High
Researchers have analyzed two samples of script-based malware. Both samples were distributed by exploiting CVE-2019-0752, an Internet Explorer remote code execution (RCE) vulnerability; specifically, the exploit is used to execute PowerShell commands that download the malicious scripts. The first sample is an obfuscated JavaScript file that contains two packed pieces of JavaScript code. The first piece is saved to a registry key, while the second is saved to a JSE file whose path is written to a Registry Run key. The saved JSE file is then executed and the initial JavaScript file is deleted. The JSE file is responsible for running the code that the first script saved to the registry. That code in turn establishes a connection to the C2 server and processes any commands the server returns. Through this C2 connection, attackers can execute commands, download files, terminate the current process, and reboot or shut down the system. The second script-based malware sample analyzed by Palo Alto is a compiled AutoIt script. It simply acts as a downloader for additional payloads, which could be any variety of malware, such as ransomware, spyware, or RATs.
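The persistence chain above leaves two registry traces a defender can hunt for: a Run value that points at a script file or script host, and an unusually large string value holding script code. The following is an added example, not code from the report or from Palo Alto, that applies both heuristics to a constructed `.reg`-style export; the key names, value names, regular expressions and the 512-character length threshold are assumptions for illustration.

```python
import re

# Constructed .reg-style export (sample data, not from the reported malware) that
# mimics the chain described above: a Run entry pointing at a .jse file and a
# large string value holding script code under an unrelated key.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDriveUpdate"="C:\\Users\\user\\AppData\\Roaming\\update.jse"
"Legit"="C:\\Program Files\\Vendor\\agent.exe --background"

[HKEY_CURRENT_USER\Software\Contoso\Cache]
"blob"="''' + "var s=new ActiveXObject('WScript.Shell');" * 20 + '''"
'''

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Script files or script hosts referenced from an autostart value.
SCRIPT_REF = re.compile(r"\.(jse?|vb[se]|wsf|hta)\b|\b[wc]script(\.exe)?\b", re.IGNORECASE)
# Tokens typical of a script body stashed in a registry value.
SCRIPT_TOKENS = re.compile(r"ActiveXObject|WScript|eval\(|fromCharCode|function\s*\(", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
LONG_STRING = 512  # assumed threshold; legitimate string values are rarely this long

def scan_reg_export(text):
    """Return (key, value_name, reason) for every value matching either heuristic."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key header
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if RUN_KEY.search(key) and SCRIPT_REF.search(data):
            findings.append((key, name, "run-key-script-reference"))
        if len(data) > LONG_STRING and SCRIPT_TOKENS.search(data):
            findings.append((key, name, "stored-script-body"))
    return findings

if __name__ == "__main__":
    for key, name, reason in scan_reg_export(SAMPLE_REG):
        print(f"{reason}: {key}\\{name}")
```

On a live host the same checks can be run against the output of `reg export` for HKCU and HKLM; the length threshold will need tuning for software that legitimately stores large strings.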
Persistence on the target system