A new file-less malware has been spotted to send out approximately 2000 spam e-mails per week to users. The malware does not have any files, but instead it spreads via infected Microsoft Office macros. All users who have been affected by this malware should immediately take action towards blocking the active connection and removing this cyber-threat from their computer via anti-malware software.
|Short Description||Steals financial data from the infected PoS system.|
|Symptoms||Slow PC, PowerShell or CMD run briefly and close. Creates a temporary dll file in %AppDataa%.|
|Distribution Method||Via malicious macros in Microsoft Office documents.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by PowerSniff|
|User Experience||Join our forum to discuss PowerSniff.|
PowerSniff – Methods of Distribution
The primary method of distribution of this PoS threat is via spam email messages, containing infected Microsoft Word, Excel, PowerPoint or other documents with infected macros. Here is an example of how a spam email sent out may appear like.
The sniffer-like malware is also reported to be spread primarily across the United States, but infections can also be seen in Canada and all over Europe as well.
PowerSniff In Detail
Once activated, the ransomware sends out system information to infect the user PC. After its macro has been enabled, similar to a network sniffer, the malware immediately sends system information to a remote host. Such information may include:
- Windows version and architecture. (32 bit vs. 64 bit).
- Computer’s antivirus software.
- Firewall protection.
- IP address.
Researchers at GrahamCluley report that after infecting the user PC, PowerSniff runs a concealed Power Shell window and executes an administrative command:
→ powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden –noprofile
Not only this, but the ransomware also begins to tamper with the Windows Registry Editor modifying it so that it creates a temporary DLL file in the %AppData% folder.
After the infection itself has been conducted, the malware has a clever selection process by which it looks for any PoS operation on the infected PC to collect credentials from them. This happens by looking for words such as “Point-Of-Sale”, “Sale” and others.
Not only this, but it also excludes any hospitals and medical centers from its hit list. This means that it excludes words such as “Hospital,” and others. These all point out to the ethics and cleverness of its developers.
Remove PowerSniff PoS Malware and Prevent It in the Future
If you believe you have become a victim of this threat it is essential to immediately transfer the funds and change the financial credentials of the PoS system and also on other systems in the network. To remove the malware, we advise using an advanced anti-malware software and following the step-by-step manual below, if the PoS system is working via Windows OS.
After the removal of this malware make sure you follow the mentioned herein safety tips. They will make sure your organization is significantly more protected than any other threats of such type in the future.