Fileless attacks abusing PowerShell are increasing We have seen several PowerShell script-toting malware employ techniques to bypass PowerShell’s default execution policy, such as running the malicious code as a command line argument.Ī fileless attack’s typical infection chain That doesn’t seem to be putting off hackers though. Specific PowerShell commands can be executed, for instance, but script files are prevented from running. PowerShell is restricted by default as a way to mitigate its abuse. PowerShell can virtually access a considerable range of Application Program Interfaces (APIs) to execute important functions such as VirtualAlloc, VirtualProtect, and CreateThread, all of which can be abused by attackers. PowerShell scripts aren’t just easy to write PowerShell’s flexibility, along with the availability of third-party modules, makes it relatively simple to obfuscate them. PowerShell scripts are relatively easy to write and run (and learn) for many IT/system administrators, information security professionals, penetration testers, and black hat hackers. Its use and abuse can blur the line between it being used to maliciously hack or infect a system, or to accomplish IT/system administration tasks. PowerShell is not inherently malicious and is, in fact, a legitimate tool. Last year, it also became an open-source, cross-platform framework that can be run on Linux. PowerShell is a built-in feature in Windows XP and later versions of Windows’ operating systems (OS). Why are attackers abusing PowerShell?Ībusing PowerShell heightens the risks of exposing systems to a plethora of threats such as ransomware, fileless malware, and malicious code memory injections. Many fileless malware embed malicious PowerShell scripts whose commands are often the ones responsible for downloading and launching or executing the payload. We’ve already seen how PowerShell was abused-from the Poweliks Trojan downloader that emerged in 2014, the information stealer FAREIT, and banking malware VAWTRAK to ransomware families such as PowerWare and Cerber version 6. PowerShell is also designed to enable administrators to seamlessly manage the configurations of systems and servers as well as the software or services and the environments they run on.Īnd like any potent tool, PowerShell’s capabilities have drawn the attention of cybercriminals. PowerShell is designed to automate system administration tasks, such as view all USB devices, drives, and services installed in the system, schedule a series of commands and set it in the background, or terminate processes (like Task Manager). NET framework comprising a command-line shell, an interface that lets users access services of the operating system (OS), and a programming language that can be used to create scripts. Windows PowerShell is a built-in tool based on the. Malicious PowerShell scripts are a key ingredient to many fileless malware. For example, the cybercriminal group Lurk used a fileless infection to steal more than $45 million from financial institutions using their own exploit kit. Fileless infections are also a staple feature in exploit kits such as Angler. Fileless threats, unfortunately, are also readily available in public project repositories, and even in the cybercriminal underground as a product (or service). Tell-tale signs of fileless infection are network traces, like command-and-control (C&C) connections, and other malicious code artifacts left behind in the affected machine. In a typical fileless infection, payloads can be injected into the memory of an existing application/software, or by running scripts within a whitelisted application such as PowerShell.Įven if they aren’t file-based (or executable) threats, we know they’re out in the wild due to their notoriety as a technique in targeted attacks. Instead, they are executed in the system’s memory, or reside in the system’s registry for persistence. This is the case with threats such as fileless malware.įileless infections don’t entail files being written or downloaded and executed in the affected machine’s local disks. Exploiting these legitimate system utilities also enables these threats to do its malicious bidding while leaving fewer footprints, which in turn make their detection more challenging. Leveraging them allows these threats to blend in with normal network traffic or IT/system administration tasks, for instance. By Marvin Cruz (Trend Micro Threat Researcher)Ĭonvenience, efficacy, and stealth are the likeliest reasons why cybercriminals are increasingly abusing legitimate tools or services already in the system to deliver their malware.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |