Fileless Malware - The Stealth Attacker
Threat Bulletin
October 2018
www.allot.com See. Control. Secure.
Fileless malware (FM), also known as "non-malware" or "fileless infection", is a form of attack whose malicious code exists only in volatile storage such as RAM, the memory of running processes, and other transient service areas, rather than as an executable file written to disk. This differentiates it from the classic memory-resident virus, which still has to touch permanent storage such as a hard disk drive or a USB flash drive (disk-on-key) at some point.
Typically picked up during visits to malicious or compromised websites, fileless malware leaves no file on disk for a standard antivirus program to scan. It lurks in the computer's memory and is exceptionally difficult to identify. The upside is that this type of malware rarely survives a reboot, after which the computer should work as it did before the infection. However, newer variants increasingly attach themselves to existing binaries and scripts, or store their code in the operating system's registry, from where they can sometimes survive even a hard reset. FM normally gains its foothold through standard Windows components such as Microsoft PowerShell, which lets attackers drive the operating system with a trusted, signed tool instead of a dropped executable; 70 percent of the attacks identified by Kaspersky Lab originated from PowerShell scripts. Because the attacks are launched through trusted components, both detection and mitigation are harder.
The Ponemon Institute, an organization that, among a range of other activities, evaluates online threats and their financial impact, identified FM attacks as one of the most successful forms of malware attack on global institutions. Kaspersky Lab found that over 140 government, telecom, and financial institutions across 40 countries had been infected by this form of malware.
Fileless Malware Variants
One fileless malware variant is CactusTorch, which can execute custom shellcode on Windows to deliver its payload. It uses DotNetToJScript, which delivers the malicious payload as a script rather than as a compiled .EXE or .DLL: the generated .NET assembly is embedded in JavaScript and loaded straight into memory, which makes it harder to detect with standard antivirus programs. As with other FM, CactusTorch is loaded into memory at run time, bypassing most file-based malware detection. CactusTorch has since morphed into a further 30 variants.
Another FM, PowerGhost, uses a range of fileless techniques to avoid detection and is designed to hijack corporate resources to mine cryptocurrency. During the infection process a one-line PowerShell script is delivered to the target and installs the mining program.
Gold Dragon is yet another FM, created to coincide with the 2018 Winter Olympics in South Korea. A Korean-language implant, it served as the second-stage payload in the Olympics attack, giving the attackers stronger persistence than the initial PowerShell implant alone provided. Gold Dragon also contained a key-generation algorithm used to encrypt the data gathered during the attack.
Of course, the simplest FM attacks of all are those the targets trigger themselves, such as malware carried in macro scripts. Both Microsoft Word and Excel can embed labor-saving macros, and a malicious macro can launch PowerShell and lead to a Trojan installation.
Social Engineering
One of the most common ways hackers lure their targets into FM traps is social engineering. This involves observing a target's behavior on social media to determine the interests, hobbies, and passions of the "marks", then using that knowledge to craft lures delivered through phishing, malvertisements, and watering-hole websites.
Education is the best way to minimize the likelihood of malware attack through social engineering channels. Employees and consumers must become aware of the risks of exposing information about themselves on social media, since that information can be used to hook a target and lure them into a malware trap.
Fileless Malware Mitigation
As nothing is normally written to the computer's hard disk during an FM attack, standard signature-based antivirus programs are largely ineffective. So, what is the best way to mitigate FM attacks if, on the surface, they appear to be executing legitimate computer instructions? The simplest way to avoid this type of malware is not to click the links that deliver the malicious code. Of course, this is not always possible, particularly when the malware is served from legitimate-looking websites, and hackers are adept at redirecting their targets to rogue sites that are near-perfect copies of legitimate ones.
Multi-Layer Security
As FM is difficult to detect with standard antivirus packages, and hard to remove even once it is located, multi-layer security provides a more robust defense against memory-resident malware. This approach is increasingly adopted because the expansion of the corporate network perimeter through mobile, IoT, and cloud technology has made traditional antivirus protection on its own ineffective.
Multi-layer defense involves applying security measures
across all of an enterprise’s technology platforms. As an
example, the smartphone layer would include the following
security measures:
o Verified boot that refuses to start a modified operating system
o Kernel integrity monitoring
o Isolated execution on a secure co-processor
o Drive encryption
o Secure storage for keys and credentials
Similar defenses should be established across other layers of
an organization’s technology infrastructure to include:
o Firewall management
o Email protection
o Web gateways
o Micro data segmentation
In addition to going multi-layer, enterprises must also get predictive. Potential FM attacks can be mitigated by monitoring for suspicious network behavior. For example, geolocating the IP addresses of connections and flagging those to or from regions that are unusual for the business can surface suspicious sessions and, where warranted, block them.
Artificial intelligence (AI) is probably the direction in which the next generation of antivirus programs will develop. AI can learn what "normal" network behavior looks like and flag deviations from it. Such solutions must also be able to isolate individual endpoints so that an infection cannot spread across the network.
However, there are other, more effective measures that companies and consumers can take to avoid painful FM attacks. These include the following:
o Patching operating systems as frequently as manufacturers recommend
o Enforcing least privilege, and enabling PowerShell logging (script block, module, and transcription logging) so that what PowerShell actually executes is recorded
o Instituting regular network behavior analysis, and monitoring process-creation logs, including command lines and parent processes, for unusual activity
o Disabling macros by default in Office programs such as Excel, PowerPoint, and Word, and blocking macros in documents received from the Internet
o Monitoring service creation to spot any unusual new service, since a service whose binary is a script host is a classic persistence trick
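The logging and macro controls in the list above, as an added PowerShell example; this is not code from the Allot bulletin. It writes the Group Policy registry values that enable PowerShell script block, module and transcription logging and that disable Office VBA macros. The Office policy key version (16.0), the transcript directory and the helper name Set-PolicyValue are this example's own assumptions, and in an estate the same values are pushed by Group Policy rather than set machine by machine.

```powershell
# Added example (not code from the Allot bulletin): set the Group Policy registry
# values that give defenders visibility into PowerShell and close the Office macro
# door. Run in an elevated PowerShell on the endpoint; in an estate the same values
# are pushed by Group Policy. Assumptions: Office 2016/365 policy key (16.0), the
# transcript directory C:\PSTranscripts, and the helper name Set-PolicyValue.
#Requires -RunAsAdministrator

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Create the key if it is missing, then write (or overwrite) the value.
function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script Block Logging: every script block PowerShell compiles, including the
#    de-obfuscated form of -EncodedCommand payloads, is written to the
#    Microsoft-Windows-PowerShell/Operational log as event 4104.
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module Logging for all modules: cmdlet invocations with their bound
#    parameters (event 4103), which exposes Invoke-Expression/DownloadString chains.
Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: a plaintext record of every session. Forward the directory to
#    the SIEM so that a reboot or a local cleanup does not erase the evidence.
Set-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$psPolicy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$psPolicy\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

# 4. Office macros for the applications the bulletin names. VBAWarnings = 4 is
#    "Disable all macros without notification"; the second value blocks macros in
#    files that carry the Mark-of-the-Web (downloaded or mailed from the Internet).
#    These are per-user policy keys, so deploy them through the user side of GPO.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $security = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue $security 'VBAWarnings' 4
    Set-PolicyValue $security 'blockcontentexecutionfrominternet' 1
}

# 5. Read the values back so the change is verified and auditable.
Get-ItemProperty "$psPolicy\ScriptBlockLogging", "$psPolicy\ModuleLogging", "$psPolicy\Transcription" |
    Format-List EnableScriptBlockLogging, EnableModuleLogging, EnableTranscripting, OutputDirectory
```

The logging values take effect for new PowerShell sessions; the macro values apply only to the user whose HKCU hive is written, which is why they belong in the user configuration of a Group Policy object for a whole organization.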
Rapid Response
FM runs in RAM even after programs such as web browsers are closed, which leaves the hacker's command-and-control channel in place, ready for the upload of further malicious payloads. While a regular PC reboot would normally remove the FM, the malware may persist on mobile devices and other systems that are not normally powered down. Early FM relied on a downloader program to install the malicious code, but FM exploit kits such as Angler now let even inexperienced hackers implant FM code easily.
Due to the increasingly sophisticated nature of FM attacks, it is essential that this type of intrusion is identified rapidly and blocked. One of the most efficient ways of identifying FM attacks is network monitoring that detects suspicious traffic and connections to malicious sites. To this end, some antivirus products now include behavioral or heuristic detection methods.
While PowerShell and other scripting hosts launch as regular, legitimate applications, their abuse can still be detected: by logging what they execute, by watching which process launched them and with what command line, and by monitoring the registry entries and services they create in order to persist. Memory analysis tools can also be deployed to detect and analyze in-memory malware and to provide alerts and recommendations.
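A triage pass over the telemetry the bulletin points at (PowerShell script blocks, process creation, new services and the registry Run keys), as an added PowerShell example; this is not code from the Allot bulletin. It decodes -EncodedCommand payloads, flags the hidden and encoded PowerShell and the download-and-execute primitives described earlier, catches the Office-macro-to-PowerShell chain, and reports services and autoruns that launch a script host, which is the registry persistence the bulletin warns about. The indicator regular expressions, the 24-hour window and the function names are this example's own; events 4104 and 4688 only exist when script block logging and process command-line auditing are enabled.

```powershell
# Added example (not code from the Allot bulletin): a read-only triage pass over
# the telemetry named above. Sources: PowerShell script blocks (event 4104, present
# only when Script Block Logging is on), process creations (Security 4688, command
# lines only with command-line auditing on), new services (System 7045) and the
# Run/RunOnce autorun keys. The indicator regexes, the 24-hour window and the
# function names are this example's own choices. Run in an elevated PowerShell.

$ScriptHost = '(?i)\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b'
$Evasion    = '(?i)-(nop\b|noprofile\b|w(indowstyle)?\s+hidden|e(xecutionpolicy|xec|p)\s+bypass|noni\b|noninteractive\b|e(nc|c|ncodedcommand)?\b)'
$Primitive  = '(?i)(\bIEX\b|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|FromBase64String|Reflection\.Assembly|Add-Type|VirtualAlloc|-bxor)'
$OfficeApp  = '(?i)\\(winword|excel|powerpnt|outlook)\.exe$'
$Since      = (Get-Date).AddDays(-1)

# -EncodedCommand carries base64 of UTF-16LE text; decode it so the rules see the real script.
function Expand-EncodedCommand([string]$Text) {
    $m = [regex]::Match($Text, '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value)) }
    catch { return $null }
}

# Reasons a command line looks like fileless tradecraft; an empty array means clean.
function Get-Indicators([string]$Text, [string]$Parent = '') {
    $hits = @()
    $decoded = Expand-EncodedCommand $Text
    if ($decoded) { $hits += "encoded command decodes to '$($decoded.Substring(0, [Math]::Min(60, $decoded.Length)))'" }
    $all = "$Text $decoded"
    if ($all -match $Evasion)   { $hits += "evasion switch '$($Matches[0])'" }
    if ($all -match $Primitive) { $hits += "download/execute primitive '$($Matches[0])'" }
    if ($Parent -match $OfficeApp -and $Text -match $ScriptHost) { $hits += "script host spawned by Office parent $Parent" }
    return ,$hits
}

function New-Finding([string]$Source, $When, [string]$Detail, [string[]]$Why) {
    [pscustomobject]@{ Source = $Source; When = $When; Detail = $Detail; Why = ($Why -join '; ') }
}

function Get-FilelessFindings {
    # 1. Script blocks PowerShell actually compiled: the "PowerShell logging" control.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $block = [string]$e.Properties[2].Value                 # ScriptBlockText
        $why = @(Get-Indicators -Text $block)
        $snippet = $block.Substring(0, [Math]::Min(100, $block.Length))
        if ($why) { New-Finding '4104 ScriptBlock' $e.TimeCreated $snippet $why }
    }
    # 2. Process creations: which process launched a script host, and with what arguments.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $image = [string]$e.Properties[5].Value                 # NewProcessName
        if ($image -notmatch $ScriptHost) { continue }
        $cmd = [string]$e.Properties[8].Value                   # CommandLine (needs command-line auditing)
        $parent = if ($e.Properties.Count -gt 13) { [string]$e.Properties[13].Value } else { '' }  # ParentProcessName (Win10/2016+)
        $why = @(Get-Indicators -Text $cmd -Parent $parent)
        if ($why) { New-Finding '4688 Process' $e.TimeCreated "$parent -> $cmd" $why }
    }
    # 3. New services whose "binary" is a script host rather than a real service executable.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $Since }
    foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $name = [string]$e.Properties[0].Value                  # ServiceName
        $path = [string]$e.Properties[1].Value                  # ImagePath
        $why = @(Get-Indicators -Text $path)
        if ($path -match $ScriptHost) { $why += 'service ImagePath is a script host' }
        if ($why) { New-Finding '7045 Service' $e.TimeCreated "$name = $path" $why }
    }
    # 4. Registry autoruns: where fileless families park a one-liner to survive a reboot.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }               # PSPath, PSParentPath, ... are provider metadata
            $value = [string]$p.Value
            $why = @(Get-Indicators -Text $value)
            if ($value -match $ScriptHost) { $why += 'autorun launches a script host' }
            if ($why) { New-Finding 'Registry Run' (Get-Date) "$key\$($p.Name) = $value" $why }
        }
    }
}

Get-FilelessFindings | Sort-Object When | Format-Table -AutoSize -Wrap
```

The script reports and does not block: a legitimate admin one-liner can trip the evasion rule, so each finding is triaged by hand, with the decoded command text and the parent process as the first things to read. The `PS*` filter on the Run keys skips the provider's own metadata properties, so an autorun value deliberately named with that prefix would also be skipped; widen the check if that matters in your environment.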
Conclusion
Fileless malware attacks have increased in number and sophistication since the start of 2017. The Ponemon Institute states that seven out of ten organizations in a 2017 poll reported a significant increase in endpoint security risk, with 77% of successful attacks utilizing fileless techniques. The same report confirmed that traditional antivirus solutions have become ineffective, with four out of five organizations dissatisfied with their existing antivirus packages. Endpoint solutions are increasingly deployed as organizations shift their focus from network-only solutions to a multi-layered security approach. Organizations in the Ponemon survey also confirmed that traditional network security is not only ineffective but also difficult and expensive to manage.
Despite the risks posed by FM, the steps to mitigate the threat are relatively simple and inexpensive. Educating home consumers and company employees is certainly one of the most effective ways of reducing the chance of FM infection, and campaigns that spread the message about the risk from this type of malware should be expanded.
Are you concerned about fileless malware attacks?
Allot’s NetworkSecure and HomeSecure products can assist.
Contact Allot »