Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network, and carry out reconnaissance. Symantec analyzed PowerShell malware samples to find out how much of a danger they posed.
Of all of the PowerShell scripts analyzed through the BlueCoat Malware Analysis sandbox, 95.4 percent were malicious. This shows that externally sourced PowerShell scripts are a major threat to enterprises.
Microsoft PowerShell is a powerful scripting language and shell framework primarily used on Windows computers. It has been around for more than 10 years and will replace the default command prompt on Windows in the future. While many system administrators use PowerShell scripts for daily management tasks, we have seen attackers increasingly using the framework for their campaigns.
Many recent targeted attacks have used PowerShell scripts. For example, the Odinaff group used malicious PowerShell scripts when it attacked financial organizations worldwide. Common cybercriminals are leveraging PowerShell as well, such as the attackers behind Trojan.Kotver, who use the scripting language to create a fileless infection completely contained in the registry.
PowerShell is installed by default on most Windows computers, and most organizations do not have extended logging enabled for the framework. These two factors make PowerShell a favored attack tool. Furthermore, scripts can easily be obfuscated and allow for payloads to be executed directly from memory.
“We have predominantly seen malicious PowerShell scripts used as downloaders, such as Office macros, and during the lateral movement phase, where a threat executes code on a remote computer when spreading inside the network,” said Symantec in a press statement.
The most prevalent malware families that currently use PowerShell are:
- W97M.Downloader (9.4 percent of all analyzed samples)
- Trojan.Kotver (4.5 percent)
- JS.Downloader (4.0 percent)
Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload. Attackers use this convoluted infection method in an attempt to bypass security protections.
Apart from downloading payloads, malicious PowerShell scripts have been used to perform various tasks such as uninstalling security products, detecting sandboxed environments, or sniffing the network for passwords. The flexibility of the PowerShell language allows scripts to be obfuscated in multiple ways, such as command shortcuts, escape characters, or encoding functions.
For example, the following is a simple script that downloads and executes a remote file:
We have seen attackers use basic obfuscation to transform the same command into the following:
However, out of the 111 analyzed threat families that use PowerShell, only eight percent used any obfuscation such as mixed-case letters. None of the analyzed threats randomized the order of the command arguments. The most commonly used PowerShell command-line argument was “NoProfile” (34 percent), followed by “WindowStyle” (24 percent), and “ExecutionPolicy” (23 percent).
“Symantec expects more PowerShell threats to appear in the future. We strongly recommend system administrators to upgrade to the latest version of PowerShell and enable extended logging and monitoring capabilities,” said the company.