Jump to content

Recommended Posts

https://zeltser.com/fileless-malware-beyond-buzzword/

Quote

In contrast, a reasonable alternative to the term fileless malware was introduced by Carbon Black in its 2016 Threat Report. The report used the phrase non-malware attacks. Writing on the company’s blog a few months later, Michael Viscuso explained the meaning of this term like this:

“A non-malware attack is one in which an attacker uses existing software, allowed applications and authorized protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as fileless, memory-based or ‘living-off-the-land’ attacks.”

Gartner used the term “non-malware attack” in a 2017 report that highlighted Carbon Black. However, another Gartner report published a month later used “fileless attacks” instead.

Why Does It Matter?

I like the idea of saying “non-malware attacks” for incidents that rely solely on legitimate system administration tools and other non-malicious software. This is the scenario that some people describe as living-off-the-land. In contrast, I might prefer to say “memory-only malware” if I need to point out that malicious code is never saved to disk, perhaps because it was injected into another process. I’m even OK with saying “fileless malware” when bringing focus on persistence mechanisms that avoid placing traditional executables on the file system.

Unfortunately, nowadays the terminology has been commingled, and we’re probably stuck with the term “fileless malware” to describe the various scenarios outlined above, despite the term’s ambiguity. Alas, human language is imprecise and always-evolving. (If we all spoke C#, perhaps the world would be a better place.)

I care about this terminology because I’m trying to avoid buzzwords and empty phrases when describing the capabilities of the anti-malware product for which I’m responsible at Minerva. It runs alongside other endpoint security tools and blocks all sorts of sneaky malware, regardless whether its payload touches disk. I’m often asked how we handle fileless malware; I decided to perform the research above to better understand how and when I should use this term.

https://www.minerva-labs.com/

 

Link to post
Share on other sites

It can be seen as another form of exploit, yes, however these aren't new and have been around for a while. Any "malware" that uses legitimate Windows files such as PowerShell.exe, cmd.exe, etc. and "live in memory" can be seen as "non-malware attacks". I guess this is because malware means "malicious software", and "software" such as PowerShell aren't malicious, they are legitimate, but they can be used to infect a system.

Link to post
Share on other sites

They're only difficult to detect if the protection being used relies solely on analyzing binaries.  Protections that use behavioral detection/prevention capabilities shouldn't be fooled by these tactics.  I do not know about all of the possible vectors, but I know that at least a good portion of them would set off our exploit protection, thus thwarting the attack.  That said, for ones that strictly use a script file like a .bat or .vbs might not trigger our exploit protection, but tricking a user into manually running one of those isn't so easy these days, especially since, unlike with PE files, you can't change the icons of those filetypes to mislead the user.  I have seen some that will use an exploited document like a PDF or Word doc to download/run such a script, but that in itself would trigger exploit protection as would scripting through a web browser.

Link to post
Share on other sites

here is a rather disturbing report http://www.darkreading.com/vulnerabilities---threats/fileless-malware-takes-2016-by-storm/d/d-id/1327796

 

Quote

Fileless malware is not a revolutionary approach, but 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it. Areport out earlier this month from Carbon Black says that researchers have found that in the last quarter of 2016, there was a 33% rise in severe non-malware attacks compared to first quarter. The firm reported that over a 90-day period, about one-third of organizations are likely to encounter at least one severe fileless attack.

 

https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/

Quote

Non-Malware Attack Example

Non-malware attacks leverage a robust suite of tactics and techniques to penetrate systems and steal data without using malware at all. They have grown in prevalence in recent years as attackers have developed ways to launch these attacks at large scale.

Let’s take a look at an example attack:

Non_Malware_Attack.jpg

  1. A user visits a website using Firefox, perhaps driven there from a cleverly disguised spam message.
  2. On this page, Flash is loaded. Flash  is a common attack vector due to its seemingly never-ending set of vulnerabilities.
  3. Flash invokes PowerShell, an OS tool that exists on every Windows machine, and feeds it instructions through the command line — all operating in memory.
  4. PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker This attack never downloads any malware.
Quote

Streaming Prevention: A New Approach to Endpoint Protection

Streaming prevention offers a fundamentally new approach to identifying and preventing cyberattacks. Current approaches used by legacy AV and machine-learning AV focus exclusively on files and do nothing to target an attacker’s behaviors.

In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels.

Streaming prevention doesn’t just monitor individual events on an endpoint; it monitors and analyzes the relationships among events.

Streaming_Prevention_NGAV_CB.jpg

Sticking with the example above, browsing the web, running Flash and invoking PowerShell are each, in their own right, viable and necessary events, but what about when they appear as a cluster of events? It’s simply not normal behavior and, as such, can be tagged, flagged and automatically shut down by streaming prevention before the attacker can carry out objectives.

_________________________________________________

 

Link to post
Share on other sites

Once again, nothing new here. It's true that there's been more of these infection in the last 2 years or so (since 2015-2016), but decent Anti-Exploit programs (like Malwarebytes and Malwarebytes Anti-Exploit Beta) are able to detect and block these.

Link to post
Share on other sites

If existing tools can mitigate the risks, why so much outcry by the security experts (even Kaspersky, Symantec etc.) on this?.. why endpoint protection is said to be found wanting and the rise in infection of banks/financial crimes as per https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/

Quote

A rash of invisible, fileless malware is infecting banks around the globe

Once the province of nation-sponsored hackers, in-memory malware goes mainstream.

DAN GOODIN - 2/8/2017, 2:31 PM

Quote

Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher. Another trait that makes the infections hard to detect is the use of legitimate and widely used system administrative and security tools—including PowerShell, Metasploit, and Mimikatz—to inject the malware into computer memory.

https://threatpost.com/hard-target-fileless-malware/125054/

Quote

Fileless is The Future

Concerns have triggered numerous warnings from cybersecurity organizations including one in October from the Department of Homeland Security and one in March from the New Jersey Cybersecurity and Communications Integration Cell. The NJCCIC cautioned:

“The NJCCIC assesses with high confidence that fileless and ‘non-malware’ intrusion tactics pose high risk to organizations, both public and private, and will be increasingly employed by capable threat actors intent on stealing data or establishing persistence on networks to support ongoing espionage objectives or to enable future acts of sabotage.”

When it comes to attribution, a number of threat actors’ names are commonly associated with these types of attacks. Cybercriminal and nation-state operations such as Carbanak, Duqu and FIN7 have each been suspected in memory-based malware attacks.

Last month, researchers at Morphisec released a report stating FIN7 was behind several recent incidents. One was a high-profile attack that used fileless malware targeting professionals affiliated with United States Securities and Exchange Commission filings. Kaspersky Lab said attackers who targeted 140 banks and enterprises were likely connected to the GCMAN and Carbanak groups. But, Epstein said, a wide range of less organized and less sophisticated threat actors are now leveraging fileless malware attacks.

Mitigation against these threats will take new tools and a shift in end-user awareness, Brumaghin said. For starters, security experts say disabling the use of PowerShell on networks is a good start. They also recommend monitoring more closely outbound traffic and tracing it back to applications making those requests. If Windows Notepad or Calculator are making network connections, you might have a problem, experts say.

“From the malware author side, we are expecting to see more advanced attacks,” said Mordechai Guri, chief security officer at Morphisec. “We will see more advanced obfuscation, polymorphism and injection techniques, that evade such a potential monitoring and detection.”

 

Link to post
Share on other sites

I have seen many bank ATMs that (when they crash) show that they run XP.  Banks are often slack in their protection, because their upgrades are tens of thousands of computers.  That's not an insignificant amount of resources required.

Link to post
Share on other sites

But protection compromise would only be invitation for more trouble, as businesses bound to suffer what with client compensation that could cripple them and here in this threat scenario, it's not about ATM's but about Banking setup's being hit..(which is the disturbing fact)..

Edited by sman
Link to post
Share on other sites

Quote

why so much outcry by the security experts (even Kaspersky, Symantec etc.) on this?.. why endpoint protection is said to be found wanting and the rise in infection of banks/financial crimes

It's the same thing with Ransomware. Ransomware were already a thing before CryptoLocker, but it took a massive campaign for the world to notice that "new" threat.

Link to post
Share on other sites

Unfortunately many Point Of Sale (POS) systems, bank ATMs and other machines used for financial transactions are still outdated.  I see them all the time still running XP as mentioned above and I still see a few every once in a while still running Windows 2000.

As for why all the noise, look at the majority of major AVs.  The last time I checked, most don't have robust exploit detection/prevention technology.  That's why you still see so many articles about exploits recommending MBAE/Malwarebytes 3 as well as EMET and HitmanPro.Alert because the exploit protection provided by most AVs just isn't cutting it.  They still seem more concerned with detecting binaries and doing well on synthetic tests, which seldom ever test against live/in the wild exploits.

Link to post
Share on other sites

But if it's to do with sticking to XP, why the reports/articles referred hav'nt said so??.. 

Quote

Using Good Tools for Bad Purposes

Attackers can also get more aggressive and turn to other forensic and penetration-testing tools such as Metasploit or Mimikatz, that allow you to either inject code into system memory or read data stored in memory. These open-source tools, along with others such as Lazagne, and Meterpreter, allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary’s control server.

Would like to see the blocking of these exploit kits, to see the effectiveness.. It is not that exploit tools are not embraced by AV's.. Norton , Eset etc. come with exploit protection too (which caused compatibility issues during MBAE testing phase).. 

Link to post
Share on other sites

  • 5 weeks later...

As I pointed that it's not abt. XP being targeted but even other versions as in http://www.removemalwarevirus.com/learn-easy-solution-to-remove-fileless-malware-quickly

 

Quote

nformation About Fileless Malware

Fileless Malware is basically a stubborn Trojan infection that has been reported more enhanced and improved as compared to it's predecessors. Now as from the threat name it simply reflects that this infection do not makes usage of any types of files in carrying out the infection procedure. Being compatible with almost all the versions of Windows OS i.e., Windows XP/Vista/7/8/19, this infection makes it's existence only in the memory instead of that of the compromised system's hard drive. It is scripted directly into the RAM. Moreover this code is invaded into several executing processes including iexplore.exe or javaw.exe, which is further then utilized for the exploit.

So, when Banks are targeted and hit, it is a serious concern on not only abt. Banking dealings but abt vulnerability of systems in general to such attacks ..

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.