an address or telephone number to make the target believe the email is genuine.

The subject lines and file names used in the emails differ from individual to individual. All of the emails contain an infected Word file along with some pressing reason for the individual to open the document. This can include invoices that urgently need to be paid, details of payments that have not gone through, gift vouchers that needs to be claimed, or reservations that must be confirmed.

The attacks are primarily being conducted on targets in the United States and Europe. The targets are mostly in the professional, hospitality, manufacturing, wholesale, energy, and high tech industry sectors.

The malware is capable of checking if is in a sandbox or virtualized environment, and performs reconnaissance on the victim host. According to Palo Alto researchers, the malware is sniffing out machines that are used for financial transactions, searching for strings such as POS, SALE, SHOP, and STORE. The malware actively avoids machines that are used in the healthcare and education sectors, searching for strings such as nurse, health, hospital, school, student, teacher, and schoolboard and marking these as being of no interest.

Palo Alto has rated the malware a high threat, with activity widespread in the past week. To protect against this type of attack, and others using malicious Word macros, it is essential that macros are automatically disabled in Microsoft Word. Users should deny any request to run macros if they accidentally open an email attachment.