Cybercriminals are always looking for nobody to be able to detect their attacks. One way they can achieve their goals is through script-based attacks. In this article we are going to explain how it works and how we can protect ourselves against this threat that is gradually becoming popular.
Most security products detect file-based attacks well. However, one way to bypass the threat detection capabilities of most security products is scripts. This is an excellent way for attackers to avoid making changes to a disk, thus making it difficult to detect.
Currently, scripts provide initial access, allow evasion, and also facilitate lateral movements after infection. Attackers generally use scripts in two ways. The first way would be to use it directly on the team you want to attack. The second way would be to embed that script in Office documents and PDFs and then send them to your victim via email.
Evolution of cyberattacks with scripts in recent years
Script-based attacks started to gain popularity in 2017 and have since increased by more than 100%. In this same time period, nation-states and cybercriminal groups have embraced the use of fileless malware and scripts as one of their preferred ways to achieve their goals. According to the 2020 Ponemon Institute Security Report, script-based attacks currently account for 40% of all cyber attacks.
Between 2019 and 2018, there was an increased use of fileless attack methods. Particularly suspicious at that time was taking advantage of legitimate applications and native tools such as PowerShell to infect computers. A script can range from simple system scripts, to advanced scripting languages used for system configurations, also complex task automation and other general purposes.
The most common scripting languages are:
- VBScript.
- JavaScript.
- PowerShell.
Unlike applications that run after compiling into machine code, computers interpret scripts directly.
This is how cybercriminals use scripts
After an infection initiated by a script, two movements occur:
- The payload that will perform the actions that the attacker wants to execute. In this way, information gathering, file encryption or communication with a back door is sought.
- The lateral movement that leads to the infection of additional computers within the network.
Using scripts has many advantages for cybercriminals. The reason is because they are easy to write and execute, trivial to obfuscate, and extremely polymorphic. Also, we can use many types of script files to perform an attack. The most popular are PowerShell, JavaScript, HTA, VBA, VBS, and batch scripts.
One fact that we must not forget is that attacks occur without files in memory. This renders traditional static file detection useless. Scripts also complicate further analysis as many items related to the attack only exist in the computer’s memory and can be overwritten or removed by a reboot.
If we want to detect these scripts, we will do so by using heuristic and behavioral analysis , which in this case can allow us to detect malicious activities in memory. Script-based attacks run on virtually all Windows systems . If we consider that they are the most used in our desktop and laptop PCs, we can say that they greatly increase the chances of an attack or an infection.
The biggest downside to script-based attacks is that, unless implemented through an exploit, user interaction is required for it to run. A typical case can be the script that is contained as an email file. To run it requires user action enabling macros in a document and running a VBA macro. In this article we recommend not opening files or executing files whose source you cannot trust. However, still checking those files with an antivirus or antimalware never hurts.
In case you don’t know, many types of malware use scripts. For example, you could download a PE (Portable Executable) file, save it to disk, or run it from memory, depending on your level of sophistication. Then that script can perform malicious actions such as obtaining information about the victim, the name of the computer and even the saved passwords.
Deep Instinct Threat Intelligence by studying a series of sample attacks found that 75% of fileless campaigns used scripts during at least one stage of the attack. Mainly PowerShell, HTA, JavaScript and VBA type.
For example, the Iran-based OilRig group uses scripts in the attack. To do this, it uses a Microsoft Word document that exploits the CVE-2017-0199 vulnerability and delivers an HTA script executed by the Windows process that uses the HTML executable mshta.exe. Once executed, the script initiates the attack, delivering the Helminth Trojan as PowerShell and VBS files.
PowerShell, JavaScript, HTA, and VBScript for script-based attacks
PowerShell is a framework used for configuration management and task automation, with a command line box and scripting language. This makes it a useful and versatile tool for system administrators who automate IT (Information Technology) management processes.
Attackers use PowerShell in their attacks to load malware directly into memory without writing to disk. Thus preventing many security products from detecting them. It is also used by PowerShell to automate data exfiltration and infection processes using frameworks such as Metasploit or PowerSploit.
A well-known attack with this method was the Cobalt malware , which exploits the CVE-2017-11882 vulnerability. When the user opens the document, the exploit contained in the document downloads a JavaScript, which in turn runs multiple PowerShell scripts, the last of which included the Cobalt DLL in the script code. These are completed in PowerShell memory without being dumped to disk. By using this exploit, the attackers executed a fileless attack, in which the only action taken by the user was to open the document dropper.
Another element used to attack with scripts is JavaScript. In case you don’t know, it is a language used in web pages, web applications and browsers. Additionally, JavaScript can manipulate and modify PDF files with implemented objects, links to web pages, and more.
In this case, most PDF-based attacks use PDF reader software or a reader in the browser to execute JavaScript code on the victim’s machine.
Also, malicious scripts can be created that affect:
- The HTML Application (HTA ) which is a Microsoft Windows file intended to run in Internet Explorer and which combines HTML code with Internet Explorer compatible scripts such as VBScript or JScript. HTA files are run through Microsoft’s HTA engine (mshta.exe).
- VBScript (Microsoft Visual Basic Scripting Edition) is a Microsoft scripting language based on VBA (Visual Basic for Applications). Rather than full application development offered by VBA, VBS offers more straightforward use, aiming at automating tasks for sysadmins. Microsoft’s support for encoding scripts in the form of VBE files is another reason attackers find it useful.
So you can protect yourself from script-based attacks
Numerous script-based attacks occur every day. We and companies must also be prepared to fight them. The first basic step that any organization should consider is to classify employees into one of three groups:
- Those who run scripts in their daily work.
- Those who do not usually run scripts, but would occasionally have to use them.
- Those who have no need to run scripts.
Finally, after workgroups are created, security teams must ensure that scripts can only be run from read-only locations and accessed by specific machines. Additionally, these security teams must restrict and observe the use of interactive PowerShell in the enterprise. If done in this way, avoiding script-based attacks will be easier.
