Evasion techniques are used by cybercriminals to evade detection, and they are especially prevalent in the context of scripts, which on their own have legitimate uses (e.g., to automate processes on a computer system). Unfortunately, scripts can also be used for malicious purposes, and malicious scripts are unlikely to be detected or blocked by the average antimalware solution. That’s why cybercriminals are turning to script-based attacks and other evasive malware – like Emotet – more often than ever before.
While Emotet is one example of threat that uses scripts as part of its evasive strategy, there are many other types of script-based evasion techniques organizations need to be aware of to keep their systems secure.
Living off the Land Binaries (“LoLBins”) are default applications already present on a Windows system, which can be misused by cybercriminals to carry out common steps of an attack without having to download additional tools onto the target system. For example, criminals can use LoLBins to create post-reboot persistency, access networked devices, bypass user access controls, and even extract passwords and other sensitive information.
There are dozens of LoLBins native to the Windows OS that criminals can use, e.g., powershell.exe, certutil.exe, regsvr32.exe, and many more. This is one of the ways cyber criminals disguise their activities, because default OS applications are unlikely to be flagged or blocked by an antimalware solution. Unless you have strong visibility into the exact commands that these processes are executing, it can be very hard to detect malicious behavior originating from LoLBins.
Script content obfuscation
Content “obfuscation” hides the true behavior of a script. While obfuscation also has legitimate purposes, in the context of an evasive attack obfuscation makes it difficult to analyze the true nature of a script. The screenshots show an example of obfuscated code (top), with its de-obfuscated version (bottom).
Fileless and evasive execution
With scripts, it’s possible to execute actions on a system without needing a file. A script can be written to allocate memory on the system, then write shellcode to that memory and pass control to that memory. This means the malicious functions are carried out in memory, without a file, making the detection of the origin of the infection and stopping it extremely difficult.
However, with fileless execution, memory gets cleared when the computer is rebooted. That means a fileless infection’s execution could be stopped just by restarting the system.
Unsurprisingly, cybercriminals are always working on new methods to ensure persistence even when using fileless threats. Some examples include storing scripts in Scheduled Tasks, LNK files and the Windows Registry.
How to stay protected
The good news is that the Windows 10 operating system now includes Microsoft’s Anti-Malware Scan Interface (AMSI) to help combat the growing use of malicious and obfuscated scripts. This means one of the first things you can do to help keep your organization safe is to ensure all Windows devices are on the most up-to-date OS version.
In addition, there are several other steps that can help ensure an effective and resilient cybersecurity strategy:
- Keep all applications up to date – Outdated software may contain vulnerabilities criminals are looking to exploit. Check all Windows and third-party apps regularly for updates to lower your risk
- Disable macros and script interpreters – While macros have legitimate applications, most home or business users are unlikely to need them. If a file you or another employee downloaded instructs you to enable macros to view it, don’t do it. This is another common evasive tactic that cybercriminals use to get malware onto your system. IT admins should ensure macros and script interpreters are fully disabled to help prevent script-based attacks
- Remove unused third-party apps – Applications such as Python and Java are often unnecessary. If present and unused, simply remove them to help close a number of potential security gaps
- Educate end users – Cybercriminals specifically design attacks to take advantage of end users’ trust, naiveté, fear and general lack of technical or security expertise. Educating end users on the risks of cyber-attacks, how to avoid them, and when and how to report them to IT personnel can drastically improve the business’ overall security posture and its cyber resilience
- Use endpoint security that provides multiple layers of protections from threats, including file-based, fileless, obfuscated, and encrypted threats.
While relentless innovation and creativity by hackers has made evasive tactics common, understanding the framework in which their tactics operate allows cybersecurity and IT professionals to design more effective defenses against even the most persistent attacker. Combined with a culture of cyber resilience that focuses on total network, endpoint and user protection, as well as data recovery for customers, businesses can bounce back from any threat.