The people at Symantec analyzed 4,782 samples and found 111 malware families that use PowerShell commands to plant security breaches. Out of this 111 families, 8% used mixed-case letters aka obfuscation. Attackers use other methods such as Invoke-Command, Enter-PSSession, PsExec, WMI/wmic/Invoke-WMImethod, Profile injection.
Many of the new malware are taking a step by step approach to load malicious content on PCs. For example, one malicious script downloads a new script which then downloads the payload. These payloads are being used to uninstall security solutions, sending passwords and log-in credentials to the creator.
Malicious PowerShell Scripts
According to Symantec, these well-known malware families (listed below) use malicious scripts to perform security breaches:
- W97M.Downloader (Found in 9.4% of all the analyzed sample).
- Kovter Trojan (Found in 4.5% of all the analyzed sample).
- JS.Downloader (Found in 4.0% of all the analyzed sample).
Attackers are using spam e-mails to spread these malware families. Symantec says that on average they have blocked 466,028 e-mails per day, which contained malicious JavaScript. Many of those malicious JavaScripts used PowerShell to download payloads.
PowerShell has been a part of Windows since Windows 7 and will soon replace the old command prompt. Hence, many security-breachers like Odinaff group and the brains behind the “Kovter Trojan” are starting to use malicious PowerShell scripts to perform massive attacks.
Symantec says, in order to prevent yourself from the uprising in threats leveraging PowerShell and security breaches, “We recommend bolstering defenses by upgrading to the latest version of PowerShell and enabling extended logging features.”
Furthermore, they asked to consider PowerShell in attack scenarios and monitor the corresponding log files.
