Windows PowerShell Could Allow Viruses to Infiltrate Undetected

Whenever a Windows tool has elevated access to a computer, someone is hot on the trail, trying to find a way to exploit it to run malware on other users' systems.

But what is PowerShell and how can it be abused?

What is PowerShell on Windows?

Windows PowerShell Could Allow Viruses to Infiltrate Undetected Picture 1

Windows PowerShell is an advanced configuration and automation tool. You can use it to execute commands to tweak your system or run automated scripts that perform complex tasks for you.

Because PowerShell has system permissions to change important settings on your PC or run system-sensitive scripts, bad guys will find ways to get it to execute malicious code. But before we get into how it can be abused, it's important to note that PowerShell itself isn't a malicious application. It's a core part of Windows that can't be disabled.

What makes PowerShell so dangerous?

Windows PowerShell Could Allow Viruses to Infiltrate Undetected Picture 2

When a bad actor wants to abuse PowerShell, they typically do one of two things: Trick people into executing malicious code in PowerShell or create a file that runs a malicious script when opened.

Malicious actors convince people to run commands

First, let's look at when a malicious actor tricks someone into running a PowerShell command. This tactic typically involves scaring the victim into believing they need to run a PowerShell command to fix a non-existent problem.

One such tactic, The Register reports, involves bad actors hacking into legitimate websites and modifying them to display fake error messages. The error says that something is wrong with the user's copy of Windows, Google Chrome, Office, or OneDrive. To fix the "problem," the fake error tells the user to run a PowerShell command to fix the problem.

Of course, the provided code doesn't fix anything. Instead, it tells PowerShell to connect to a server, download a malicious executable from an external server, and run it. One instance of this attack used PowerShell to download a dropper, which then downloaded five other strains of malware onto the target PC.

Another variation of this 'user-triggered' PowerShell attack has been spotted being sent via email. The email includes an HTML file designed to look like Microsoft Word. When opened, it claims that it cannot display information in the Word document because an extension has stopped working. The user is then asked to copy-paste malicious code into PowerShell to fix the error or download a malicious file that does the job for the attacker.

Malicious file uses PowerShell to run fileless malware

A scarier version of the PowerShell attack uses fileless malware to attack the target. This uses PowerShell to perform malicious tasks without downloading any files to the victim's PC. If the malware doesn't download any files, it prevents antivirus software from detecting it, making it difficult to find and remove.

This attack method often disguises the LNK file containing the malicious script as another file. In the illegal movie example, the LNK file was modified to look like a video file to trick people into running it.

How to Avoid PowerShell Attacks

The problem with taking steps to avoid PowerShell attacks is that there are legitimate fixes that require you to type commands into PowerShell, so before you type a command, you should take your time and consider how trustworthy the source is.

If you are looking for a fix and find a reputable and trustworthy website that says you should use a command, then you can run that command. If that command comes to you from a fake error message designed to scare you, then it will cause damage.

If you see a command and aren't sure what it does, try searching for it online. If it's useful, you'll see results from other people recommending it. If you don't find anything (or even see someone reporting it as malicious), then it's probably not a good idea to run it.

If you accidentally fall victim to a PowerShell attack, you can try to find the best antivirus programs to remove the malware. However, as mentioned earlier, PowerShell attacks will do their best to stay undetected. If you notice anything unusual after running a PowerShell command, it is best to reinstall your operating system to ensure everything is clean.

PowerShell is a handy tool that gives you advanced control over your PC. However, some bad guys try to trick people into using it for the wrong purposes. Fortunately, if you stay alert, you can avoid being attacked.

Micah Soto

Update 26 September 2024