Windows PowerShell Could Allow Viruses to Infiltrate Undetected
Whenever a Windows tool has elevated access to a computer, someone is hot on the trail, trying to find a way to exploit it to run malware on other users' systems.
But what is PowerShell and how can it be abused?
What is PowerShell on Windows?
Windows PowerShell is an advanced configuration and automation tool. You can use it to execute commands to tweak your system or run automated scripts that perform complex tasks for you.
Because PowerShell has system permissions to change important settings on your PC or run system-sensitive scripts, bad guys will find ways to get it to execute malicious code. But before we get into how it can be abused, it's important to note that PowerShell itself isn't a malicious application. It's a core part of Windows that can't be disabled.
What makes PowerShell so dangerous?
When a bad actor wants to abuse PowerShell, they typically do one of two things: trick people into executing malicious code in PowerShell, or create a file that runs a malicious script when opened.
Malicious actors convince people to run commands
First, let's look at when a malicious actor tricks someone into running a PowerShell command. This tactic typically involves scaring the victim into believing they need to run a PowerShell command to fix a non-existent problem.
One such tactic, The Register reports, involves bad actors hacking into legitimate websites and modifying them to display fake error messages. The error says that something is wrong with the user's copy of Windows, Google Chrome, Office, or OneDrive, and to fix the "problem" it instructs the user to run a PowerShell command.
Of course, the provided code doesn't fix anything. Instead, it tells PowerShell to connect to an external server, download a malicious executable, and run it. One instance of this attack used PowerShell to download a dropper, which then downloaded five other strains of malware onto the target PC.
Another variation of this 'user-triggered' PowerShell attack has been spotted being sent via email. The email includes an HTML file designed to look like Microsoft Word. When opened, it claims that it cannot display information in the Word document because an extension has stopped working. The user is then asked to copy-paste malicious code into PowerShell to fix the error or download a malicious file that does the job for the attacker.
Malicious file uses PowerShell to run fileless malware
A scarier version of the PowerShell attack uses fileless malware to attack the target. This uses PowerShell to perform malicious tasks without downloading any files to the victim's PC. Because nothing is written to disk, file-scanning antivirus software has far less to detect, making the infection harder to find and remove.
This attack method often disguises the LNK (Windows shortcut) file that launches the malicious script as a different kind of file. In the illegal movie example, the LNK file was made to look like a video file to trick people into opening it.
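A shortcut that claims to be a video but actually launches powershell.exe can be spotted by reading what the shortcut really points at. The following PowerShell function is an added example for this article, not code from the original article or from any reported campaign; it assumes Windows PowerShell 5.1 or later with the WScript.Shell COM object available, and the list of script hosts and window-hiding flags it checks is constructed for illustration.

```powershell
# Added example: scan a folder for shortcut (.lnk) files whose real target is a
# script host such as powershell.exe, which is how a shortcut "disguised as a video
# file" runs a script when it is double-clicked.
# Assumptions: Windows PowerShell 5.1+, WScript.Shell COM object available.
function Find-SuspiciousShortcut {
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder to scan, e.g. a Downloads folder
        [switch] $Recurse
    )

    $shell = New-Object -ComObject WScript.Shell
    # Script hosts a shortcut has no business pointing at when it claims to be media.
    $scriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
    # Command-line fragments commonly used to keep the script out of the user's sight (constructed list).
    $hidingFlags = '-w hidden', '-windowstyle hidden', '-enc', '-encodedcommand', '-nop', '-ep bypass', '-executionpolicy bypass'

    Get-ChildItem -Path $Path -Filter '*.lnk' -File -Recurse:$Recurse | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # loads the existing shortcut's properties
        $target = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
        $arguments = $lnk.Arguments
        $reasons = @()

        if ($scriptHosts -contains $target) { $reasons += "target is $target" }
        foreach ($flag in $hidingFlags) {
            if ($arguments -match [regex]::Escape($flag)) { $reasons += "argument contains '$flag'" }
        }
        # Bait shortcuts usually carry a double extension (video.mp4.lnk) ...
        if ($_.BaseName -match '\.(mp4|mkv|avi|pdf|docx?|xlsx?)$') { $reasons += 'double extension in name' }
        # ... or borrow the icon of a different program. IconLocation is "path,index";
        # an empty path means "use the target's own icon", which is normal.
        $iconPath = ($lnk.IconLocation -split ',')[0]
        if ($iconPath -and $iconPath -notmatch [regex]::Escape($target)) {
            $reasons += "icon borrowed from $iconPath"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $arguments
                Reasons   = $reasons -join '; '
            }
        }
    }
}

# Usage: list suspicious shortcuts in the current user's Downloads folder.
Find-SuspiciousShortcut -Path "$env:USERPROFILE\Downloads" -Recurse | Format-List
```

Each hit shows the real target and arguments, so a "movie" that turns out to be powershell.exe with a hidden-window flag is visible before anyone double-clicks it. The checks are heuristics: a legitimate administrative shortcut can also point at a script host, so treat the output as a list to review rather than an automatic verdict.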
How to Avoid PowerShell Attacks
The problem with taking steps to avoid PowerShell attacks is that there are legitimate fixes that require you to type commands into PowerShell. So before you type a command, take your time and consider how trustworthy the source is.
If you are looking for a fix and find a reputable, trustworthy website that says you should use a command, then you can run that command. If the command comes to you from a fake error message designed to scare you, then it will cause damage.
If you see a command and aren't sure what it does, try searching for it online. If it's useful, you'll see results from other people recommending it. If you don't find anything (or even see someone reporting it as malicious), then it's probably not a good idea to run it.
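Searching for a command online only works if you can read it, and the copy-paste lures described above often hide the real script behind an -EncodedCommand payload. The following function is an added example for this article, not code from the original article; it decodes such a payload so you can see the command text and flags the building blocks of a "download something and run it" chain. It assumes Windows PowerShell 5.1 or later (for Get-Clipboard -Raw), and the indicator patterns and the sample command it inspects are constructed for illustration.

```powershell
# Added example: inspect a command you were told to paste into PowerShell *before*
# running it. Decodes any -EncodedCommand payload and flags download-and-execute
# building blocks. Assumptions: Windows PowerShell 5.1+; the indicator lists and
# the sample command below are constructed for illustration.
function Test-PastedCommand {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Command)

    process {
        $findings = @()
        $decoded = $null

        # 1. -EncodedCommand (also -enc, -e) carries the script as base64 of UTF-16LE text.
        if ($Command -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
            try {
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
                $findings += 'uses -EncodedCommand to hide the script text (decoded below)'
            } catch {
                $findings += 'uses -EncodedCommand but the payload is not valid base64'
            }
        }
        $textToCheck = if ($decoded) { "$Command`n$decoded" } else { $Command }

        # 2. Indicators that the command fetches content from the internet and executes it.
        $indicators = [ordered]@{
            'downloads from a URL'                = 'Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Net\.WebClient|DownloadString|DownloadFile|Start-BitsTransfer|bitsadmin|certutil.*-urlcache'
            'runs text as code'                   = 'Invoke-Expression|\biex\b'
            'starts a downloaded program'         = 'Start-Process|\bsaps\b|rundll32|regsvr32|mshta'
            'hides its window or bypasses policy' = '-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|-nop\b|-noprofile'
        }
        foreach ($name in $indicators.Keys) {
            if ($textToCheck -match $indicators[$name]) { $findings += $name }
        }

        $verdict = if ($findings.Count -ge 2) { 'Do not run: looks like a download-and-execute chain' }
                   elseif ($findings.Count -eq 1) { 'Caution: review before running' }
                   else { 'No obvious red flags (still check where it came from)' }

        [pscustomobject]@{
            Command  = $Command
            Decoded  = $decoded
            Findings = $findings
            Verdict  = $verdict
        }
    }
}

# Constructed sample: a harmless Write-Output wrapped the way a lure would wrap it.
$sample = 'powershell -w hidden -enc ' +
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Output 'constructed sample'"))
$sample | Test-PastedCommand | Format-List   # Decoded shows the Write-Output; Verdict is "Do not run"

# Usage: inspect whatever a web page or e-mail asked you to paste.
Get-Clipboard -Raw | Test-PastedCommand | Format-List
```

The decoded text is what you should search for online, not the base64 blob. The verdict is deliberately conservative: a single indicator can be legitimate (an official guide may well use Invoke-WebRequest), but a download, an execution step and a hidden window together in one pasted line is the pattern the fake-error lures rely on.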
If you accidentally fall victim to a PowerShell attack, you can try running a reputable antivirus program to remove the malware. However, as mentioned earlier, PowerShell attacks will do their best to stay undetected. If you notice anything unusual after running a PowerShell command, it is best to reinstall your operating system to ensure everything is clean.
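Before reinstalling, it helps to know what PowerShell actually ran, both to judge the damage and to find the lure that started it. The following function is an added example for this article, not code from the original article; it pulls together the PSReadLine history file (what was typed interactively) and Script Block Logging events (event ID 4104 in the PowerShell Operational log), which record script text even when nothing was written to disk. It assumes Windows PowerShell 5.1 or later, that Script Block Logging was enabled beforehand (it is off by default; the policy registry key is checked in the output), and that the session can read the Operational log, which may require elevation.

```powershell
# Added example: reconstruct recent PowerShell activity from two sources that
# survive even a "fileless" attack: the per-user PSReadLine history and the
# engine's Script Block Logging events (ID 4104).
# Assumptions: Windows PowerShell 5.1+; Script Block Logging enabled via policy;
# reading the Operational log may require an elevated session.
function Get-RecentPowerShellActivity {
    param([int] $Hours = 24, [int] $HistoryLines = 50)

    # 1. Interactive history kept by PSReadLine (plain text, per user).
    $historyPath = (Get-PSReadLineOption).HistorySavePath
    $history = if (Test-Path $historyPath) { Get-Content $historyPath -Tail $HistoryLines } else { @() }

    # 2. Script block text recorded by the engine, however the script was launched.
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Script = $_.Properties[2].Value   # ScriptBlockText field of a 4104 event
        }
    }

    # 3. Whether logging was on at all; without it, 4104 events will be missing.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $loggingOn = (Get-ItemProperty $policyKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1

    [pscustomobject]@{
        HistoryFile          = $historyPath
        TypedCommands        = $history
        ScriptBlocks         = $events
        ScriptBlockLoggingOn = $loggingOn
    }
}

Get-RecentPowerShellActivity | Format-List
```

If ScriptBlockLoggingOn comes back False, the history file is all you have for this incident; turning the policy on (EnableScriptBlockLogging = 1 under that key, typically through Group Policy) is the cheap step that makes the next one visible.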
PowerShell is a handy tool that gives you advanced control over your PC. However, some bad guys try to trick people into using it for the wrong purposes. Fortunately, if you stay alert, you can avoid being attacked.