Malware Uses Less Suspicious File Types
PowerShell is a scripting language for automating administration tasks on Windows. As security experts have noted, it has been abused in the past to download malware, and some malware is written entirely in PowerShell.
In a recent email-based malware distribution campaign observed by Microsoft, the malicious LNK files carried a PowerShell script that performs the malicious action automatically. The script downloads and installs the Kovter click-fraud Trojan without the user's knowledge. The Locky ransomware has been distributed with the same technique in the past.
Security researchers from Intel Security warned on Thursday, Feb. 2, that PowerShell can also be used to load malicious code directly into memory in so-called fileless attacks. What sets this type of attack apart is that nothing is written to disk, which makes it very difficult for endpoint security products to detect.
The Intel Security researchers said that even when the PowerShell execution policy is set to "Restricted," users are still not protected from fileless malware: the execution policy guards against accidentally running scripts rather than acting as a security boundary, and attackers can easily bypass it. As a result, the malicious scripts run anyway.
Measures To Limit Email Malware Proliferation
Email attachments are a common vector for malware, as Symantec has reported. Exposure can be limited by blocking certain common file types or extensions, at the cost of also blocking some legitimate files of those types. Where a blocked file type genuinely needs to be shared, a channel other than email can be used to transfer it.
Most mail security products, whichever one is in use, can block these files by extension. However, a file that has simply been renamed will slip past an extension-only block. Only a few mail security products can also block by the "true file type," determined from the file's content, even after it has been renamed.
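The difference between extension blocking and "true file type" blocking, as an added example that is not part of the original article or of any named product: the classifier below reads an attachment's leading bytes (PE, LNK, OLE, ZIP and PDF signatures, a constructed, non-exhaustive list) and blocks a shortcut or executable even when it is renamed to .pdf. The block lists and sample attachments are assumptions chosen for illustration.

```python
"""Classify e-mail attachments by their leading bytes ("true file type") and
decide whether to block them, independent of the file extension."""
from __future__ import annotations

import os

# Leading-byte signatures for the file types discussed above. Taken from the
# public format headers; constructed for this example and not exhaustive.
SIGNATURES: list[tuple[str, bytes]] = [
    ("exe", b"MZ"),                                        # PE executable / DLL
    ("lnk", bytes.fromhex("4c000000"                       # HeaderSize = 0x4C
                          "0114020000000000c000000000000046")),  # LinkCLSID
    ("ole", bytes.fromhex("d0cf11e0a1b11ae1")),            # legacy Office / compound file
    ("zip", b"PK\x03\x04"),                                # ZIP, also OOXML documents
    ("pdf", b"%PDF-"),
]

# Assumed gateway policy: extensions refused outright, and true types that
# must never pass regardless of what the filename claims.
BLOCKED_EXTENSIONS = {".exe", ".lnk", ".js", ".vbs", ".ps1", ".scr"}
BLOCKED_TRUE_TYPES = {"exe", "lnk"}


def true_type(data: bytes) -> str:
    """Return a short type label derived from the leading bytes, or 'unknown'."""
    for label, magic in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def verdict(filename: str, data: bytes) -> tuple[str, str]:
    """Return (decision, reason) for one attachment.

    The extension check alone misses a renamed file; the true-type check
    catches it whatever the name says."""
    ext = os.path.splitext(filename)[1].lower()
    kind = true_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext}"
    if kind in BLOCKED_TRUE_TYPES:
        return "block", f"true type {kind} despite extension {ext or '(none)'}"
    return "allow", f"true type {kind}"


if __name__ == "__main__":
    # Constructed samples: a Windows shortcut renamed to .pdf, and a real PDF header.
    lnk_header = bytes.fromhex("4c0000000114020000000000c000000000000046")
    for name, blob in {"invoice.pdf": lnk_header + b"\x00" * 16,
                       "report.pdf": b"%PDF-1.7\n"}.items():
        print(name, *verdict(name, blob))
```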