From Fileless Techniques to Using Steganography: Examining Powload's Evolution | Cell Phone Spy and Mobile Tracking Software
By: Augusto Remillano and Kiyoshi Obuchi (Threats Analysts) Powload's staying power in the threat landscape shows how far it has come. In fact, the uptick of macro malware in the first half of 2018 was due to Powload, which was distributed via spam emails. Powload was also one of the most pervasive threats in the North American region in 2018, using various techniques to deliver payloads such as the information-stealing Emotet, Bebloh, and Ursnif. Our Powload detections and the number of related cases/incidents and unique samples we analyzed in 2018 also markedly increased compared to 2017. Powload's evolving techniques, on the other hand, show how far it'll go. While its use of spam email as a distribution method could be its constant, it has employed different ways of delivering payloads, from bypassing mitigations like a document's preview mode to using fileless techniques and hijacking email accounts. Figure 1. Detections for Powload based on data from Trend MicroSmart Protection