Vulnerabilities / Threats

2/14/2018
10:30 AM
Itay Glick
Itay Glick
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Fileless Malware: Not Just a Threat, but a Super-Threat

Exploits are getting more sophisticated by the day, and cybersecurity technology just isn't keeping up.

It's almost like something out of Star Trek. Imagine an alien who can see you, but whom you can't see — one who has violence on his/her/its mind. A punch coming from out of nowhere; a vase flung at your head with no one seemingly throwing it; a punch to the gut, then a karate chop to the neck, maybe a blast from an (also invisible) ray gun, and you're down for the count. How would you fight it? How could you fight it?

Those invisible aliens may not have landed on earth just yet, but invisible malware — called fileless malware or in-memory malware — is wreaking havoc and bringing intergalactic war-style destruction to IT systems the world over. Like an invisible alien, fileless malware can strike from multiple directions, without victims even being aware they were targeted, until it's too late. Fileless malware — in which hackers call malware routines remotely and load them into memory in order to compromise or steal data — is not new, but hackers increasingly have turned to that type of attack. According to McAfee, fileless threats with PowerShell malware grew by 119% in the third quarter of 2017 alone, and they have been such a rousing success that hackers plan to greatly expand their use this year, security experts are convinced.

But fileless malware is just one of numerous threats and attacks that are now in vogue; 2018 could see more and more challenging cyberattacks, experts believe. With cryptocurrencies so popular now, hackers have begun using botnets to create the computing power needed to mine coins. AI has helped hackers develop more effective social engineering messages, "weaponizing" big data and AI to convince hapless victims to open spear-phishing messages more frequently by matching the message with the personality of the recipient. And botnets that control infected devices, commanding them to infect even more devices — a "swarm effect" — will allow hackers to grow their networks of compromised devices and systems exponentially.

Add to all that the major security risks that come in the form of the Meltdown and Spectre exploits, which affect almost every person and organization that uses a computer, smartphone, tablet, or any other device, and you have the makings of what could be the most challenging year ever for cybersecurity. Attacks are likely to come fast and furious from all directions — and there's little doubt that these new attacks, like fileless malware, will overwhelm any existing cybersecurity protocols.

Let's take a closer look at fileless malware. How would an IT team fight it? Fileless malware actually does come in the form of a file — but it's an innocuous file that for all the world looks like a legitimate Word or Excel file. It has no malware features that antivirus systems could catalog and blacklist; it has no suspicious profile that a sandbox could analyze and ban for improper behavior. All it contains is a link that, once clicked, allows for the remote loading into memory of remote malware, enabling macros that call the malware and install it via a PowerShell script.

The macro itself contains a link that is activated when the macro is activated, meaning that the macro will pop up and ask the user to click on a link. The macro calls this link remotely only when it is loaded into memory, so there is no suspicion of a security problem when the file itself passes through the sandbox. There is nothing for it to inspect. That, in fact, is exactly what South Korean researchers discovered in December, as they examined email messages that contained documents that loaded and installed malware in this manner.

Options Are Few
There is no way the current crop of cybersecurity systems — be they antivirus systems, sandboxes, or anything else — could possibly identify those files as a malware scam. The best they can do is allow documents only from verified sources (websites, email addresses) — but even that is no sure-fire guarantee; who's to say that the sender hasn't been compromised without his knowledge?

What's left? Closing off the Internet altogether? Hand-vetting each and every file, document, link, or anything else that comes to the organization? Both those ideas, obviously, are impractical. The only solution is a system that can see "inside" these files — evaluating the file, the macro inside, and determining if it's safe to send the file through as is. Even better would be if the system could remove the offending macros, and then passing on a clean version to users, who would be able to use the file without fear.

The bottom line is that in order to pull off an exploit, hackers have to be able to deliver their wares in some form — even in a "fileless" form. If there's one thing that won't be different about this year, it's that, like last year and 10 years ago, hackers must have a hook on which to hang their exploit hats. Those exploits are getting more sophisticated by the day — and cybersecurity technology is just not keeping up. There's only one way to confront and beat invisible aliens — using X-ray specs that let the wearer see exactly what she is up against. Where are the X-ray specs that will reveal the specialized tricks hackers are successfully using nowadays? That's a question we need to answer — and soon.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Itay brings to Votiro more than 15 years of executive management experience in cybersecurity at global technology companies based in the U.S., Europe, and Asia. Prior to co-founding Votiro, he played a key role in managing the development of equipment for the lawful ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9276
PUBLISHED: 2019-01-16
SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could be reset by using an...
CVE-2015-9277
PUBLISHED: 2019-01-16
MailEnable before 8.60 allows Directory Traversal for reading the messages of other users, uploading files, and deleting files because "/../" and "/.. /" are mishandled.
CVE-2015-9278
PUBLISHED: 2019-01-16
MailEnable before 8.60 allows Privilege Escalation because admin accounts could be created as a consequence of %0A mishandling in AUTH.TAB after a password-change request.
CVE-2015-9279
PUBLISHED: 2019-01-16
MailEnable before 8.60 allows Stored XSS via malformed use of "<img/src" with no ">" character in the body of an e-mail message.
CVE-2015-9280
PUBLISHED: 2019-01-16
MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.