Symantec warns of growing number of malicious scripts

Dec 10, 2016 09:23 GMT

Microsoft PowerShell is a really powerful tool for IT professionals running Windows, and the Redmond-based software giant is making it the default shell in the operating system, but security experts say that cybercriminals are also increasingly using it for spreading malware.

Security firm Symantec has analyzed malicious PowerShell scripts and says that the number of threats is growing at a fast pace, especially in enterprises, where the shell framework is more widely used.

Symantec says that most malicious PowerShell scripts are used as downloaders, often launched from Office macros, and that the ultimate goal is to execute code on a computer and then spread malware across the entire network.

Scripts trying to remove security protection

There are three common malware families that are spreading with PowerShell scripts these days, namely W97M.Downloader (9.4 percent of all analyzed samples), Trojan.Kotver (4.5 percent), and JS.Downloader (4.0 percent), according to Symantec.

“Over the last six months, we blocked an average of 466,028 emails with malicious JavaScript per day, and this trend is growing. Not all malicious JavaScript files use PowerShell to download files, but we have seen a steady increase in the framework’s usage,” the firm says.

Cybercriminals are also creating more complex PowerShell scripts that work in stages: instead of compromising the target computer directly, the first script is linked to a different script that eventually deploys the malware. This helps bypass certain security solutions and protection apps, and in some cases the scripts are written to uninstall those security solutions or steal passwords used across the network.

The best way to protect against this type of threat is to run security software that is fully up to date, as well as the latest version of PowerShell. Additionally, given that most of these scripts are delivered via email, avoid opening scripts, files, or links from untrusted sources, since they could pose a risk to your system or network.