What are Script-Based Attacks? And What can be Done to Prevent Them?
As originally published in HelpNet Security.
Attackers always seek out new ways to evade detection. As most endpoint security products handle file-based attacks relatively well, scripts are an excellent way for attackers to avoid making changes to a disk, thus bypassing the threat detection capabilities of most products. In today's threat landscape, scripts provide initial access, enable evasion, and facilitate lateral movements post-infection. Attackers will use scripts directly on the machine or embed them in Office documents and PDFs sent to the victims as email attachments. The following blog post provides a short snapshot of what the script threat landscape looks like, and reviews common attacks and methods.
Script-based cyber attacks gained popularity in 2017 as their availability grew by over 400%. Nation-state and cybercrime groups adopted the use of scripts and fileless malware in this same timeframe. Today, script-based attacks account for 40% of all cyberattacks, according to the 2020 endpoint security report from Ponemon Institute. In 2019 and 2018, Deep Instinct identified increased use of fileless attack methods. Particularly suspicious was a spike in the abuse of legitimate applications and native tools such as PowerShell for lateral movement and infection. This trend applies to the nation-state and non-state actors alike.
A script can be anything from a sequence of simple system commands, advanced scripting languages used for system configurations, complex task automation, and other general purposes. Common scripting languages are VBScript, JavaScript, and PowerShell. Unlike applications that run after compiled into machine code, computers interpret scripts. To put in the words of Larry Wall, creator Perl scripting language, "a script is what you give the actors, but a program is what you give the audience."
How Attackers Use Scripts
Like other types of malware, payload delivery, and lateral movement follow a successful script initiated infection. The payload performs actions desired by the attacker, such as information collection, file encryption, or backdoor communication. At the same time, lateral movement infects additional computers within the network.
The use of scripts poses many advantages to the attacker: scripts are easy to write and execute, trivial to obfuscate, and extremely polymorphic. Moreover, attackers can use many types of script files to carry out an attack - the most popular being PowerShell, JavaScript, HTA, VBA, VBS, and batch scripts. Finally, since fileless attacks occur in memory, traditional static file detection is rendered useless. Furthermore, scripts complicate post-event analysis since many artifacts related to the attack only exist in the computer's memory and may be overwritten or removed through a reboot, for example. In-memory detection and artifact collection is possible through the use of heuristics and behavioral analysis, which can detect malicious in-memory activities.
Script-based attacks run on virtually all Windows systems, increasing the potential attack surface and the chance of infection. One major drawback of script-based attacks is that, unless deployed via an exploit, for the script to run, user interaction is required. For example, in most cases, the script is contained either as a script file within an email requiring user action or as a VBA macro in a document that requires the user to enable macros.
Many types of malware, including ransomware, backdoors, and financial, make use of scripts. For instance, a script that downloads a PE file can either save it to disk or run it from memory, depending on its level of sophistication. The script can also perform additional malicious actions, such as collecting information about the victim, from the computer name to saved passwords.
Studying a sample set of attacks, Deep Instinct Threat Intelligence concluded 75% of fileless campaigns use scripts (mostly one or more of PowerShell, HTA, JavaScript, VBA) during at least one of the attack stages.
For example, the Helminth Trojan, used by the Iran-based Oilrig group, uses scripts for its malicious logic. In the attack, a Microsoft Word document file exploiting CVE-2017-0199 delivers an HTA script executed by the Windows process, which runs the HTML executable mshta.exe. Once executed, the script initiates the attack, delivering the Helminth Trojan as PowerShell and VBS files.
Powershell: A Powerful Tool for the Sysadmin and Attacker Alike
PowerShell is a framework used for configuration management and task automation, with a command-line shell and scripting language. PowerShell provides access to Microsoft Windows Management Instrumentation (WMI) and Component Object Model (COM), which makes it a useful and versatile tool for system administrators automating IT management processes, but also for attackers seeking a hold of the system.
A malicious file loader using PowerShell
Attackers use PowerShell in their attacks to load malware directly in memory without writing to disk, thus bypassing many endpoint security products. Attackers also use PowerShell to automate data exfiltration and infection processes using frameworks such as Metasploit or PowerSploit.
As with other types of attacks, in a script-based attack, the initial hold of the victim generally occurs through a successful phishing attack, which contains a dropper - such as a PDF, RTF, Office file, or archive. In most cases, the dropper will then run a script, either a VBA macro or another type of script, such as PowerShell, JavaScript, or HTA. In some cases, the scripts act as downloaders, either downloading a PE file to disk before removing it, injecting a PE file into another process, or downloading another script to carry out the next stage of the attack. In rare cases, the script contains the entire malicious logic. In other cases, the attacker exploits the vulnerabilities in the document reader, for example, Adobe Acrobat, to drop the next phase of the attack. The use of droppers is widespread not only in script-based malware but also in file-based malware attacks, including well-known ransomware and financial malware campaigns.
A well-known attack using this method was Cobalt malware, which used a document dropper exploiting CVE-2017-11882. When the user opened the document, the exploit contained in the document downloaded a JavaScript, which in turn executed several PowerShell scripts – the last of which included Cobalt DLLs in the script code. These completed in PowerShell's memory without being dumped to disk. Through the use of this exploit, attackers executed a fileless attack, in which the only action performed by the user was opening the document dropper.
In many cases, PowerShell allows the attacker to gain an initial foothold on a victim, since using PowerShell enables attackers to obtain permissions and privileges, perform the lateral movement in the system, as well as interact with other Windows applications such as Microsoft Exchange.
Javascript: An Unwanted Guest on your PDF Reader
JavaScript is a standard scripting language used in web pages, web applications, and browsers. JavaScript can manipulate and modify PDF files with implemented objects, web page links, and more. Even though not designed to have direct access to the file system, most PDF-based attacks use a PDF reader software or an in-browser reader to run JavaScript code on the victims' machine. Either exploiting an unpatched vulnerability or using a by-design feature, PDF reader companies and malware developers are on a cat-and-dog chase that has been going on for years.'
Additional script-based threats
HTML application (HTA) is a Microsoft Windows file meant to run on Internet Explorer, which combines HTML code with internet explorer supported scripts such as VBScript or JScript. HTA files execute through Microsoft HTA engine (mshta.exe) that has the local user's privileges instead of Internet Explorer's restricted privileges, with access to the filesystem and registry.
Malicious HTA files allow scripts to run the machine with local user privileges to download and run executables or additional scripts. Though considered an old attack vector, many script-based attacks continue to use HTA files. These files can be sent as attachments, downloaded by another script, or redirects from malicious websites.
VBScript (Microsoft Visual Basic Scripting Edition) is a Microsoft scripting language based on VBA (Visual Basic for Applications). Instead of a full application development that VBA offers, VBS offers more straightforward usage, aiming at task automation for system administrators. Much like PowerShell, which is intended for similar uses, VBScript in often seen in script-based attacks. Microsoft's support of script encoding in the form of VBE files is another reason attackers find it useful.
So, Should I allow scripts to run in my organization network?
In fileless and script-based attacks, the malicious logic of the attack occurs in memory, making threat detection with traditional static file analysis insufficient. With script based-attacks on the rise, PowerShell in particular, organizations need to be ready to combat attacks in which the entire attack sequence occurs in memory.
A basic first step any organization should consider is segmenting employees into several groups:
- Running scripts is part of their day-to-day job
- Running scripts is not common but might happen
- There is no need to run scripts
Once segmented, security teams should ensure scripts can only execute from read-only locations and access specific machines. Additionally, security teams should restrict and monitor the use of interactive PowerShell across the organization. Additionally, practicing good IT hygiene can limit an organization's attack surface and the risk associated with script-based attacks.
With these foundational rules in place, organizations should seek out security solutions with specific capabilities that balance the ability to detect script-based attacks while allowing users who need to use scripts for their job function to do so without interruption. In its latest product version , Deep Instinct introduced Contextual Script Behavioral Analysis that delivers script threat prevention capabilities that meet these requirements. Unlike other script prevention approaches that limit script access by policy only, Deep Instinct's Contextual Script Behavioral Analysis analyzes the content of the script to identify threats. With built-in capabilities to identify malicious PowerShell commands and content as well as identify when a script executes as a child process of a closed list of parent processes (such as MS Word, Outlook, etc.) Deep Instinct's hybrid approach to script-based threat prevention delivers what you need to maintain a resilient security posture.