One (S)hell of a Threat: Gateway to Other Platforms

Michael Jay Villanueva & John Kevin R. Sanchez, Trend Micro

We have already seen in the past how PowerShell was used by cybercriminals in most attacks, mainly in delivering banking trojans, backdoors, ransomware, cryptominers, and most recently, the fileless malware and malicious WMI entries. Many malware creators have already realized the framework’s flexibility by incorporating PowerShell in exploits, lateral movement within the compromised network, and for persistence.

In what could be perceived as a game changer, Microsoft recently announced the general availability of PowerShell Core, a cross-platform and open-source edition of the PowerShell. With more platforms open for attacks, it is no surprise that cybercriminals would eventually attempt to take advantage of the multiplatform characteristic of the PowerShell Core to breach their way into non-Windows users. While it may work differently on other platforms, there remains lot of possibilities on how they could attack other platforms especially considering that Microsoft also provided comparison of its functionalities to previous PowerShell versions.

This study aims to be one step ahead by exploring the possible strategies these malware creators could devise to invoke their attacks in other platforms. We would also explore on other PowerShell Core functionalities that could be used for attacks on specific platforms. This could help us provide preemptive solutions to protect users and organizations for the next wave of attacks that might involve PowerShell Core.

Michael Jay Villanueva

Michael Jay Villanueva started out his career in Trend Micro in 2015. He works as a threat analyst and researcher under the Core Technology team. During his career, he was able to analyze different threats, create malware reports and clean-up patterns for customers. He also contributes write-ups to TrendLabs Security Intelligence blog. Currently, he is focused in handling deep and wide malware analysis, as well as conducting research for noteworthy/emerging threats. Prior to that, he is a Magna Cum Laude graduate of AMA Computer College from where he holds a Bachelor of Science degree in Computer Science. He loves to sing and play different musical instruments like guitar and drums. He also loves traveling and playing computer games.

John Kevin R. Sanchez

John Kevin Sanchez is a Threat Research Engineer and a part of Trend Micro’s Core Tech team since 2016. He received his bachelor’s degree in Applied Physics from the University of the Philippines Diliman. His tasks included creation of malware reports from analysis of malicious samples. He is also capable of analyzing product logs and providing damage cleanup and behavioral monitoring patterns to infected customers. He also contributes write-ups for TrendLabs Security Intelligence blogs. He is an avid sports fan most especially basketball. He enjoys playing video games and watching TV series and movies in his spare time.

The Dynamic Security Ecosystem
Other Topics