PowerShell is a sophisticated scripting engine that’s frequently used by system administrators to automate common management functions. PowerShell provides command-line access to almost all features of a Windows computer, including software installation, process management, configuration editing and various code execution capabilities.
The deep OS-level integration of PowerShell makes it an ideal scripting language for admins working with Windows PCs. This same characteristic also renders it a highly attractive target for cyberattackers, who can craft PowerShell scripts to interfere with a system, extract data and run malicious commands.
As reported by ComputerWeekly, McAfee Labs found adoption of PowerShell malware soared over the past year. The number of observed attacks rose by 432%, a figure that suggests cybercriminals are moving away from traditional file-based attack vectors. Compared with placing malicious executables on a machine, a PowerShell exploit may be harder to detect and easier to deploy.
READ NEXT: Sir Tim Berners-Lee calls for “regulatory framework” for big tech
Attacks that have used PowerShell to infiltrate systems include several Microsoft Office threats, crypto-jacking software and the Operation Gold Dragon campaign against the 2018 Winter Olympics. McAfee said the latter was an “exemplary” example of the possibilities of PowerShell malware. The company said the tool is rapidly becoming a “go-to” option for cyberattackers crafting malware designed to go unnoticed.
“In 2017, McAfee Labs saw PowerShell malware grow by 267% in Q4, and by 432% year over year as the threat category increasingly became a go-to toolbox for cybercriminals,” said McAfee. “The scripting language was irresistible, as attackers sought to use it within Microsoft Office files to execute the first stage of attacks.”
Mitigating PowerShell attacks can be difficult because the contents of malicious scripts can easily be obfuscated. Once it’s running, a PowerShell script can disguise its operations and persist itself in a target system. Admins might not necessarily spot its existence, especially if they’re already using legitimate PowerShell scripts on the same machine.
Because PowerShell is preinstalled and enabled by default on Windows, attackers can count on it being always being available. McAfee said the best way to defend against script-based invasions is to provide training to users on spotting potential attacks. Most PowerShell malware is still distributed in regular spam emails, so users should remain vigilant when opening mail from unknown senders.
