Vulnerabilities / Threats

12/27/2016
05:20 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Fileless Malware Takes 2016 By Storm

In-memory attacks are all the rage, creating a growing class of "non-malware."

Malware creators have spent a lot of energy over the years obfuscating the malicious files they drop on infected systems to stay one step ahead of detection mechanisms. This year they're taking their efforts to a new level by dispensing with dropped files altogether. According to security researchers, 2016 saw a surge in attack patterns that had the bad guys taking a fileless approach by executing attacks in memory.

Fileless malware is not a revolutionary approach, but 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it. A report out earlier this month from Carbon Black says that researchers have found that in the last quarter of 2016, there was a 33% rise in severe non-malware attacks compared to first quarter. The firm reported that over a 90-day period, about one-third of organizations are likely to encounter at least one severe fileless attack.

There are a number of ways that the bad guys are able to carry out these attacks, but those most en vogue as we close out the year are ones that take advantage of PowerShell and Windows Management Instrumentation (WMI) to carry out their dirty deeds - both by carrying out one-time attacks and by loading additional malware once a foothold has been established. Carbon Black researchers note that PowerShell and WMI non-malware attacks shot up by 90% in second quarter of 2016 and are at their highest levels as we speak. In fact, they note that reports show that the Democratic National Committee (DNC) hack earlier this year used a fileless attack that leveraged both PowerShell and WMI in order to get a foot into the door of the political party's systems.

High-profile anecdotal stories like this are adding up and security researchers across the board are bringing to light an increasing number of cybercriminal campaigns taking advantage of fileless attacks. Most recent was a report from Proofpoint earlier this month which examined a November attack campaign involving the August malware variant. Proofpoint researchers say attackers were able to use Office documents weaponized with malicious macros that trigger PowerShell to ultimately load August onto the machine as a byte array.

"The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell," Proofpoint's researchers wrote. "All of these factors increase the difficulty of detection, both at the gateway and the endpoint." 

Heading into 2017, most security researchers don't expect this trend to slow down. According to those with Symantec, the industry should get ready for criminals to make the most of these attacks in the coming year. 

"Fileless infections are difficult to detect and often elude intrusion prevention and antivirus programs," says Brian Kenyon, chief strategy officer for Symantec. "This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks. "

 

Related content:

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
12/27/2016 | 7:30:12 PM
RAM is the New(ish) HD
Considering you can run an entire OS from RAM (and other forms of memory/cache) these days, of course memory is the new hard drive.  The idea of dropping malicious code into memory on a system that doesn't shut down or reboot for extended periods of time, and is connected to a larger and important network is an ideal position to be in.

Consider that idea of running an OS in memory.  Imagine cloning a system into memory and then diverting all interfacing data of the parent system through your OS.  Acting as that parent system on a sweet network, much as InfoSec teams might deploy a honeypot to lure hackers in, you can deploy a similar system to lure in real users with critical data you need.  

The point is, memory isn't only for malware/non-malware and InfoSec is going to have to be much more elaborate in their tools to keep all layers of the computing environment clean, from cache, memory and hard drive to hardware ports and network switches. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.