- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Cyberattackers look for fast and easy ways to steal your data. Among many techniques in their playbooks, using scripts is a quickly growing trend. Why? because:
Scripting is an extremely useful toolset. It allows administrators and power users a way to automate repetitive tasks and multitask effectively. If you have ever opened Microsoft Office file, you have probably encountered “macros” which may execute VBScript. These tools help accelerate productivity, but can also be used for a darker purpose. Adversaries can leverage scripting languages to ingest and execute code, exploit vulnerabilities in the system, and potentially gain privileged access.
They are continuously finding clever new ways to hide these malicious scripts in seemingly safe content. For example, they can use password protected archive formats (.ZIP, .RAR), or embed them in commonly used Windows PE (executables) files and documents, successfully evading legacy sandboxing tools. In most cases, attackers use social engineering techniques to build emails to deliver the script that appears to be from a trusted source within the company, increasing the changes of an employee engaging with it.
How WildFire Protects
The Palo Alto Networks WildFire malware analysis service has added an innovative new detection technique to mitigate script-based attacks. When scripts are identified traversing the network, our Security Operating Platform immediately identifies and forward the files to WildFire for analysis and execution. In order to reveal even the most evasive advanced attacks, WildFire utilizes multiple techniques including static analysis and dynamic analysis to identify the true intent of the script. Once the verdict is determined, protections are shared with the global community within minutes, spreading immunity worldwide.
WildFire now supports the following scripts filetypes:
Script Support
Protocols:
Use Case:
For example, a user receives and executes a malicious script delivered via email. WildFire receives and analyzes the script, delivering domain signatures and URL recategorization to block the secondary malicious payloads. Here is a visual representation of the lifecycle:
The next step would be to determine the purpose and potentially targeted nature of this attack. Palo Alto Networks AutoFocus Threat Intelligence service provides rich context and attribution, you get instant access to billions of public samples and trillions of artifacts collected and processed by WildFire global infrastructure. Security analysts can quickly identify potential impact by combining Unit 42 human intelligence and automated analysis. As a result, you have fast access to the right data, be more proactive and respond to future script-based attacks faster.
The Palo Alto Networks Unit 42 threat research team has discovered and dissected several of adversary playbooks which include scripts at several stages of the attack lifecycle, providing insight into how adversaries are employing this technique in the real world:
New Threat Actor Group DarkHydrus Targets Middle East Government
DarkHydrus in this attack uses email to deliver malicious scripts (custom PowerShell) in a password protected RAR file.
UNIT 42 Tag: DarkHydrus
Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
This threat actor uses Xbash version that executes JavaScript/VBScript and invokes PowerShell to download a malicious PE executable or PE DLL file.
UNIT 42 Tag: Xbash
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
5 Likes | |
3 Likes | |
2 Likes | |
1 Like | |
1 Like |