According to researchers at McAfee, a new malware campaign is targeting organizations associated with the upcoming 2018 Winter Olympics in Pyeongchang, South Korea.
The attack is being delivered via phishing emails disguised as alerts from country’s National Counter-Terrorism Center, with malicious Word documents attached.
Once opened, the Word document encourages readers to enable content. If they do, that triggers an embedded macro to launch PowerShell.
Why this attack is different: What truly makes this campaign notable is its use of a brand new PowerShell tool called Invoke-PSImage that allows attackers to hide malicious scripts in the pixels of otherwise benign-looking image files, and later execute them directly from memory.
Why that’s dangerous: Not only does hiding the script inside an image file help it evade detection, executing it directly from memory is a fileless technique that generally won’t get picked up by traditional antivirus solutions.
No download necessary: Invoke-PSImage can be used to extract scripts from downloaded images or images hosted on the web. That means an attacker doesn’t necessarily need to download an image onto a machine in order to get a script embedded inside it to run on that machine.
In the case of this particular malware campaign, the image file is downloaded to the victim machine. Once extracted, the embedded script is passed to the Windows command line and executed via PowerShell.
This attack is another troubling example of how attacks are evolving away from using malicious .exe’s.
In the past, we’ve seen many attacks abusing PowerShell follow a tried-and-true pattern:
Spam email with Word attachment > Word attachment with embedded macro > Macro launches PowerShell script > PowerShell script downloads and executes malware .exe payload
In these scenarios, traditional antivirus solutions have a chance of scanning and blocking the attack, but not until the very last step. Once the malware payload has been downloaded onto the device the AV might be able to block it, but only if the malware has been seen before and the AV has a signature it can refer to in order to identify it. In these scenarios, we’ve seen plenty of instances where the AV misses and the infection is successful.
This malware campaign presents an even worse scenario in which the AV doesn’t have that opportunity:
Spam email with Word attachment > Word attachment with embedded macro > Macro launches PowerShell script > PowerShell script extracts 2nd PowerShell script from image and executes it from memory > In-memory executed script gives attacker remote access and control
With no malicious executable file to scan, this attack can easily succeed unless other protections are in place. Here are a few things you can do to reduce your risk of attacks like this:
- Remind employees not to open email attachments from senders they don’t know: They should be especially wary of Word documents that ask them to enable content/macros.
- Enforce stricter macro controls: For starters, consider blocking macros in Office files downloaded from the Internet.
- Disable or restrict PowerShell: If PowerShell isn’t being used for something vital on a machine, disable it. If it is being used for something vital, consider using PowerShell Constrained Language Mode. That will limit PowerShell to its most basic functionality and make many fileless attack techniques unusable.
Cyber-attacks are rapidly getting more sophisticated. GDR Group will help train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now and email firstname.lastname@example.org to request a quote for security awareness training for your organization.