Symantec is warning of a rise in malicious PowerShell scripts, as attackers increasingly use the framework's flexibility to download payloads, move laterally through a compromised network and carry out reconnaissance.
Symantec analysed 111 PowerShell malware samples to find out how much of a danger they posed. Of all of the PowerShell scripts analysed by Symantec, 95.4 percent were malicious. “This shows that externally sourced PowerShell scripts are a major threat to enterprises,” the company said.
“We have predominantly seen malicious PowerShell scripts used as downloaders, such as Office macros, and during the lateral movement phase, where a threat executes code on a remote computer when spreading inside the network.”
The most prevalent malware families that currently use PowerShell are:
These three threats have been distributed in spam emails.
Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload.
Symantec has said attackers use this convoluted infection method in an attempt to bypass security protections.
Apart from downloading payloads, malicious PowerShell scripts have been used to perform various tasks such as uninstalling security products, detecting sandboxed environments or sniffing the network for passwords.
The flexibility of the PowerShell language allows scripts to be obfuscated in multiple ways, such as command shortcuts, escape characters or encoding functions. However, out of the 111 analysed threat families that use PowerShell, only eight percent used any obfuscation.
None of the analysed threats randomised the order of the command arguments. The most commonly used PowerShell command-line argument was “NoProfile” (34 percent), followed by “WindowStyle” (24 percent), and “ExecutionPolicy” (23 percent).
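As an added example (not code from the article or from Symantec's report), the following PowerShell function triages process-creation command lines against the switches the article ranks. Because powershell.exe accepts unambiguous prefixes of its switch names (-nop, -w, -ex) and the short forms -ep and -ec, a detector that matches only full names misses the "command shortcut" obfuscation the article mentions, so the function resolves abbreviations first. The minimum prefix lengths, the Suspicious thresholds and the sample command lines are all assumptions made for this example.

```powershell
# Added example, not from the article: resolve abbreviated powershell.exe switches and
# flag command lines combining NoProfile / WindowStyle Hidden / ExecutionPolicy Bypass /
# EncodedCommand. Minimum unambiguous prefix lengths are our assumption and may need tuning.
$SwitchTable = @(
    @{ Name = 'NoProfile';       MinPrefix = 3; Aliases = @() }
    @{ Name = 'NonInteractive';  MinPrefix = 4; Aliases = @() }
    @{ Name = 'WindowStyle';     MinPrefix = 1; Aliases = @() }
    @{ Name = 'ExecutionPolicy'; MinPrefix = 2; Aliases = @('ep') }
    @{ Name = 'EncodedCommand';  MinPrefix = 1; Aliases = @('ec') }
    @{ Name = 'Command';         MinPrefix = 1; Aliases = @() }
)

function Resolve-PowerShellSwitch {
    # Map a token such as '-nop', '/W' or '-ExecutionPolicy' to its canonical switch name,
    # or $null when the token is not a switch this example tracks.
    param([string]$Token)
    if ($Token -notmatch '^[-/]([A-Za-z]+)$') { return $null }
    $key = $Matches[1]
    foreach ($s in $SwitchTable) {
        if ($s.Aliases -contains $key.ToLowerInvariant()) { return $s.Name }
        if ($key.Length -ge $s.MinPrefix -and
            $s.Name.StartsWith($key, [System.StringComparison]::OrdinalIgnoreCase)) { return $s.Name }
    }
    return $null
}

function Test-SuspiciousPowerShellInvocation {
    # Returns one record per command line: the indicators found and a Suspicious verdict.
    param([Parameter(Mandatory)][string]$CommandLine)

    $indicators = New-Object System.Collections.Generic.List[string]
    $tokens = @($CommandLine -split '\s+' | Where-Object { $_ -ne '' })

    # Only examine powershell.exe launches (bare name or full path, optionally quoted).
    if ($tokens.Count -gt 0 -and $tokens[0].Trim('"') -match '(^|\\)powershell(\.exe)?$') {
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $name = Resolve-PowerShellSwitch $tokens[$i]
            if (-not $name) { continue }
            $value = if ($i + 1 -lt $tokens.Count) { $tokens[$i + 1] } else { '' }
            switch ($name) {
                'NoProfile'       { $indicators.Add('NoProfile') }
                'NonInteractive'  { $indicators.Add('NonInteractive') }
                # 1 is the numeric value of ProcessWindowStyle.Hidden, which powershell.exe also accepts
                'WindowStyle'     { if ($value -match '^(hidden|1)$') { $indicators.Add('WindowStyle=Hidden') } }
                'ExecutionPolicy' { if ($value -match '^(bypass|unrestricted)$') { $indicators.Add("ExecutionPolicy=$value") } }
                'EncodedCommand'  { $indicators.Add('EncodedCommand') }
            }
        }
    }

    # Verdict thresholds are an assumption for this example; tune them against your own baseline.
    [pscustomobject]@{
        CommandLine = $CommandLine
        Indicators  = ($indicators -join ', ')
        Suspicious  = ($indicators -contains 'EncodedCommand') -or
                      ($indicators -contains 'WindowStyle=Hidden' -and $indicators.Count -ge 2) -or
                      ($indicators.Count -ge 3)
    }
}

# Constructed sample command lines (not real telemetry). The -enc value is a placeholder
# that decodes to the ASCII text BASE64_PLACEHOLDER, not a real encoded command.
$Samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1'
    'powershell -nop -w hidden -ep bypass -enc QkFTRTY0X1BMQUNFSE9MREVS'
    '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command Get-Service'
    'notepad.exe C:\Users\alice\notes.txt'
)
$Samples | ForEach-Object { Test-SuspiciousPowerShellInvocation $_ } | Format-Table -AutoSize
```

Of the constructed samples, only the second (hidden window, bypassed policy and an encoded command) is marked Suspicious; the first carries two of the ranked switches but is indistinguishable from a routine scheduled script, which is why the verdict weights the hidden window and encoded command more heavily than NoProfile or ExecutionPolicy on their own. Feeding real Event ID 4688 command lines into the function requires command-line auditing to be enabled, as the next example shows.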
Symantec expects more PowerShell threats to appear in the future. The company strongly recommends that system administrators upgrade to the latest version of PowerShell and enable its extended logging and monitoring capabilities.
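As an added example of the logging recommendation (not code from the article or from Symantec), the following PowerShell writes the same registry values that the PowerShell and audit Group Policy settings set: script block logging, module logging, transcription and process-creation command-line auditing. It must run elevated, script block logging requires PowerShell 5.0 or later, and the transcript output directory is an assumed path; on a managed estate set the equivalent GPOs instead of editing hosts one by one.

```powershell
# Added example, not from the article: enable the PowerShell logging the article recommends
# via the registry values Group Policy uses. Run in an elevated session.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational): logs code as
# it is compiled, so encoded or escaped scripts appear in the log de-obfuscated. Needs PowerShell 5.0+.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging for all modules (Event ID 4103): pipeline execution details per command.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Transcription: full session transcripts. C:\PSTranscripts is an assumed path; in practice point
# this at a write-only network share so a compromised host cannot tamper with its own transcripts.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Process-creation auditing with command lines (Event ID 4688 in the Security log), so the
# NoProfile / WindowStyle / ExecutionPolicy arguments the article ranks are visible at all.
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# Verify: version (5.0+ for script block logging) and the values just written.
$PSVersionTable.PSVersion
Get-ItemProperty -Path "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription", $audit |
    Format-List EnableScriptBlockLogging, EnableModuleLogging, EnableTranscripting, OutputDirectory, ProcessCreationIncludeCmdLine_Enabled
```

Script block logging is the setting that most directly addresses the obfuscation the article describes: an encoded or escaped script is logged in the form PowerShell actually compiles, so the 4104 events can be searched for the same indicators regardless of how the script was wrapped on the command line.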