Documents with malicious macros deliver fileless malware to financial-transaction systems
“The rogue script performs a variety of checks on the computer. First it tries to determine if the environment is a virtual machine or sandbox like those used by malware analysts. It then scans the network configuration for strings like school, hospital, college, health and nurse. It also scans the network for other machines with names including teacher, student, schoolboard, pediatrics, orthoped, as well as POS, store, shop and sale. Cached URLs are scanned for a number of financial websites and names like Citrix and XenApp.
According to the Palo Alto researchers, the goal of these checks is to find systems that are used to conduct financial transactions and to avoid systems that belong to security researchers as well as medical and educational institutions.