Community Blog

When Scripts Attacks, WildFire Protects

by kimtiaz on ‎01-14-2019 02:00 PM - last edited on ‎01-16-2019 10:49 AM by (806 Views)

Cyberattackers look for fast and easy ways to steal your data. Among many techniques in their playbooks, using scripts is a quickly growing trend. Why? because:

 

  1. Scripts are easier to obfuscate than PE
  2. Scripts are harder to detect based on file type and syntax (since a script is merely a text file)
  3. Scripts will run across platforms (no need to recompile to windows 7, XP etc..)
  4. Scripts are easier to generate (no compilation process simple text changes)
  5. Script languages are easier to learn than programming languages
 

Scripting is an extremely useful toolset. It allows administrators and power users a way to automate repetitive tasks and multitask effectively. If you have ever opened Microsoft Office file, you have probably encountered “macros” which may execute VBScript. These tools help accelerate productivity,  but can also be used for a darker purpose. Adversaries can leverage scripting languages to ingest and execute code, exploit vulnerabilities in the system, and potentially gain privileged access.

 

 

They are continuously finding clever new ways to hide these malicious scripts in seemingly safe content. For example, they can use password protected archive formats (.ZIP, .RAR), or embed them in commonly used  Windows PE (executables) files and documents, successfully evading legacy sandboxing tools. In most cases, attackers use social engineering techniques to build emails to deliver the script that appears to be from a trusted source within the company, increasing the changes of an employee engaging with it.  

 

 

How WildFire Protects

The Palo Alto Networks WildFire malware analysis service has added an innovative new detection technique to mitigate script-based attacks. When scripts are identified traversing the network, our Security Operating Platform immediately identifies and forward the files to WildFire for analysis and execution. In order to reveal even the most evasive advanced attacks, WildFire utilizes multiple techniques including static analysis and dynamic analysis to identify the true intent of the script. Once the verdict is determined, protections are shared with the global community within minutes, spreading immunity worldwide.

 

 

WildFire now supports the following scripts filetypes:

 

Script Support

  • JScript (.js,)
  • VBScript (.vbs)
  • PowerShell Script (.ps1)
  • Shell Script (.sh)

 

Protocols:

  • HTTP, HTTPS
  • FTP
  • POP3, SMTP, IMAP
  • SMB

 

 

Use Case:

For example, a user receives and executes a malicious script delivered via email. WildFire receives and analyzes the script, delivering domain signatures and URL recategorization to block the secondary malicious payloads. Here is a visual representation of the lifecycle:

 

Screenshot of visual representation of the lifecycle

 

 

The next step would be to determine the purpose and potentially targeted nature of this attack. Palo Alto Networks AutoFocus Threat Intelligence service provides rich context and attribution, you get instant access to billions of public samples and trillions of artifacts collected and processed by WildFire global infrastructure. Security analysts can quickly identify potential impact by combining Unit 42 human intelligence and automated analysis. As a result, you have fast access to the right data, be more proactive and respond to future script-based attacks faster.

 

The Palo Alto Networks Unit 42 threat research team has discovered and dissected several of adversary playbooks which include scripts at several stages of the attack lifecycle, providing insight into how adversaries are employing this technique in the real world:

 

New Threat Actor Group DarkHydrus Targets Middle East Government

DarkHydrus in this attack uses email to deliver malicious scripts (custom PowerShell) in a password protected RAR file.

UNIT 42 Tag: DarkHydrus

 

 

Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows

This threat actor uses Xbash version that executes JavaScript/VBScript and invokes PowerShell to download a malicious PE executable or PE DLL file.

UNIT 42 Tag: Xbash

 

 

 Learn more about WildFire and AutoFocus

Ask Questions Get Answers Join the Live Community
Labels