It is a trend that is not going away: cybercriminals will keep trying to circumvent security defenses with the help of increasingly sophisticated techniques. One result is so-called fileless malware, where the attack leaves little or nothing on disk for traditional file scanners to find and which has proved far more effective than expected. A telling illustration is the scale of two infamous ransomware outbreaks of last year, Petya and WannaCry, both of which used fileless techniques as part of their kill chains.
As explained by Microsoft in an overview on fileless malware, the idea behind fileless malware is simple: if tools already exist on a device, such as PowerShell.exe, to fulfill an attacker’s objectives, then why drop custom tools that could be flagged as malware? If a cybercriminal can take over a process, run code in its memory space, and then use that code to call tools that are already on a device, the attack becomes stealthy and nearly impossible to detect.
The Increasing Use of PowerShell in Fileless Malware Distribution
Malicious PowerShell activity in particular has surged. According to a detailed Symantec report, the number of computers on which malicious PowerShell activity was blocked rose by 661 percent from the second half of 2017 to the first half of 2018, and within 2018 it doubled from the first quarter to the second.
The preinstalled and versatile Windows PowerShell has become one of the most popular choices in cybercriminals’ attack arsenals, the researchers said, and these figures are a clear indication that malware operators still rely heavily on PowerShell in their attacks.
PowerShell-based techniques are especially well suited to fileless campaigns in which no payload is ever written to disk, as seen in many cryptocurrency miners and financial malware. A recent example is the so-called GhostMiner.
GhostMiner is an intrusive cryptocurrency-mining Trojan that was spotted in a worldwide attack in March. The security researchers who analyzed it rated the threat as “critical”, since it was found to spread on a global scale using a “fileless” infiltration.
The infiltration itself is a multi-step process that can be adapted to individual targets and to the campaign at hand. The attack begins with an initial infection phase that relies on several PowerShell evasion frameworks. These bypass the usual operating system protections and may also act against common security software: anti-virus programs, sandbox or debugging environments and virtual machine hosts. The evasion module is designed either to bypass such software or to remove it entirely. In certain cases the malware deletes itself if it finds that it cannot infect the target computer stealthily.
The whole “living off the land” tactic, of which PowerShell abuse is one part, is very popular these days. Dual-use tools such as WMI or PsExec, commonly seen during attacks, are another frequently observed aspect of it. Attackers constantly experiment with scripts, learn, and share their experience among themselves.
PowerShell frameworks such as PowerSploit or Empire have also made it effortless, not only for penetration testers but also for attackers, to incorporate malicious scripts into their toolsets.
To better understand the current landscape of PowerShell-powered attacks, the researchers analyzed more than 115,000 randomly selected malicious PowerShell command lines seen throughout 2018. Many of these command lines came from Microsoft Office documents or self-propagating worms.
One of the first things the researchers noted was how rarely obfuscation techniques were used.
Decreased Use of Obfuscation in PowerShell Attacks
Although there are many obfuscation tricks suitable for PowerShell, as well as fully automated tools that obfuscate scripts on the user’s behalf, these are rarely used in the wild:
Only four percent of the PowerShell command lines we analyzed tried to obfuscate themselves by using a mixture of lower- and uppercase letters. And even those that do are often auto-generated by some toolkit with a poor randomizer.
Why is that? Attackers are most likely aware that PowerShell activity is not monitored by default: unless module logging, script block logging (Event ID 4104 in the PowerShell operational log) or transcription has been turned on through Group Policy, and process-creation auditing is configured to record command lines, a plain PowerShell command line leaves very little trace.
Even where it is monitored, an unobfuscated command line can still easily “slip unnoticed through the cracks”; as the researchers put it, “too much obfuscation can be a red flag”. Attackers have another option: passing a Base64-encoded blob to hide their commands, which adds a decoding step before the payload can be seen. On its own that is not a reliable indicator, because PowerShell’s -EncodedCommand parameter expects exactly this form (Base64 over UTF-16LE text) and many benign scripts and management agents use it.
As to what malicious PowerShell scripts are used for, downloading and executing remote payloads remains the number one goal.
Of all samples analyzed by the Symantec research team, 17 percent downloaded something over HTTP or HTTPS. The scripts are getting more robust and often try multiple URLs, use the local proxy settings, or set a specific user agent in order to succeed, the researchers concluded.