
How Can an Attacker Execute Malware through a Script

Script-based malware attacks can effectively bypass traditional security tools such as antivirus software, which is why we have seen a significant increase in script-based attacks over the past few years.

Unlike executable malware, scripts use standard scripting languages like PowerShell, VBScript, Shell, or Python which can be easily embedded in documents, emails, or websites, making them an attacker’s best friend.

But how do script-based attacks work exactly and why is it so difficult for traditional antivirus software to detect them? Let’s dive in. 

What is a script?

A script is a series of instructions or code written in a programming or scripting language.

Compared to applications, which are often complex and designed to run continuously, scripts are smaller, simpler, and designed to automate a task or perform a one-shot action. 

Although many of you most likely associate scripts with their malicious uses, it’s important to point out that scripts are commonly used for legitimate purposes: automating repetitive tasks, file management, data processing, and system administration processes.

Indeed, scripts offer a number of advantages: they don’t need to be compiled, they are highly accessible, and they are often pre-installed on operating systems. This simplifies the development and deployment process a lot, making them a good tool for both novice programmers and more experienced developers.

Scripts can be executed on any operating system, but some scripting languages are supported only by a specific operating system. 

These, however, are not the only use cases of scripts, as the topic of this article points out. Malicious actors do use scripts to deliver malware using a number of different methods. 

Types of scripts used in malware attacks

The most common scripting languages for Windows are PowerShell, a powerful language that allows deep integration with the Windows Operating System; Batch, which is much simpler and mostly used for automating basic tasks; and VBScript (now considered deprecated), which is often used to embed scripts in Microsoft Office documents.

On Linux, common scripting languages are Bash (or shell), Python, and Perl. Bash is the default shell (hence the alternative name) on many Linux distributions and is used for writing scripts that perform system administration tasks. Python, often installed by default on Linux systems, is known for its readability and extensive libraries. It can be used for simple tasks or more advanced and complex software development.

Figure: common types of scripts and script delivery methods attackers use to execute malware

Methods of delivering and executing malware through script

Attackers use various tactics to deliver and execute malicious scripts on a target machine, with phishing being one of the most common (and well-known) methods. Attackers send emails that appear to come from trusted sources such as banks, government agencies, or even close family members (or even your boss!).

They are designed to look convincing and urgent and often include an attached file containing the malicious script or a link to a URL that will download the malicious file. The file might be an essential document, an invoice, or a notice requiring “immediate attention.” They just need to convince the victim to download and open the file to execute the malicious script.


On Windows, the malicious script can be written in Batch. Batch scripts are simple text files containing a sequence of commands to be executed by the command interpreter (cmd.exe) and can perform basic tasks such as downloading and executing malware. However, Batch scripts have limited functionality compared to scripting languages like PowerShell.

PowerShell can interact with almost every configuration setting of the Windows operating system. If an attacker manages to make a victim execute a script, it can allow them to perform actions such as altering registry settings to maintain persistent access.

In most cases, attackers must rely on social engineering to make the user execute the malicious script, and they will try to exploit human emotions such as fear or curiosity. They often make the victim feel that there is an urgency to open the document without considering the potential risk. Despicable, I know!


Attackers can also use macros to embed VBScript in Microsoft Office documents, such as Word or Excel. Indeed, Office documents support macros, scripts that automate tasks within the document. Since macros are disabled by default, the attacker often tricks the victim with a fake prompt to enable them. Once enabled, the macro executes the malicious script and compromises the system.

Another way for attackers to execute scripts is through a publicly known vulnerability in a website or piece of software. Most of the time, the vulnerability must be a remote command execution flaw, so that the attacker can execute commands on the remote operating system through HTTP requests.

The attacker will download and execute a remote script through the vulnerability to gain more persistent access to the target system. Those scripts are often backdoors, allowing attackers to maintain access even if the vulnerability has been patched.

Why do traditional security tools struggle to detect script-based attacks?

Traditional antivirus software often struggles to detect malicious scripts because antivirus tools rely on identifying known file signatures to recognize malware. Scripts can also be executed directly in memory, bypassing antivirus that only scans files stored on disk: a scanner that never sees a file on disk cannot prevent those fileless executions.

It’s also worth mentioning that a script can easily be modified or obfuscated, making it even more difficult for antivirus software to identify it as a threat.

Real-life examples of script-based attacks

But enough theory — let’s go down memory lane and look at some real-life examples of script-based attacks and their actual business impact. 

Remember the Cl0p ransomware? Cl0p, also known as TA505, is a threat actor that was previously known for exploiting SQL injection in MOVEit Transfer software. In 2019, the Cl0p ransomware, a variant of the CryptoMix ransomware, appeared as a RaaS (Ransomware as a Service).

In 2019, they delivered the Cl0p ransomware through phishing campaigns with a macro-enabled document. This macro downloaded the Get2 malware dropper, which in turn downloaded SDBot (a backdoor Trojan) and FlawedGrace (a Remote Access Trojan). Once a machine is compromised, the ransomware attempts lateral movement to compromise other machines in the network. They then use double extortion: they encrypt all the files on the machine and steal all the data, so they can threaten the victims with leaking all their sensitive files if the ransom is not paid.

Another real-life example was the Emotet malware, which appeared in 2014. It started as a banking Trojan but evolved into a malware platform for delivering other malware, such as ransomware. Emotet was known to spread via emails. Those emails contained either a malicious Word document as an attachment or a URL that users were asked to click to download the document.

Once the user has opened it, it is too late. The malware is downloaded on the system through a macro and starts its malicious activity. It collects all the email contacts of the infected user and sends the phishing email to all of them. This technique is harder to prevent, since users receive an email from an address they know, making them more inclined to open the attached file. The malware also used brute-force techniques to propagate across the infected machine’s network, and it downloads other banking Trojans and ransomware. For example, in 2019, a ransomware attack that started with an Emotet infection cost Lake City, Florida, $460,000 in ransom payment.

One more example (and I’ll stop here because it’s getting depressing!) is the APT 40 group, which has repeatedly and recently targeted Australia’s government and private sector. The group is known to exploit newly published vulnerabilities and can turn public proof-of-concept code into effective exploitation. The group exploits only public-facing applications and is not interested in techniques requiring user interaction, such as phishing campaigns.

Once they have exploited a vulnerability, APT 40 uses web shells to maintain persistence on the infected machine. With this persistence, they keep access to the machine even if the vulnerability has been patched. Then, they move laterally via remote services such as RDP or Samba. After that, they exfiltrate data via their Command-and-Control (C2) server infrastructure and try to remove Indicators of Compromise (IoCs).

Detecting and preventing script-based attacks

If the real-life examples above show anything, it is that script-based attacks are a threat to be taken very seriously! Thankfully, there are several methods you can use to effectively mitigate the risk of a successful script-based attack.

Anomaly detection tools

To begin with, an anomaly detection tool is designed to detect abnormal behavior from a system or a network: it continuously monitors the system’s activities to learn what normal behavior looks like and, therefore, flag activity that deviates from it.

Anomaly detection tools can detect the execution of unusual commands, unexpected access to resources, or the modification of critical files. Advanced anomaly detection tools, which can analyze network traffic, can help detect abnormal network activity. For example, beaconing is a form of communication between the infected host and the Command-and-Control server: malware periodically contacts the C2 server to receive instructions, fetch updates, or exfiltrate data, and that regular cadence stands out from normal traffic.

Note: Some malware delays its initial communication with the C2 server or connects to it at random intervals, making this unusual network traffic harder to detect.
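As an added example (not code from the article or from CrowdSec), the following Python script applies the idea above to a constructed connection log: it groups outbound connections per (source, destination) pair and flags pairs whose inter-connection gaps are too regular. The log format, host names and the 20% jitter threshold are assumptions for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not real traffic): timestamp, source host,
# destination address. 203.0.113.50 is contacted every ~5 minutes (beaconing);
# 198.51.100.7 is contacted at irregular, user-driven intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-17 203.0.113.50
2024-05-01T10:00:03 ws-17 198.51.100.7
2024-05-01T10:05:01 ws-17 203.0.113.50
2024-05-01T10:10:00 ws-17 203.0.113.50
2024-05-01T10:12:44 ws-17 198.51.100.7
2024-05-01T10:15:02 ws-17 203.0.113.50
2024-05-01T10:20:00 ws-17 203.0.113.50
2024-05-01T10:25:01 ws-17 203.0.113.50
2024-05-01T10:31:19 ws-17 198.51.100.7
2024-05-01T10:47:03 ws-17 198.51.100.7
2024-05-01T10:52:10 ws-17 198.51.100.7
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(timestamps, min_events=5):
    """Return (mean_gap_seconds, jitter) for a series of connection times, or
    None when there are too few events. Jitter is the coefficient of variation
    of the gaps: close to 0 means a fixed period, i.e. beacon-like traffic."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(text, max_jitter=0.2):
    """Flag (source, destination) pairs whose connection cadence is too regular.
    Malware that randomises its sleep interval raises the jitter, so a tight
    threshold like this one must be complemented by other signals."""
    hits = {}
    for pair, stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_jitter:
            hits[pair] = score
    return hits
```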

Behavior-based detection tools

Behavior-based tools can also protect against script-based malware attacks. They mainly focus on detecting potential compromise rather than malicious files. For example, those tools can detect when many files are suddenly modified (ransomware attack) or when a security tool, such as an antivirus or firewall, is disabled on a machine, which is a common tactic used by malware to avoid detection.

Behavior detection tools can also detect when access to sensitive data occurs at unusual hours or when a user logs in from an unusual location. Those tools can also correlate multiple alerts to detect more advanced behaviors. For instance, a script that disables logging, security measures, or security tools on a machine and then suddenly tries to access sensitive data can indicate a compromise.
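As an added example (not the article’s or CrowdSec’s code), here is the correlation just described written as a small rule over constructed alerts: a sensitive-data access preceded, on the same host and within a time window, by a defense-evasion alert (security tool or logging disabled) is escalated to a high-severity incident. The alert schema, host names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed alerts from a behavior-based tool (not real telemetry).
SAMPLE_ALERTS = [
    {"time": "2024-05-01T02:10:05", "host": "ws-17",
     "type": "security_tool_disabled", "detail": "real-time AV protection turned off"},
    {"time": "2024-05-01T02:10:09", "host": "ws-17",
     "type": "logging_disabled", "detail": "audit log cleared"},
    {"time": "2024-05-01T02:14:30", "host": "ws-17",
     "type": "sensitive_access", "detail": "read finance share payroll.xlsx"},
    # ws-22: AV paused in the morning, sensitive access hours later -> outside window
    {"time": "2024-05-01T09:00:00", "host": "ws-22",
     "type": "security_tool_disabled", "detail": "AV paused by admin"},
    {"time": "2024-05-01T16:30:00", "host": "ws-22",
     "type": "sensitive_access", "detail": "read hr share review.docx"},
    # ws-31: sensitive access with no evasion at all
    {"time": "2024-05-01T11:00:00", "host": "ws-31",
     "type": "sensitive_access", "detail": "read finance share budget.xlsx"},
]

EVASION_TYPES = {"security_tool_disabled", "logging_disabled"}

def correlate(alerts, window=timedelta(minutes=30)):
    """Return high-severity incidents: each sensitive-data access that was
    preceded on the same host, within `window`, by a defense-evasion alert."""
    by_host = {}
    for alert in sorted(alerts, key=lambda a: a["time"]):  # ISO-8601 sorts lexically
        by_host.setdefault(alert["host"], []).append(alert)
    incidents = []
    for host, events in by_host.items():
        for event in events:
            if event["type"] != "sensitive_access":
                continue
            t_access = datetime.fromisoformat(event["time"])
            prior = [e for e in events if e["type"] in EVASION_TYPES
                     and timedelta(0) <= t_access - datetime.fromisoformat(e["time"]) <= window]
            if prior:
                incidents.append({"host": host, "severity": "high",
                                  "trigger": event["detail"],
                                  "evasion": [e["type"] for e in prior]})
    return incidents
```

Taken alone, each alert on ws-17 might be dismissed as administrator activity; it is the sequence within a few minutes that justifies the escalation.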


Signature-based detection tools

Regularly running signature-based detection tools, such as antivirus, or signature-based malware detection software like PHP Malware Finder, is also an excellent way to protect against malware. I know, I know — just a few paragraphs ago, I said that script-based attacks can circumvent antivirus software. But the reality is that these tools still hold a place in a solid, holistic security strategy.

Antivirus software is designed to scan files and applications. This is effective against known malware since security vendors have already identified the signature. See what I wrote there? Known malware. For your antivirus software to be effective, you must be vigilant with its updates to make sure you have the latest signatures.

Malicious code scanners

Tools like PHP Malware Finder (PMF) are made to detect malicious code in specific environments or languages — in this example, of course, PHP. It scans all PHP files to detect signatures associated with web malware, backdoors, and obfuscated code. PMF is often run on custom web applications or Content Management Systems (CMS) because they are an easy target for attackers.

In any case, this will not prevent the system from being compromised, but it allows you to detect that it has been compromised, hopefully fast enough to begin mitigation.
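To show what a scanner of this kind looks for, here is an added example (my own illustration, not PHP Malware Finder’s code or rule set) that checks PHP source for two things the section mentions: signatures of code that decodes and executes data at runtime, and obfuscation in the form of long, high-entropy base64-looking string literals. The two PHP snippets are constructed samples; the regular expressions and the 4.0 bits/char entropy threshold are assumptions.

```python
import math
import re

# Constructed PHP samples (not real malware). The blob in the second one is the
# RFC 2617 "Aladdin:open sesame" base64 example, not a payload.
CLEAN_PHP = """<?php
function greet($name) { return "Hello, " . htmlspecialchars($name); }
echo greet($_GET['name'] ?? 'world');
"""
SUSPICIOUS_PHP = """<?php
$k = "QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
eval(base64_decode($k));
"""

# Assumed signatures in the spirit of PMF: execution of decoded data and
# direct execution of request parameters.
SIGNATURES = {
    "eval_of_decoded_data": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "request_param_executed": re.compile(
        r"\b(eval|system|shell_exec|passthru|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
}

# String literals made only of base64 alphabet characters, at least 24 long.
BLOB_LITERAL = re.compile(r"""(["'])([A-Za-z0-9+/=]{24,})\1""")

def shannon_entropy(s):
    """Bits of entropy per character; random-looking encoded data scores high."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def scan_php(source, entropy_threshold=4.0):
    """Return the set of finding names raised for a PHP source string."""
    findings = {name for name, pattern in SIGNATURES.items() if pattern.search(source)}
    for _quote, blob in BLOB_LITERAL.findall(source):
        if shannon_entropy(blob) > entropy_threshold:
            findings.add("high_entropy_blob")
            break
    return findings
```

A real deployment would walk the web root, scan every .php file and report the file and line; the point here is that the findings come from how the code behaves (decode-then-execute) and how its data looks, not from a hash of a known file.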

Bringing it all together

Combining the four types of tools mentioned above is a very efficient way to protect against script-based malware attacks.

However, there are several other good practices that organizations can adopt to detect and prevent malware attacks.

  • Security education: Helping users understand the different types of malware and how they operate, how to recognize phishing emails, and the potential impact of a malware attack can make them more vigilant and proactively mitigate those attacks. These education efforts can include regular training sessions or simulating phishing campaigns to sensitize users to real attackers’ tactics. Making them aware of these attacks can significantly reduce the possibility of a successful phishing attack.
  • Keeping software up-to-date: And when I say software, I mean all software, including operating systems, applications, and plugins. Remote vulnerabilities that don’t require user interactions are dangerous. When their exploits are released, organizations must be able to patch and update as fast as they can to avoid being compromised.
  • Network segmentation: This limits how far malware can spread across the network. If an attacker manages to compromise a machine on a network, segmentation prevents the infection from quickly reaching the whole network, containing the potential damage.
  • Regular data backups: This practice is crucial against ransomware attacks. If a ransomware attack is achieved successfully, having a recent backup allows an organization to restore its system without losing data and needing to pay a ransom. A critical part of data backup is that the backups must be stored in a secure environment and not be connected to the same network. Attackers are not stupid — keep in mind they do often try during the reconnaissance phase to gain access to the backup server and to delete or encrypt all the backups.

That is all, folks. I hope you now have a better understanding of how an attacker can execute malware through a script and the real impact such an attack can have on a system.

So, stay vigilant and stay safe! 
