
Most External PowerShell Scripts Are Malicious: Symantec


PowerShell, the scripting language and shell framework that is installed by default on most Windows computers, is becoming a favored attack tool for malware infections. In fact, over 95% of scripts using PowerShell were found to be malicious, according to a new report from Symantec.

The flexibility of the framework allows attackers to abuse it to download malicious payloads, perform reconnaissance operations, or traverse across networks. And with 95.4% of the PowerShell scripts that Symantec analyzed being malicious, it’s clear that they represent a major threat to both consumers and businesses (especially when externally sourced PowerShell scripts are involved).

Many of the recently observed targeted attacks have been using PowerShell scripts, including those launched by the Odinaff group and those orchestrated by the Kovter Trojan’s authors. The use of PowerShell allows for a fileless infection, and the actors behind banking Trojans and other types of threats have started to adopt it as well.

The most recent example of a piece of malware that abuses PowerShell is August, a threat designed to steal credentials and sensitive files. The threat is distributed via malicious Word documents containing macros that, once enabled, launch a PowerShell command to download and install the final payload.

Symantec researchers say they observed many other instances where Office macros and PowerShell scripts were employed for payload download. In fact, the most prevalent malware families that currently use PowerShell include W97M.Downloader (9.4% of all analyzed samples), Trojan.Kovter (4.5%), and JS.Downloader (4%), the security company notes in a report that focuses specifically on the use of PowerShell in attacks.

The numbers come from the Symantec Blue Coat Malware Analysis sandbox, which saw 49,127 PowerShell scripts submitted this year alone. The security researchers also manually analyzed 4,782 recent distinct samples that represent a total of 111 malware families that abuse the PowerShell command line.

The number of received samples increased sharply in 2016, mainly fueled by an increase in the activity of JS.Downloader and Kovter. In the second quarter of the year, Symantec’s sandbox received 14 times more PowerShell samples compared to the previous quarter, while the third quarter saw a 22-fold increase compared to the second quarter.

Attackers, Symantec says, mostly use their PowerShell scripts post-compromise, to download additional payloads, and they also employ various techniques to ensure the scripts are executed, such as using file extensions other than .ps1, which is usually blocked.


The researchers also reveal that, of the 10,797 PowerShell script executions observed this year, including benign ones, 55% of the scripts that launched were started through cmd.exe on the command line. When it comes to malicious scripts only, 95% of them are executed through cmd.exe. However, because most macro downloaders are blocked before being executed on the computer, they never reach the point where they would be encountered by Symantec’s behavioral engine.

“However, out of the 111 analyzed threat families that use PowerShell, only eight percent used any obfuscation such as mixed-case letters. None of the analyzed threats randomized the order of the command arguments. The most commonly used PowerShell command-line argument was ‘NoProfile’ (34%), followed by ‘WindowStyle’ (24%), and ‘ExecutionPolicy’ (23%),” Symantec says.

As an example of a threat that uses PowerShell, Symantec offers the Nemucod downloader, which has been associated with the Locky ransomware. PowerShell is most often associated with Office macros, but researchers say that exploit kits have been experimenting with the framework as well, including RIG, Neutrino, Magnitude, and Sundown.

For lateral movement in a compromised network, attackers abusing PowerShell use methods such as Invoke-Command, Enter-PSSession, WMI/wmic/Invoke-WmiMethod, profile injection, Task Scheduler, and even common tools such as PsExec. For persistence, PowerShell is abused by storing scripts in the registry (Trojan.Poweliks did so in 2014), by scheduling tasks, by placing the script in the startup folder, by leveraging WMI or Group Policy objects (GPOs), or by infecting local profiles.
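The command-line traits the report calls out above (launch through cmd.exe or from an Office parent, the NoProfile, WindowStyle and ExecutionPolicy switches, mixed-case switch names, and remoting cmdlets such as Enter-PSSession) can be turned into a simple triage rule for process-creation telemetry. The Python below is an added example written for this article, not code from Symantec or from the report. It runs over a few constructed records in the shape of Windows Security event 4688 fields (parent image, new process image, command line); those records are invented inputs, not samples from the report. The abbreviated switch forms it accepts (-nop, -w, -ep, -ec), the minimum prefix lengths, and the indicator weights are the author's assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation records in the shape of Windows Security event 4688
# fields (parent image, new process image, command line). They are invented for
# this example and are not samples from the Symantec report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the macro chain the article describes: Office -> cmd.exe -> hidden PowerShell
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden "
                   r"-ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1",
    },
    {   # same switches abbreviated and in mixed case, the light obfuscation the report notes
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -nOpRoFiLe -w hidden -eP bYpAsS -EncodedCommand AAAA",
    },
    {   # remoting from an admin workstation: legitimate on its own but worth a look
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell.exe -NoProfile -Command "Enter-PSSession -ComputerName fileserver01"',
    },
    {   # ordinary interactive shell: nothing to flag
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe",
    },
]


def _switch_re(name: str, min_len: int, alias: str = "") -> "re.Pattern[str]":
    """powershell.exe accepts unambiguous prefixes of a switch (-nop, -w, ...), so match
    the full name or any prefix of at least min_len characters, plus an explicit alias
    where one exists (-ep, -ec). The minimum lengths are the author's assumption."""
    alts = [re.escape(name[:n]) for n in range(len(name), min_len - 1, -1)]
    if alias:
        alts.append(alias)
    return re.compile(r"(?<![\w-])[-/](" + "|".join(alts) + r")(?![\w-])(?:\s+(\S+))?",
                      re.IGNORECASE)


SWITCHES = {
    "NoProfile": _switch_re("NoProfile", 3),
    "WindowStyle": _switch_re("WindowStyle", 1),
    "ExecutionPolicy": _switch_re("ExecutionPolicy", 2, alias="ep"),
    "EncodedCommand": _switch_re("EncodedCommand", 1, alias="ec"),
}
# Remoting and lateral-movement tooling named in the report.
LATERAL = re.compile(r"\b(Invoke-Command|Enter-PSSession|Invoke-WmiMethod|wmic(?:\.exe)?|PsExec(?:\.exe)?)\b",
                     re.IGNORECASE)
OFFICE_PARENT = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.IGNORECASE)
# Author's weights: plain switch presence scores 0 because -NoProfile alone is common and benign.
WEIGHTS = {"parent_office_app": 3, "parent_cmd_exe": 1, "hidden_window": 2, "policy_bypass": 2,
           "switch_encodedcommand": 2, "mixed_case_switch": 2, "mixed_case_value": 1,
           "remoting_or_lateral_tool": 1}


def _odd_casing(token: str, canonical: str) -> bool:
    """Mixed-case spelling (nOpRoFiLe) that is neither all-lower, all-upper nor a
    prefix of the documented spelling: the obfuscation style the report describes."""
    return not (token.islower() or token.isupper() or canonical.startswith(token))


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the sorted indicator names found in one process-creation record."""
    cmd = event["cmdline"]
    if not re.search(r"\bpowershell(?:\.exe)?\b", cmd, re.IGNORECASE):
        return []
    hits = set()
    parent = event["parent"]
    if OFFICE_PARENT.search(parent):
        hits.add("parent_office_app")
    if parent.lower().endswith("\\cmd.exe"):
        hits.add("parent_cmd_exe")
    for name, pattern in SWITCHES.items():
        match = pattern.search(cmd)
        if not match:
            continue
        switch, value = match.group(1), match.group(2) or ""
        hits.add("switch_" + name.lower())
        if _odd_casing(switch, name):
            hits.add("mixed_case_switch")
        if name == "WindowStyle" and value.lower() == "hidden":
            hits.add("hidden_window")
        if name == "ExecutionPolicy" and value.lower() in ("bypass", "unrestricted"):
            hits.add("policy_bypass")
        if name in ("WindowStyle", "ExecutionPolicy") and value and _odd_casing(value, value.capitalize()):
            hits.add("mixed_case_value")
    if LATERAL.search(cmd):
        hits.add("remoting_or_lateral_tool")
    return sorted(hits)


def verdict(indicators: List[str]) -> str:
    """Collapse the indicators into a triage label using the author's weights."""
    score = sum(WEIGHTS.get(i, 0) for i in indicators)
    return "suspicious" if score >= 4 else "review" if score >= 1 else "benign"


def triage(events: List[Dict[str, str]]):
    """(command line, indicators, label) for every record, for a console or SIEM feed."""
    return [(e["cmdline"], analyze(e), verdict(analyze(e))) for e in events]


if __name__ == "__main__":
    for cmdline, indicators, label in triage(SAMPLE_EVENTS):
        print(f"[{label:10}] {cmdline}\n             {', '.join(indicators) or '-'}")
```

Real 4688 records only carry the command line once command-line auditing is enabled in the process-creation audit policy, which is one of the extended logging features the report recommends; the same indicator checks can be applied to the script text in PowerShell Operational script block events (event ID 4104) once script block logging is turned on.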

Symantec’s report also details the obfuscation methods that cybercriminals use for their PowerShell scripts, and offers information on some of the most common PowerShell malware, including ransomware, keyloggers, and banking and backdoor Trojans. Additionally, it gives an overview of the most prominent attacks that employ the framework, as well as of some dual-use tools.

“With the evidence we have shown of a rising tide of threats leveraging PowerShell, we recommend bolstering defenses by upgrading to the latest version of PowerShell and enabling extended logging features. Additionally, make sure that PowerShell is considered in your attack scenarios and that the corresponding log files are monitored,” Symantec concludes.

Related: PowerShell-Abusing Banking Trojan Goes to Brazil

Written by Ionut Arghire, an international correspondent for SecurityWeek.
