PowerShell, the scripting language and shell framework that is installed by default on most Windows computers, is becoming a favored attack tool for malware infections. In fact, over 95% of scripts using PowerShell were found to be malicious, according to a new report from Symantec.
The flexibility of the framework allows attackers to abuse it to download malicious payloads, perform reconnaissance operations, or traverse across networks. And with 95.4% of the PowerShell scripts that Symantec analyzed being malicious, it’s clear that they represent a major threat to both consumers and businesses (especially when externally sourced PowerShell scripts are involved).
Many of the recently observed targeted attacks have been using PowerShell scripts, including those launched by the Odinaff group, or those orchestrated by the Kovter Trojan’s authors. The use of PowerShell allows for a fileless infection, and the actors behind banking Trojans and other type of threats started to adopt it as well.
The most recent example of a piece of malware that abuses PowerShell is August, threat designed to steal credentials and sensitive files. The threat is distributed via malicious Word documents containing macros that, once enabled, launch a PowerShell command to download and install the final payload.
Symantec researchers say they observed many other instances where Office macros and PowerShell scripts were employed for payload download. In fact, the most prevalent malware families that currently use PowerShell include W97M.Downloader (9.4% of all analyzed samples), Trojan.Kovter (4.5%), and JS.Downloader (4%), the security company notes in a report that focuses specifically on the use of PowerShell in attacks.
The numbers come from the Symantec Blue Coat Malware Analysis sandbox, which saw 49,127 PowerShell scripts submitted this year alone. The security researchers also manually analyzed 4,782 recent distinct samples that represent a total of 111 malware families that abuse the PowerShell command line.
The number of received samples increased sharply in 2016, mainly fueled by an increase in the activity of JS.Downloader and Kovter. In the second quarter of the year, Symantec’s sandbox received 14 times more PowerShell samples compared to the previous quarter, while the third quarter saw a 22-fold increase compared to the second quarter.
Attackers, Symantec says, mostly use their PowerShell scripts post-compromise, to download additional payloads, and they also employ various techniques to ensure the scripts are executed, such as the use of extensions others than .ps1, which is usually being blocked.
The researchers also reveal that, of the 10,797 PowerShell script executions observed this year, including benign ones, 55% of the scripts that launched were started through cmd.exe on the command line. When it comes to malicious scripts only, 95% of them are executed through cmd.exe. However, because most macro downloaders are blocked before being executed on the computer, they never reach the point where they would be encountered by Symantec’s behavioral engine.
“However, out of the 111 analyzed threat families that use PowerShell, only eight percent used any obfuscation such as mixed-case letters. None of the analyzed threats randomized the order of the command arguments. The most commonly used PowerShell command-line argument was “NoProfile” (34%), followed by “WindowStyle” (24%), and “ExecutionPolicy” (23%),” Symantec says.
As examples of threats that use PowerShell, Symantec offers the Nemucod downloader that has been associated with the Locky ransomware. However, PowerShell is often associated with Office macros, though researchers say that exploit kits have been experimenting with the framework as well, including RIG, Neutrino, Magnitude, and Sundown.
For lateral movement in a compromised network, attackers abusing PowerShell use methods such as Invoke-Command, Enter-PSSession, WMI/wmic/Invoke-WMImethod, Profile injection, Task Sheduler, and even common tools, such as PsExec. For persistence, PowerShell is abused through storing scripts in the registry (Trojan.Poweliks did so in 2014), by scheduling tasks, by placing the script in the startup folder, by leveraging WMI or Group policies (GPOs), or by infecting local profiles.
Symantec’s report also details the obfuscation methods that cybercriminals use for their PowerShell scripts, while also offering info on some of the most common PowerShell malware, including ransomware, keyloggers, and banking and backdoor Trojans. Additionally, it offers a glimpse of the most prominent attacks that employ the framework, as well as on some dual-use tools.
“With the evidence we have shown of a rising tide of threats leveraging PowerShell, we recommend bolstering defenses by upgrading to the latest version of PowerShell and enabling extended logging features. Additionally, make sure that PowerShell is considered in your attack scenarios and that the corresponding log files are monitored,” Symantec concludes.