Fresh from the cyberwar battlefield...
Security researchers from ESET have analyzed several PowerShell scripts used by the Russia-linked Turla threat group in recent attacks.
Operating since at least 2008, the group is also known as Snake, Waterbug, KRYPTON and Venomous Bear, and has attacked diplomatic and military organizations, including the U.S. military, the German Foreign Office, and the French military.
The group recently began using PowerShell scripts to load and execute malware directly in memory, so that no malicious executable has to be written to disk where file-based scanning would catch it. Previously observed using a loader based on the open-source project Posh-SecMod, Turla has since refined its PowerShell scripts, ESET says.
The security researchers observed the group using these scripts in attacks targeting diplomatic entities in Eastern Europe, but the group likely used the tools against its traditional targets in Western Europe and the Middle East as well.
The group’s PowerShell loader was designed to establish persistence, decrypt its payload, and load the embedded executable or DLL into memory.
For persistence, Turla uses either a permanent Windows Management Instrumentation (WMI) event subscription or a modified PowerShell profile (a script that PowerShell runs automatically each time a host starts), the researchers explain.
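Both persistence mechanisms described above leave artifacts an administrator can enumerate from the host. The following hunt script is an added example and is not code from ESET, SecurityWeek, or Turla; it lists permanent WMI event subscriptions (filter, consumer and binding), inspects the four PowerShell profile paths, and checks whether script block logging is turned on, since an in-memory loader that never touches disk is mostly visible through that log. The `$suspect` indicator regex and the "Suspicious" heuristic are assumptions of this example, not ESET detection logic.

```powershell
# Added example (not from ESET/SecurityWeek): hunt for WMI-subscription and
# PowerShell-profile persistence and check script block logging. Run elevated.
# The indicator regex below is this example's own assumption, not an ESET signature.
$suspect = 'FromBase64String|Assembly\]::Load|Reflection\.Assembly|Invoke-Expression|\bIEX\b|DownloadString|-EncodedCommand|DllImport'

function Get-RefName($ref) {
    # Binding references are CimInstance objects under Get-CimInstance, but plain
    # strings like __EventFilter.Name="x" under Get-WmiObject; handle both.
    if ($ref -is [string]) { return ($ref -split '"')[1] }
    return $ref.Name
}

function Get-WmiPersistence {
    # A permanent subscription is three linked objects in root\subscription:
    # a filter (WQL trigger), a consumer (what runs) and the binding between them.
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            Filter     = $fName
            Query      = $f.Query
            Consumer   = $cName
            Payload    = $payload
            Suspicious = [bool]($payload -match 'powershell|wscript|cscript|cmd\.exe' -or $payload -match $suspect)
        }
    }
}

function Get-ProfileFindings {
    # $PROFILE exposes the four profile scripts for the current host; any of them
    # runs automatically at start-up, which is what makes profile edits useful to a loader.
    $paths = $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
             $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-Item $p
        $text = Get-Content $p -Raw
        [pscustomobject]@{
            Path       = $p
            Modified   = $item.LastWriteTime
            Bytes      = $item.Length
            Suspicious = [bool]($text -match $suspect)
        }
    }
}

function Test-ScriptBlockLogging {
    # In-memory loaders leave no file to scan; script block logging (Event ID 4104 in
    # Microsoft-Windows-PowerShell/Operational) records the decoded script text instead.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return [bool]($v -and $v.EnableScriptBlockLogging -eq 1)
}

Write-Host '== WMI permanent event subscriptions =='
Get-WmiPersistence | Format-Table -AutoSize -Wrap
Write-Host '== PowerShell profile scripts present on disk =='
Get-ProfileFindings | Format-Table -AutoSize
Write-Host ('Script block logging enabled: {0}' -f (Test-ScriptBlockLogging))
```

Two caveats when reading the output: a stock Windows install already has one binding (the "SCM Event Log Filter" tied to an NTEventLogEventConsumer), which this script lists with an empty payload because it only pulls command-line and script consumers, so review any binding beyond that one rather than only the ones flagged "Suspicious"; and $PROFILE covers the current host only, so run the script from each host you care about (Windows PowerShell, PowerShell 7, ISE) or check the profile directories directly.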
#share2steem #hackers #powershell #research #infosec
External Link : https://www.securityweek.com/researchers-dissect-powershell-scripts-used-russia-linked-hackers