Vulnerabilities / Threats

2/14/2018
10:30 AM
Itay Glick
Itay Glick
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Fileless Malware: Not Just a Threat, but a Super-Threat

Exploits are getting more sophisticated by the day, and cybersecurity technology just isn't keeping up.

It's almost like something out of Star Trek. Imagine an alien who can see you, but whom you can't see — one who has violence on his/her/its mind. A punch coming from out of nowhere; a vase flung at your head with no one seemingly throwing it; a punch to the gut, then a karate chop to the neck, maybe a blast from an (also invisible) ray gun, and you're down for the count. How would you fight it? How could you fight it?

Those invisible aliens may not have landed on earth just yet, but invisible malware — called fileless malware or in-memory malware — is wreaking havoc and bringing intergalactic war-style destruction to IT systems the world over. Like an invisible alien, fileless malware can strike from multiple directions, without victims even being aware they were targeted, until it's too late. Fileless malware — in which hackers call malware routines remotely and load them into memory in order to compromise or steal data — is not new, but hackers increasingly have turned to that type of attack. According to McAfee, fileless threats with PowerShell malware grew by 119% in the third quarter of 2017 alone, and they have been such a rousing success that hackers plan to greatly expand their use this year, security experts are convinced.

But fileless malware is just one of numerous threats and attacks that are now in vogue; 2018 could see more and more challenging cyberattacks, experts believe. With cryptocurrencies so popular now, hackers have begun using botnets to create the computing power needed to mine coins. AI has helped hackers develop more effective social engineering messages, "weaponizing" big data and AI to convince hapless victims to open spear-phishing messages more frequently by matching the message with the personality of the recipient. And botnets that control infected devices, commanding them to infect even more devices — a "swarm effect" — will allow hackers to grow their networks of compromised devices and systems exponentially.

Add to all that the major security risks that come in the form of the Meltdown and Spectre exploits, which affect almost every person and organization that uses a computer, smartphone, tablet, or any other device, and you have the makings of what could be the most challenging year ever for cybersecurity. Attacks are likely to come fast and furious from all directions — and there's little doubt that these new attacks, like fileless malware, will overwhelm any existing cybersecurity protocols.

Let's take a closer look at fileless malware. How would an IT team fight it? Fileless malware actually does come in the form of a file — but it's an innocuous file that for all the world looks like a legitimate Word or Excel file. It has no malware features that antivirus systems could catalog and blacklist; it has no suspicious profile that a sandbox could analyze and ban for improper behavior. All it contains is a link that, once clicked, allows for the remote loading into memory of remote malware, enabling macros that call the malware and install it via a PowerShell script.

The macro itself contains a link that is activated when the macro is activated, meaning that the macro will pop up and ask the user to click on a link. The macro calls this link remotely only when it is loaded into memory, so there is no suspicion of a security problem when the file itself passes through the sandbox. There is nothing for it to inspect. That, in fact, is exactly what South Korean researchers discovered in December, as they examined email messages that contained documents that loaded and installed malware in this manner.

Options Are Few
There is no way the current crop of cybersecurity systems — be they antivirus systems, sandboxes, or anything else — could possibly identify those files as a malware scam. The best they can do is allow documents only from verified sources (websites, email addresses) — but even that is no sure-fire guarantee; who's to say that the sender hasn't been compromised without his knowledge?

What's left? Closing off the Internet altogether? Hand-vetting each and every file, document, link, or anything else that comes to the organization? Both those ideas, obviously, are impractical. The only solution is a system that can see "inside" these files — evaluating the file, the macro inside, and determining if it's safe to send the file through as is. Even better would be if the system could remove the offending macros, and then passing on a clean version to users, who would be able to use the file without fear.

The bottom line is that in order to pull off an exploit, hackers have to be able to deliver their wares in some form — even in a "fileless" form. If there's one thing that won't be different about this year, it's that, like last year and 10 years ago, hackers must have a hook on which to hang their exploit hats. Those exploits are getting more sophisticated by the day — and cybersecurity technology is just not keeping up. There's only one way to confront and beat invisible aliens — using X-ray specs that let the wearer see exactly what she is up against. Where are the X-ray specs that will reveal the specialized tricks hackers are successfully using nowadays? That's a question we need to answer — and soon.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Itay brings to Votiro more than 15 years of executive management experience in cybersecurity at global technology companies based in the U.S., Europe, and Asia. Prior to co-founding Votiro, he played a key role in managing the development of equipment for the lawful ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.