Script Attacks (Encyclopaedia)

Attackers always seek out new ways to evade detection. Because most endpoint security products handle file-based attacks relatively well, scripts are an excellent way for attackers to avoid writing anything to disk and so bypass the threat detection capabilities of most products. In today’s threat landscape, scripts provide initial access, enable evasion, and facilitate lateral movement after infection.

Script-based attacks

A script can be anything from a sequence of simple system commands to a program in an advanced scripting language used for system configuration, complex task automation, and other general purposes. Common scripting languages are VBScript, JavaScript, and PowerShell. Unlike applications, which run only after being compiled into machine code, scripts are interpreted by the computer at run time.

How attackers use scripts

Payload delivery and lateral movement follow a successful script-initiated infection. The payload performs actions desired by the attacker, such as information collection, file encryption, or backdoor communication. At the same time, lateral movement leads to infection of additional computers within the network.

The use of scripts poses many advantages to the attacker: scripts are easy to write and execute, trivial to obfuscate, and extremely polymorphic. Moreover, attackers can use many types of script files to carry out an attack – the most popular being PowerShell, JavaScript, HTA, VBA, VBS, and batch scripts. Since fileless attacks occur in memory, traditional static file detection is rendered useless.

Script-based attacks run on virtually all Windows systems, increasing the potential attack surface and the chance of infection. One major drawback of script-based attacks is that, unless deployed via an exploit, user interaction is required for the script to run.

Many types of malware use scripts. For instance, a script that downloads a PE file can either save it to disk or run it from memory, depending on its level of sophistication. The script can also perform additional malicious actions, such as collecting information about the victim, from the computer name to saved passwords.

PowerShell

PowerShell is a framework used for configuration management and task automation, with a command-line shell and scripting language. PowerShell provides access to Microsoft Windows Management Instrumentation (WMI) and Component Object Model (COM), which makes it a useful and versatile tool for system administrators automating IT management processes, but also for attackers seeking a foothold in the system.

A malicious file loader using PowerShell

Attackers use PowerShell in their attacks to load malware directly into memory without writing to disk, thus bypassing many endpoint security products. Attackers also use PowerShell to automate data exfiltration and infection processes using frameworks such as Metasploit or PowerSploit.

As with other types of attacks, in a script-based attack the initial foothold on the victim’s machine is generally gained through a successful phishing attack that delivers a dropper – such as a PDF, RTF, Office file, or archive. In most cases, the dropper then runs a script, either a VBA macro or another type of script, such as PowerShell, JavaScript, or HTA.

JavaScript

JavaScript is a standard scripting language used in web pages, web applications, and browsers. JavaScript embedded in a PDF can manipulate and modify the document, its objects, web page links, and more. Most PDF-based attacks rely on the PDF reader software or an in-browser reader to run JavaScript code on the victim’s machine.

Additional script-based threats

An HTML Application (HTA) is a Microsoft Windows file type designed to run on Internet Explorer, combining HTML code with Internet Explorer-supported scripts such as VBScript or JScript. HTA files execute through the Microsoft HTA engine (mshta.exe), which runs with the local user’s privileges instead of Internet Explorer’s restricted privileges, giving the script access to the filesystem and registry.

Malicious HTA files therefore let scripts run on the machine with local user privileges, downloading and running executables or additional scripts. Though considered an old attack vector, many script-based attacks continue to use HTA files. These files can be sent as attachments, downloaded by another script, or served through redirects from malicious websites.
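The dropper-to-script chain described above (an Office or PDF reader process spawning PowerShell, mshta.exe, or the Windows Script Host) is something an endpoint log can reveal. The following is an added example, not code from the original page: a small detector run over constructed, simplified process-creation records (the field names parent, image and cmdline are assumed, not any vendor's schema) that flags script hosts launched by document handlers, script hosts chained into one another, and command lines with in-memory loading or obfuscation traits.

```python
import re
from dataclasses import dataclass

# Applications that open phishing attachments (droppers) as described above.
DROPPER_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Interpreters for the script types the page lists: PowerShell, HTA, VBS/JS, batch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Command-line traits of in-memory loading and obfuscation (case-insensitive regexes).
SUSPICIOUS_ARGS = [re.compile(p, re.I) for p in (
    r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"\bdownloadstring\b",
    r"\b(invoke-expression|iex)\b", r"\bfrombase64string\b", r"https?://")]

@dataclass
class ProcEvent:            # assumed, simplified process-creation record
    parent: str
    image: str
    cmdline: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: ProcEvent) -> list:
    """Reasons this event looks like a script-based dropper chain (empty list = benign)."""
    reasons = []
    child, parent = basename(ev.image), basename(ev.parent)
    if child not in SCRIPT_HOSTS:
        return reasons
    if parent in DROPPER_PARENTS:
        reasons.append(f"{parent} spawned script host {child}")
    elif parent in SCRIPT_HOSTS and parent != child:
        reasons.append(f"script host {parent} chained into {child}")
    hits = [p.pattern for p in SUSPICIOUS_ARGS if p.search(ev.cmdline)]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return reasons

def find_suspicious(events):
    """Return (event, reasons) pairs for events that trigger at least one rule."""
    return [(ev, score_event(ev)) for ev in events if score_event(ev)]

# Constructed sample events (not real telemetry); "QQBCAEMA" is just "ABC" in base64.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\invoice.vbs"),
]

if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(basename(ev.parent), "->", basename(ev.image), "|", "; ".join(reasons))
```

The first sample event (Explorer launching a script by path) produces no reasons, the other three each produce at least one.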

Is it safe to run scripts on the network?

With script-based attacks on the rise, organizations need to be ready to combat attacks in which the entire attack sequence occurs in memory.

A basic first step any organization should consider is segmenting employees into several groups:

1. Running scripts is part of their day-to-day job
2. Running scripts is not common but might happen
3. There is no need to run scripts

With these foundational rules in place, organizations should seek out security solutions with specific capabilities that balance the ability to detect script-based attacks while allowing users who need to use scripts for their job function to do so without interruption.

Office 365 phishing now with fake SharePoint alerts

Employees using Microsoft Office 365 are being targeted in a phishing campaign that makes use of automated SharePoint notifications to steal their accounts.

The phishing emails delivered as part of this campaign are addressed to all employees of the targeted organizations and have so far reached an estimated number of up to 50,000 mailboxes, based on statistics from email security company Abnormal Security.

What makes these phishing messages potentially dangerous is their shotgun approach: the attackers need to trick only one employee, and can then use that employee’s credentials to further compromise their employer’s systems.

Fake SharePoint alerts used as lures

The attackers behind this phishing campaign did their best to keep the phishing messages as short and vague as possible, and they also made it a point to include the targeted company’s name multiple times within the emails.

This strategy is presumably designed to induce a feeling of trust and make the targets think that the phishing emails were really sent from within their organization.

“In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service.”

“Recipients may be convinced that the email is safe and coming from their company because of the repetitive inclusion of the company name.”

The phishing messages’ goal is to make the targets click on an embedded hyperlink that sends them, through a series of redirects, to a SharePoint-themed landing page.

There they are asked to click a button to download the “important documents” mentioned in the phishing emails; the button either downloads a PDF that sends them to another website or redirects them to a submission form that asks for their credentials.

If the targets fall for the phishers’ tricks, their Microsoft credentials give the attackers full control of their Office 365 accounts, and their information can be stolen and used as part of identity theft and fraud schemes such as Business Email Compromise (BEC).

“This places employees and their networks at considerable risk as attackers can launch internal attacks to steal more credentials and information from the organization.”

Cloud services hit by Phishing campaign

Researchers analyzed a new phishing campaign that pretends to come from a help desk named “servicedesk.com”, a name that mimics the wording of real IT help desk domains in corporate environments.

The email imitates a “quarantined mail” notification frequently sent out in workplaces by email security products and spam filters, asking the user to “release” messages stuck in the queue.

The “From:” (envelope) address in the email is listed as “noreply@servicedesk.com,” and while sender domains can easily be spoofed, the mail headers for this phishing campaign show that the email was sent through this domain.

The email headers show that the phishing email is relayed through an intermediary “cn.trackhawk.pro” domain, but the originating domain is clearly “servicedesk.com.”

In most email spoofing scenarios, a mismatch between the “From:” email domain and the domain listed in the bottommost “Received:” header is a red flag.

In this campaign, the “servicedesk.com” domain used in the “From:” (envelope) address matches the domain listed in the last “Received:” header, which makes it easier for the messages to bypass spam filters.

More importantly, the lack of DMARC, DKIM and SPF validation on the “servicedesk.com” domain enables spammers to take advantage of this domain, as demonstrated in these attacks.
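The header checks just described can be automated. The following is an added example, not from the original article: it extracts the “From:” domain, the first-hop host from the bottommost “Received:” header, and the SPF/DKIM/DMARC verdicts from an Authentication-Results header, then reports a domain mismatch or missing validation. The message, its IP addresses (RFC 5737 documentation ranges) and the Authentication-Results line are constructed to mirror the pattern the text describes.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real capture): relayed via cn.trackhawk.pro,
# first hop is servicedesk.com, and no SPF/DKIM/DMARC result for the sender domain.
SAMPLE_EMAIL = """\
Received: from cn.trackhawk.pro (cn.trackhawk.pro [203.0.113.10])
 by mx.example.org with ESMTP id 1a2b3c; Mon, 1 Jan 2024 10:00:00 +0000
Received: from servicedesk.com (servicedesk.com [198.51.100.5])
 by cn.trackhawk.pro with ESMTP id 9z8y7x; Mon, 1 Jan 2024 09:59:50 +0000
Authentication-Results: mx.example.org; spf=none smtp.mailfrom=servicedesk.com;
 dkim=none; dmarc=none header.from=servicedesk.com
From: IT Helpdesk <noreply@servicedesk.com>
To: user@example.org
Subject: 3 quarantined messages pending release

Your messages are held in quarantine. Release them here.
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.I)

def from_domain(msg):
    """Domain part of the From: address."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def originating_host(msg):
    """Host named in the bottommost Received: header, i.e. the first hop."""
    hops = msg.get_all("Received", [])
    m = RECEIVED_FROM.match(hops[-1].replace("\n", " ")) if hops else None
    return m.group(1).lower() if m else None

def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results; a missing key means not validated."""
    hdr = msg.get("Authentication-Results", "").replace("\n", " ")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def assess(raw):
    """Return the red flags a spam filter or analyst would raise on this message."""
    msg = email.message_from_string(raw)
    sender, origin, auth = from_domain(msg), originating_host(msg), auth_results(msg)
    flags = []
    if origin and origin != sender and not origin.endswith("." + sender):
        flags.append(f"From: domain {sender} does not match first-hop host {origin}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            flags.append(f"{mech} not validated for {sender} (result: {auth.get(mech, 'missing')})")
    return {"sender": sender, "origin": origin, "flags": flags}

if __name__ == "__main__":
    for line in assess(SAMPLE_EMAIL)["flags"]:
        print("RED FLAG:", line)
```

For the sample the domains match, so the only flags are the three missing validations; a message whose From: domain differs from the first-hop host additionally gets the mismatch flag.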

Microsoft and IBM domains add legitimacy

Using three well-known enterprise platforms, IBM Cloud hosting, Microsoft Azure, and Microsoft Dynamics, to host the phishing landing pages adds legitimacy to the campaign.

This URL then redirects the user to an IBM Cloud domain, cf.appdomain.cloud, which is used for IBM’s Cloud Foundry deployments, to host the phishing landing page.

Entering a password of decent length and complexity, presumably once it matches the criteria set by IBM Cloud, redirects the user to another fake page confirming a settings update, hosted on Microsoft Azure’s hosting domain, windows.net.

Phishing emails are an everyday nuisance for both business and personal email users but could lead to very dire consequences, including data theft and enterprise-wide ransomware attacks.

Phishing campaigns abusing legitimate cloud infrastructure are on the rise, as such infrastructure adds legitimacy to the phishing attacks and provides free SSL certificates.

This increased complexity allows attackers to potentially bypass spam filters and security products, which leads to a greater need for sophisticated security systems in this never-ending game of cat and mouse.