Administrators should upgrade to the latest version of Microsoft PowerShell and enable extended logging and monitoring capabilities in the light of a surge in related security threats, warn researchers.
Microsoft’s Windows PowerShell configuration management framework continues to be abused by cyber attackers, according to researchers, who have seen a surge in associated threats.
In March 2016, security experts warned that PowerShell had been fully weaponised. In the following month, a report confirmed that PowerShell was used to launch 38% of cyber attacks seen by security firm Carbon Black and its partners in 2015.
Now more than 95% of PowerShellscripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell.
Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network and carry out reconnaissance, according to Candid Wueest, threat researcher at Symantec.
“This shows that externally sourced PowerShell scripts are a major threat to enterprises,” he wrote in a blog post.
The researchers also found that many targeted attack groups use PowerShell in their attack chain because it provides easy access to all major functions of the Microsoft Windows operating system.
PowerShell is also attractive to attackers because it is installed by default on computers running Windows and leaves few traces for analysis. This is because the framework can execute payloads directly from memory.
Abuse of PowerShell is often made easier because most organisations do not enable monitoring and extended logging on their computers, making PowerShell threats harder to detect.
While many system administrators use PowerShell scripts for daily management tasks, researchers have seen attackers increasingly using the framework for their campaigns.
Many recent targeted attacks have used PowerShell scripts, according to Symantec. “The Odinaff group used malicious PowerShell scripts when it attacked financial organisations worldwide,” said Wueest.
“Common cyber criminals are leveraging PowerShell as well, such as the attackers behind Trojan.Kotver, who use the scripting language to create a fileless infection completely contained in the registry,” he said.
Malicious PowerShell scripts are mainly used as downloaders, said Wueest, such as Office macros, and during the lateral movement phase, where a threat executes code on a remote computer when spreading inside the network.
The most prevalent malware families that currently use PowerShell are W97M.Downloader, Trojan.Kotver and JS.Downloader.
“Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload. Attackers use this convoluted infection method in an attempt to bypass security protections,” he said.
Apart from downloading payloads, malicious PowerShell scripts have been used to perform various tasks, such as uninstalling security products, detecting sandboxed environments or sniffing the network for passwords.
The flexibility of the PowerShell language allows scripts to be obfuscated in multiple ways, such as command shortcuts, escape characters or encoding functions, the researchers have found.
Symantec expects more PowerShell threats to appear in the future. “We strongly recommend system administrators to upgrade to the latest version of PowerShell and enable extended logging and monitoring capabilities,” said Wueest.
Leave a Reply