- Aug 17, 2014
- 11,108
Posted on:July 9, 2019, by Ian Mercado and Josefino Fajilago, Author: Trend Micro
Powload gained notoriety as a catalyst for other malware, a prominent example being Emotet, a banking trojan known for its modular capabilities. Powload has since remained a cybercrime staple due to its ability to combine simple infection methods with constantly evolving features — including capabilities intended for evading security technology.
By sifting through six months’ worth of data (Jan-Jun 2019) covering over 50,000 samples from the Trend Micro™ Smart Protection Network™ infrastructure, we managed to gain insight into how Powload has incorporated new techniques to increase its effectiveness, especially in its ability to hide from detection. Here’s what we’ve learned.
Powload in the wild
A typical Powload attack uses social engineering techniques to get the user to click on an email attachment — for example, disguising the email as an invoice document supposedly from a supplier. The Powload samples incidents we’ve observed often use attachments that contain a macro coded with Visual Basic for Attachments (VBA), which, when clicked, activates a hidden PowerShell process to download and execute the malware payload. Most Powload variants will often incorporate obfuscation techniques to avoid hash-based detections.
While PowerShell scripts remain the most common method for downloading and executing the malware, the methods for tricking users into clicking the attachments and for hiding traces of the malware from security software are not always the same. We observed some basic techniques that range from using macro-enabled documents as social engineering lures to using hacking tools for obfuscation.
Continue reading below:
blog.trendmicro.com
Powload gained notoriety as a catalyst for other malware, a prominent example being Emotet, a banking trojan known for its modular capabilities. Powload has since remained a cybercrime staple due to its ability to combine simple infection methods with constantly evolving features — including capabilities intended for evading security technology.
By sifting through six months’ worth of data (Jan-Jun 2019) covering over 50,000 samples from the Trend Micro™ Smart Protection Network™ infrastructure, we managed to gain insight into how Powload has incorporated new techniques to increase its effectiveness, especially in its ability to hide from detection. Here’s what we’ve learned.
Powload in the wild
A typical Powload attack uses social engineering techniques to get the user to click on an email attachment — for example, disguising the email as an invoice document supposedly from a supplier. The Powload samples incidents we’ve observed often use attachments that contain a macro coded with Visual Basic for Attachments (VBA), which, when clicked, activates a hidden PowerShell process to download and execute the malware payload. Most Powload variants will often incorporate obfuscation techniques to avoid hash-based detections.
While PowerShell scripts remain the most common method for downloading and executing the malware, the methods for tricking users into clicking the attachments and for hiding traces of the malware from security software are not always the same. We observed some basic techniques that range from using macro-enabled documents as social engineering lures to using hacking tools for obfuscation.
Continue reading below:
