PowerShell security threats greater than ever, researchers warn

PowerShell scripts used to attack businesses

While many system administrators use PowerShell scripts for daily management tasks, researchers have seen attackers increasingly using the framework for their campaigns.

Many recent targeted attacks have used PowerShell scripts, according to Symantec.

“The Odinaff group used malicious PowerShell scripts when it attacked financial organisations worldwide,” said Wueest.

“Common cyber criminals are leveraging PowerShell as well, such as the attackers behind Trojan.Kotver, who use the scripting language to create a fileless infection completely contained in the registry,” he said.

Malicious PowerShell scripts are mainly used as downloaders, said Wueest, in the same role as Office macros, and during the lateral movement phase, where a threat executes code on a remote computer to spread inside the network.

The most prevalent malware families that currently use PowerShell are W97M.Downloader, Trojan.Kotver and JS.Downloader.

Over the past six months, Symantec said it has blocked an average of 466,028 emails with malicious JavaScript per day.

“Not all malicious JavaScript files use PowerShell to download files, but we have seen a steady increase in the framework’s usage,” said Wueest.

“Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload. Attackers use this convoluted infection method in an attempt to bypass security protections,” he said.

Apart from downloading payloads, malicious PowerShell scripts have been used to perform various tasks, such as uninstalling security products, detecting sandboxed environments or sniffing the network for passwords.

The flexibility of the PowerShell language allows scripts to be obfuscated in multiple ways, such as command shortcuts, escape characters or encoding functions, the researchers have found.

Symantec expects more PowerShell threats to appear in the future. “We strongly recommend system administrators to upgrade to the latest version of PowerShell and enable extended logging and monitoring capabilities,” said Wueest.
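The logging the researchers recommend is enabled through Group Policy registry keys. The following is an added example, not code from the article or from Symantec: it turns on script block logging, module logging and transcription, then queries the resulting Event ID 4104 records for the download-and-execute patterns described above. It assumes PowerShell 5.0 or later and an elevated session; the transcript directory and the search patterns are assumptions.

```powershell
# Added example (not from the article): enable the extended PowerShell
# logging the researchers recommend and review what it captures.
# Script block logging records the de-obfuscated text of each executed
# block as Event ID 4104 in Microsoft-Windows-PowerShell/Operational,
# so encoded or escaped scripts appear in the log in readable form.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path
    foreach ($key in 'ScriptBlockLogging', 'ModuleLogging', 'Transcription') {
        New-Item -Path "$Base\$key" -Force | Out-Null
    }
    # Full content of every script block, after decoding (Event ID 4104)
    Set-ItemProperty "$Base\ScriptBlockLogging" EnableScriptBlockLogging 1 -Type DWord
    # Pipeline execution details for all modules (Event ID 4103)
    Set-ItemProperty "$Base\ModuleLogging" EnableModuleLogging 1 -Type DWord
    New-Item -Path "$Base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty "$Base\ModuleLogging\ModuleNames" '*' '*'
    # Over-the-shoulder transcripts of every session
    Set-ItemProperty "$Base\Transcription" EnableTranscripting 1 -Type DWord
    Set-ItemProperty "$Base\Transcription" OutputDirectory $TranscriptDir
}

function Get-SuspiciousScriptBlocks {
    # Pull recent 4104 events and flag the downloader behaviour the article
    # describes: web fetches, base64-encoded commands and in-memory execution.
    param([int]$MaxEvents = 500)
    $patterns = 'DownloadString', 'DownloadFile', 'Invoke-WebRequest',
                'FromBase64String', '-EncodedCommand', 'Invoke-Expression'
    $regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $regex } |
        Select-Object TimeCreated, Id,
            @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

Enable-PSLogging
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

The pattern list is a starting point for triage rather than a detection rule; legitimate administration scripts will also match, so review hits alongside the 4103 module events and transcripts.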
