Abusing PowerShell to deliver malware isn’t new; it’s actually a prevalent technique that many fileless threats use. We regularly encounter these kinds of threats, and Trend Micro behavior monitoring technology proactively detects and blocks them. We have smart patterns, for instance, that actively detect scheduled tasks created by malicious PowerShell scripts. We also have network rules that detect, for example, indications of activities like Server Message Block (SMB) vulnerabilities being exploited, potential brute-force attempts, and illicit cryptocurrency mining-related communications.
With that said, a sudden spike of these activities is unusual to us. Feedback from our Smart Protection Network™ revealed that this recent wave of attacks were mostly targeting China-based systems. The attacks, which are still ongoing, were first observed on May 17; the attacks peaked on May 22 and has since steadied.Read More