McAfee: PowerShell threats grew 208% in Q4 2020

McAfee's latest threat report showed a sharp increase in PowerShell threats between Q3 and Q4 2020, in part due to malware known as Donoff and a rise in ransomware detections.

A new McAfee report showed troubling security trends in the third and fourth quarters of 2020, including a huge increase in PowerShell threats.

On Tuesday, the security vendor released the latest installment of its "McAfee Labs Threats Report," which tracks developing cyber attack trends around the world. Among the topics covered, alongside COVID-19-themed attacks and ransomware, were PowerShell threats, which grew 208% between Q3 and Q4 of last year.

The report attributes the increase in part to Donoff malware, a several-year-old threat that takes the form of a malicious Microsoft Office file; the file is sometimes downloaded as an email attachment, and runs a PowerShell script in order to gain access and install further malware.

Raj Samani, chief scientist and fellow at McAfee, told SearchSecurity that Donoff spawning new processes was a major contributor to the increase. Moreover, he said that PowerShell was being used in cyber attacks as a vector for lateral movement.

"The lateral movement use of PowerShell is driving the bad guys' ability to charge $50 million for ransomware," Samani said.

PowerShell is becoming an increasingly common attack technique. Managed detection and response vendor Red Canary called PowerShell "the most common technique we observed in 2020, affecting nearly half of our customers" in its 2021 threat detection report.

Red Canary said that the framework, included by default on modern Windows versions, is used by attackers for obfuscation purposes, adding that "adversaries rely on PowerShell's versatility and ubiquitous presence on target systems, minimizing the need to additionally customize payloads."

Concerns about the risks associated with PowerShell have grown in recent years, but Samani said it's a tool with both good and bad uses, and that there are always alternate mechanisms for gaining access to an environment.

"My advice as always is, if you're going to run PowerShell -- whether you're going to or not is the risk appetite decision -- you need to have mechanisms in place to monitor its usage," he said. "You make the call as to whether you want to enable it or disable it, but just because you've got it written down on a piece of paper that says, 'Our policy is not to use X,' that doesn't mean it's not being used. Anticipate it and monitor it within your environment."
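Putting Samani's advice into practice: the PowerShell below is an added example, not code from the article, from McAfee or from Red Canary. It enables script block and module logging through the policy registry keys, then hunts the resulting Event ID 4104 records for the traits a Donoff-style chain leaves behind: an encoded command line, a hidden window, an execution-policy bypass, download-and-execute calls and string-concatenation obfuscation. The indicator list and its weights are illustrative assumptions rather than a published detection rule, the function names are mine, and the sample command line is constructed. It needs an elevated Windows PowerShell 5.1 session; try it on a test host first.

```powershell
# Added example, not from the article or the McAfee report. Indicator patterns and
# weights are illustrative assumptions, not a published rule set. Run elevated in
# Windows PowerShell 5.1; the keys below are the ones Group Policy writes
# (PowerShell 7 reads HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore instead).

# --- 1. Enable script block logging (Event ID 4104) and module logging (4103) ---
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging `
                 -Value 1 -PropertyType DWord -Force | Out-Null
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging `
                 -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' `
                 -PropertyType String -Force | Out-Null   # '*' = log every module

# --- 2. Score script block text for traits of a macro-launched loader ---
# (-match is case-insensitive by default, so no (?i) is needed.)
$Indicators = @(
    [pscustomobject]@{ Name='EncodedCommand';   Weight=3; Pattern='-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
    [pscustomobject]@{ Name='Base64Decode';     Weight=2; Pattern='FromBase64String' }
    [pscustomobject]@{ Name='DownloadAndRun';   Weight=2; Pattern='DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient' }
    [pscustomobject]@{ Name='InvokeExpression'; Weight=2; Pattern='Invoke-Expression|\biex\b' }
    [pscustomobject]@{ Name='HiddenWindow';     Weight=1; Pattern='-w(indowstyle)?\s+hidden' }
    [pscustomobject]@{ Name='BypassPolicy';     Weight=1; Pattern='-e(p|x|xecutionpolicy)\s+bypass' }
    [pscustomobject]@{ Name='StringConcat';     Weight=2; Pattern='(''[^'']{1,3}''\s*\+\s*){3,}' }  # 'i'+'e'+'x' style
)

function Get-ScriptBlockRisk {
    # Returns the summed weight of matching indicators and the names that hit.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $score = 0
    $hits  = @()
    foreach ($i in $Indicators) {
        if ($Text -match $i.Pattern) {
            $score += $i.Weight
            $hits  += $i.Name
        }
    }
    [pscustomobject]@{ Score = $score; Hits = $hits }
}

# --- 3. Pull 4104 events from the operational log and flag the risky ones ---
function Find-SuspiciousScriptBlocks {
    param([int]$MinScore = 4, [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
            # Long scripts arrive as several 4104 events (MessageNumber of MessageTotal).
            $text = [string]$_.Properties[2].Value
            $risk = Get-ScriptBlockRisk -Text $text
            if ($risk.Score -ge $MinScore) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Score   = $risk.Score
                    Hits    = ($risk.Hits -join ',')
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample: the kind of one-liner a malicious Office macro launches.
# The base64 is UTF-16LE for "IEX (New-Object", truncated here.
$sample = 'powershell -w hidden -ex bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA...'
Get-ScriptBlockRisk -Text $sample
Find-SuspiciousScriptBlocks | Sort-Object Score -Descending | Format-Table -AutoSize
```

The logging keys apply to PowerShell sessions started after they are written, so sessions already running stay dark until restarted. Script block logging records the decoded content the engine actually executes, which is what makes it more useful than command-line auditing alone against an obfuscated loader; the constructed sample trips the encoded-command, hidden-window and bypass indicators on the command line itself, and the decoded payload would be logged as its own 4104 event once it runs. To also see the parent process, for example winword.exe launching powershell.exe, pair this with Security event 4688 with command-line auditing enabled.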

Beyond PowerShell, two other notable statistics concern new ransomware variants and the COVID-19 pandemic. Attacks featuring new ransomware samples increased 69% between Q3 and Q4 of last year, from just over 3 million to 5.1 million.

As for COVID-19-related attacks, 1,224,628 McAfee-protected devices reported threats in Q4 2020, compared to 1,071,257 in Q3 and 445,922 in Q2. And according to McAfee's COVID-19 dashboard, which provides up-to-date threat detection statistics, McAfee devices detected over 10 million total pandemic-related threats between May 2, 2020, and today, April 13.

Samani called the growing presence of COVID-19-related cyberthreats an evolution of popular spam campaigns, and said the messaging around those threats has adapted to the moment: what was originally a fake mobile app offering to take the user's temperature is now an email saying their vaccine appointment has been booked.

"Spam is always going to jump on what the latest thing is. They're not talking about the same topic we were talking about with COVID 12 months ago, but it is an evolution of that. I think they'll continue with that because it's in the press and the news, but likewise, if there's something else that happens like another, God forbid, infection or anything else, it will just switch and change," Samani said.

The threats go beyond tricking or scamming consumers. In December, IBM Security X-Force's COVID-19 threat intelligence task force reported the discovery of a phishing campaign aimed at organizations involved in the vaccine cold chain, including dry ice and thermal insulation manufacturers.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
