
Authors of ransomware are implementing new features to make their malware even more dangerous and effective. Ransomware is such a potent threat nowadays that even security researchers are afraid of what could happen if it ever hits their own systems.

The new ransomware, called PowerWare, was discovered a week ago by security researchers at Carbon Black. It is being distributed to victims via phishing emails containing Word documents with malicious macros, an increasingly common attack technique. PowerWare is written entirely in the Windows PowerShell scripting language.

PowerShell is a task automation and configuration management framework that’s included in Windows and is commonly used by systems administrators. It has its own powerful scripting language that has been used to create sophisticated malware in the past.

A new ransomware program written in Windows PowerShell is being used in attacks against enterprises, including health care organizations, researchers warn.

PowerWare is not the first ransomware implementation in PowerShell. Security researchers from Sophos found a similar Russian-language ransomware program back in 2013. Then in 2015, they found another one that used the “Los Pollos Hermanos” logo from the Breaking Bad TV show.

While PowerShell-based malware is not new, its use has increased in recent months and it is arguably harder to detect than traditional malware because of PowerShell’s legitimate use and popularity, especially in enterprise environments.

The Carbon Black team found PowerWare when it targeted one of its customers: an unnamed healthcare organization. Multiple hospitals have recently fallen victim to ransomware attacks.

The malicious Word documents masqueraded as an invoice, the Carbon Black researchers said. When opened, it instructed users to enable Word editing and content, claiming that these actions were necessary to view the files.

In reality, enabling editing disables Microsoft Word’s “preview” sandbox and enabling content allows the execution of the embedded macro code, which Office blocks by default.

The most interesting feature of the PowerWare ransomware is that it is fileless. Many malware families in the wild are fileless, including one variant of the popular Angler Exploit Kit, but the feature is rare in ransomware.

The criminal gangs behind PowerWare are spreading it through spam messages carrying a Word document attachment that purports to be an invoice. The attackers use an old trick to convince victims to enable macros: the document claims that macros must be enabled in order to view it correctly.

The macro runs cmd.exe, which in turn launches PowerShell, the native Windows framework that uses a command-line shell to perform a variety of tasks. In an interesting twist, the PowerWare authors initially ask for a $500 ransom, which increases to $1,000 after two weeks.

The use of PowerShell lets the ransomware avoid writing files to disk, which makes the threat harder to detect. It also provides the ransomware with everything it needs to encrypt files on the victim’s PC.

Fileless ransomware could rapidly become popular in the criminal ecosystem. On March 11, researchers at Palo Alto Networks spotted a new malware family called PowerSniff that has many similarities with PowerWare, including the fileless capability.

At the RSA 2016 security conference that took place at the start of the month in San Francisco, security firm Tripwire conducted a survey among 200 security professionals on various topics.

“PowerWare” Observed Behavior

For the “PowerWare” test sample we ran, we opened a “malicious” Word document.

In this example, if the user enables the macros to run, cmd.exe will be spawned to launch a pair of instances of PowerShell: one that downloads the ransomware script and another that starts PowerShell with the script as input.

The process tree and the associated command lines are shown in the screenshot below:

Below is a snippet of the “PowerWare” script. In the first few lines, it generates some random numbers that are used to compute the encryption key, as well as the UUID assigned to this endpoint. Then the URL to post the key to is defined, and this information is sent to the attacker-controlled host via HTTP – in plain text.

(NOTE: There is good news for those who have a full packet capture solution – you may be able to self-remediate. This malware, when it phones home, does so over a plain-text protocol, so the traffic is easily observed. From there it’s just a matter of identifying the right domain and IP info in the network traffic to retrieve the encryption key. For Carbon Black customers, full details on how to secure your company from this are included below.)

Next, the commands for creating the actual key to be used in the encryption, the initialization vector, and other crypto parameters are in view.

Finally, the script goes through the file system, encrypting every file with a given extension (extensions noted below).

Attackers have also included an HTML file in every folder that had a file encrypted, named FILES_ENCRYPTED-READ_ME.HTML, detailing how an affected user can get their files back.

(You’d better hurry though! The price goes up after a couple of weeks!)

“PowerWare” Detection

Carbon Black Enterprise Protection users can block the initial cmd.exe launched by Word with a rule that blocks cmd.exe from executing when its parent is winword.exe. Covering other Office applications such as excel.exe, powerpnt.exe, and outlook.exe is a good idea as well. As always, when creating rules like this, it is recommended to first create them as report rules and watch the console to gauge any potential impact. Once you’re satisfied that this does not occur legitimately in your environment, you can change the rule action to “Block.”

Consider a similar rule for browsers to block these apps from running PowerShell as well. This should help against other types of malware leveraging Office documents.

For detection, the following Cb Enterprise Response queries should identify this activity as well (and likely other types of malware):

process_name:cmd.exe parent_name:winword.exe childproc_name:powershell.exe

process_name:powershell.exe filemod_count:[1000 to *]

And while this sample used cmd.exe as an intermediary, you should watch for PowerShell being spawned directly:

process_name:powershell.exe parent_name:winword.exe

And even cmd.exe spawned from office apps for more general detection:

process_name:cmd.exe AND (parent_name:winword.exe OR parent_name:excel.exe OR parent_name:powerpnt.exe OR parent_name:outlook.exe)
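The four queries above express the same idea: an Office application spawning cmd.exe or PowerShell, and a PowerShell process touching an unusual number of files. The following is an added example, not Carbon Black's code, that replays that logic over constructed process-event records (the record layout, the event values and the rule names are assumptions for illustration) so that the queries can be tested against telemetry from any source that records parent/child relationships and file-modification counts.

```python
from dataclasses import dataclass

# Parent applications named in the blog's rules and queries.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
FILEMOD_THRESHOLD = 1000  # mirrors filemod_count:[1000 to *]


@dataclass
class ProcessEvent:
    """Minimal process record (assumed layout, not a Cb Response schema)."""
    pid: int
    name: str
    parent_pid: int
    filemod_count: int = 0


def detect(events):
    """Return (rule, pid) hits; each rule corresponds to one blog query."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.parent_pid, []).append(e)
    hits = []
    for e in events:
        name = e.name.lower()
        parent = by_pid.get(e.parent_pid)
        parent_name = parent.name.lower() if parent else ""
        child_names = {c.name.lower() for c in children.get(e.pid, [])}
        # process_name:cmd.exe parent_name:winword.exe childproc_name:powershell.exe
        if name == "cmd.exe" and parent_name == "winword.exe" and "powershell.exe" in child_names:
            hits.append(("winword_cmd_powershell", e.pid))
        # process_name:cmd.exe AND (parent_name:<any Office app>)
        if name == "cmd.exe" and parent_name in OFFICE_APPS:
            hits.append(("office_cmd", e.pid))
        # process_name:powershell.exe parent_name:winword.exe (PowerShell spawned directly)
        if name == "powershell.exe" and parent_name == "winword.exe":
            hits.append(("winword_powershell_direct", e.pid))
        # process_name:powershell.exe filemod_count:[1000 to *] (mass file modification)
        if name == "powershell.exe" and e.filemod_count >= FILEMOD_THRESHOLD:
            hits.append(("powershell_mass_filemod", e.pid))
    return hits


def sample_events():
    """Constructed telemetry: the PowerWare chain plus a benign admin session."""
    return [
        ProcessEvent(100, "WINWORD.EXE", 1),            # user opens the "invoice"
        ProcessEvent(200, "cmd.exe", 100),              # macro spawns cmd.exe
        ProcessEvent(300, "powershell.exe", 200, 0),    # first instance: fetches script
        ProcessEvent(301, "powershell.exe", 200, 2500), # second instance: encrypts files
        ProcessEvent(10, "explorer.exe", 1),
        ProcessEvent(400, "powershell.exe", 10, 3),     # benign: admin shell, few writes
    ]
```

Running `detect(sample_events())` flags the cmd.exe child of Word under both the specific and the general Office rule and the encrypting PowerShell instance under the mass-modification rule, while the admin's shell produces no hit.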

Indicators of Compromise

File Details

Network Details

“PowerWare” Encrypts the Following:

Source: https://www.carbonblack.com/
