Search results for powershell $ | Breaking Cybersecurity News | The Hacker News

Microsoft's love for Linux continues… Microsoft has released its command-line shell and scripting language PowerShell Core for Linux operating system as a Snap package, making it easier for Linux users to install Microsoft PowerShell on their system. Yes, you heard me right. Microsoft has made PowerShell Core available to the Ubuntu Snap Store as a Snap application. PowerShell Core is a cross-platform version of Windows PowerShell that is already available for Windows, macOS, and Linux OS and has been designed for sysadmins who manage assets in hybrid clouds and heterogeneous environments. Snap is a universal Linux packaging system, built by Canonical for the Ubuntu operating system, which makes an application compatible for all major Linux distributions without requiring any modification. A Snap package is basically an application compressed together with its dependencies and also includes instructions on how to run and interact with other software on various Linu...

It is no secret that cybercriminals are becoming dramatically more adept, innovative, and stealthy with each passing day. While new forms of cybercrime are on the rise, traditional activities seem to be shifting towards more clandestine techniques that involve the exploitation of standard system tools and protocols, which are not always monitored. The latest example of such attack is DNSMessenger – a new Remote Access Trojan (RAT) that uses DNS queries to conduct malicious PowerShell commands on compromised computers – a technique that makes the RAT difficult to detect onto targeted systems. The Trojan came to the attention of Cisco's Talos threat research group by a security researcher named Simpo, who highlighted a tweet that encoded text in a PowerShell script that said 'SourceFireSux.' SourceFire is one of Cisco's corporate security products. DNSMessenger Attack Is Completely Fileless Further analysis of the malware ultimately led Talos researchers to...

'Microsoft loves Linux' and this has never been so true than now. Microsoft today made its PowerShell scripting language and command-line shell available to the open source developer community on GitHub under the permissive MIT license. The company has also launched alpha versions of PowerShell for Linux (specifically Red Hat, Ubuntu, and CentOS) and Mac OS X, in addition, of course, to Windows. Now, people can download binaries of the software, as well as access source code of the app from the new PowerShell GitHub page. "Users across Windows and Linux, current and new PowerShell users, even application developers can experience a rich interactive scripting language as well as a heterogeneous automation and configuration management that works well with your existing tools," Microsoft says in its blog post . "Your PowerShell skills are now even more marketable, and your Windows and Linux teams, who may have had to work separately, can now work toge...

Threat hunters are alerting to a new campaign that employs deceptive websites to trick unsuspecting users into executing malicious PowerShell scripts on their machines and infect them with the NetSupport RAT malware. The DomainTools Investigations (DTI) team said it identified "malicious multi-stage downloader Powershell scripts" hosted on lure websites that masquerade as Gitcode and Docusign. "These sites attempt to deceive users into copying and running an initial PowerShell script on their Windows Run command," the company said in a technical report shared with The Hacker News. "Upon doing so, the powershell script downloads another downloader script and executes on the system, which in turn retrieves additional payloads and executes them eventually installing NetSupport RAT on the infected machines." It's believed that these counterfeit sites may be propagated via social engineering attempts over email and/or social media platforms. The Po...

Active flaws in the PowerShell Gallery could be weaponized by threat actors to pull off supply chain attacks against the registry's users. "These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package," Aqua security researchers Mor Weinberger, Yakir Kadkoda, and Ilay Goldman said in a report shared with The Hacker News. Maintained by Microsoft,  PowerShell Gallery  is a  central repository  for sharing and acquiring PowerShell code, including PowerShell modules, scripts, and Desired State Configuration (DSC) resources. The registry boasts of 11,829 unique packages and 244,615 packages in total. The issues identified by the cloud security firm have to do with the service's lax policy surrounding package names, lacking protections against typosquatting attacks, as a result enabling attackers to upload malicious PowerShell modules that appear genuine to unsuspecting u...

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems. "Malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally," Morphisec researcher Michael Gorelik said . MicroWorld Technologies has revealed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update. Impacted organizations are recommended to contact MicroWorld Technologies to obtain the fix. It also pinned the attack as resulting from unauthorized access to one of its regional update server configurations, whi...

Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be a work of two separate cybercriminal groups, we find many similarities in them. Both attacks start from phishing emails containing an attached Microsoft Word document embedded with malicious macros and then uses Powershell to deliver fileless malware. Ursnif is a data-stealing malware that typically steals sensitive information from compromised computers with an ability to harvest banking credentials, browsing activities, collect keystrokes, system and process information, and deploy additional backdoors. Discovered earlier last year, GandCrab is a widespread ransomware threat that, like every other ransomware in the market, encrypts files on an infected system and insists victims to pay a ransom ...

The sophisticated malware known as ViperSoftX has been observed being distributed as eBooks over torrents. "A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime ( CLR ) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations," Trellix security researchers Mathanraj Thangaraju and Sijo Jacob said . "By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity." Initially detected by Fortinet in 2020, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts. Over the years, the malware has become a relevant example of threat actors continuously innovating their tactics in an attempt to stay stealthy and circumvent defenses. This is exemplified by the increas...

Microsoft 365 (M365), formerly called Office 365 (O365), is Microsoft's cloud strategy flagship product with major changes ahead, such as the deprecation of their legacy authentication protocols. Often stored on or saved to the device, Basic Authentication protocols rely on sending usernames and passwords with every request, increasing the risk of attackers capturing users' credentials, particularly if not TLS protected. Basic Authentication, while necessary for companies using legacy software, is unable to enforce MFA and is superseded by Modern Authentication. The legacy settings have been on Microsoft's radar to fix for years. In 2018,  Microsoft announced  it would introduce a series of changes — and ultimately deprecation — to its authentication controls as a means to help organizations mitigate the risk. These changes were set to take place over a number of years, and in September 2021,  they announced  that they will begin to permanently disable Basic Auth ...

Ransomware is one of the most blatant and obvious money making schemes for cybercriminals and it was most likely to be known when last year Cryptolocker ransomware targeted millions of computers worldwide. Recently, security researchers at the Antivirus firm TrendLabs have unearthed another sophisticated variant of the ransomware malware which is employing  Windows PowerShell  in an effort to encrypt files on the victims’ computer. The firm detected the variant as TROJ_POSHCODER.A . Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language. It provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems as well as WS-Management and CIM enabling management of remote Linux systems and network devices. It is believed that cybercriminals have used this feature of Windows just in order...

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it's likely associated with the North Korean state-sponsored group tracked as Kimsuky (aka Emerald Sleet, Springtail, or Velvet Chollima). "The malware payloads used in the  DEEP#GOSU  represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News. "Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks as well as self-executing PowerShell scripts using jobs." A notable aspect of the infection proced...

A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL . "The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations," Volexity said in a Wednesday report. "The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload." Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German. Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastruc...

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates. French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma. Hijack Loader , also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies. Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive. HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 - A PowerShell script ...

Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix -style fake CAPTCHAs with a signed Microsoft Application Virtualization ( App-V ) script to distribute an information stealer called Amatera . "Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths," Blackpoint researchers Jack Patrick and Sam Decker said in a report published last week. In doing so, the idea is to transform the App-V script into a living-off-the-land (LotL) binary that proxies the execution of PowerShell through a trusted Microsoft component to conceal the malicious activity. The starting point of the attack is a fake CAPTCHA verification prompt that seeks to trick users into pasting and executing a malicious command on the Windows Run dialog. But here is where the attack diverges from traditional ClickFix attacks. The supplied command, rather than invokin...