PowerWare was brought to my attention by Carbon Black via their blog
post. PowerWare is downloaded by a malicious macro-enabled Microsoft
Word document that is distributed via a phishing email campaign. The
malicious document in question attempts to convince the user to enable
macros by informing them that the file is protected by Microsoft Office.
This, of course, is a farce. Once the macro is enabled, the PowerWare
payload will be downloaded and executed. PowerWare, unfortunately, is
hitting healthcare providers.
Using olevba.py from oletools, we can extract the macro from the
aforementioned document for analysis.
PowerWare based on PoshCoder
Upon examination of the PowerShell file that was downloaded, you may
notice that the programming logic looks familiar. PowerWare seems to be
heavily based on PoshCoder, the ransomware that rose to infamy due to
the fact it destroyed encrypted data using a logic based programming
flaw. The programming style and flow is similar enough that some may
even argue that it's a variant of PoshCoder and not a totally new
PowerShell ransomware family. The following are some of their major