Vulnerabilities / Threats

12/27/2016
05:20 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Fileless Malware Takes 2016 By Storm

In-memory attacks are all the rage, creating a growing class of "non-malware."

Malware creators have spent a lot of energy over the years obfuscating the malicious files they drop on infected systems to stay one step ahead of detection mechanisms. This year they're taking their efforts to a new level by dispensing with dropped files altogether. According to security researchers, 2016 saw a surge in attack patterns that had the bad guys taking a fileless approach by executing attacks in memory.

Fileless malware is not a revolutionary approach, but 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it. A report out earlier this month from Carbon Black says that researchers have found that in the last quarter of 2016, there was a 33% rise in severe non-malware attacks compared to first quarter. The firm reported that over a 90-day period, about one-third of organizations are likely to encounter at least one severe fileless attack.

There are a number of ways that the bad guys are able to carry out these attacks, but those most en vogue as we close out the year are ones that take advantage of PowerShell and Windows Management Instrumentation (WMI) to carry out their dirty deeds - both by carrying out one-time attacks and by loading additional malware once a foothold has been established. Carbon Black researchers note that PowerShell and WMI non-malware attacks shot up by 90% in second quarter of 2016 and are at their highest levels as we speak. In fact, they note that reports show that the Democratic National Committee (DNC) hack earlier this year used a fileless attack that leveraged both PowerShell and WMI in order to get a foot into the door of the political party's systems.

High-profile anecdotal stories like this are adding up and security researchers across the board are bringing to light an increasing number of cybercriminal campaigns taking advantage of fileless attacks. Most recent was a report from Proofpoint earlier this month which examined a November attack campaign involving the August malware variant. Proofpoint researchers say attackers were able to use Office documents weaponized with malicious macros that trigger PowerShell to ultimately load August onto the machine as a byte array.

"The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell," Proofpoint's researchers wrote. "All of these factors increase the difficulty of detection, both at the gateway and the endpoint." 

Heading into 2017, most security researchers don't expect this trend to slow down. According to those with Symantec, the industry should get ready for criminals to make the most of these attacks in the coming year. 

"Fileless infections are difficult to detect and often elude intrusion prevention and antivirus programs," says Brian Kenyon, chief strategy officer for Symantec. "This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks. "

 

Related content:

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
12/27/2016 | 7:30:12 PM
RAM is the New(ish) HD
Considering you can run an entire OS from RAM (and other forms of memory/cache) these days, of course memory is the new hard drive.  The idea of dropping malicious code into memory on a system that doesn't shut down or reboot for extended periods of time, and is connected to a larger and important network is an ideal position to be in.

Consider that idea of running an OS in memory.  Imagine cloning a system into memory and then diverting all interfacing data of the parent system through your OS.  Acting as that parent system on a sweet network, much as InfoSec teams might deploy a honeypot to lure hackers in, you can deploy a similar system to lure in real users with critical data you need.  

The point is, memory isn't only for malware/non-malware and InfoSec is going to have to be much more elaborate in their tools to keep all layers of the computing environment clean, from cache, memory and hard drive to hardware ports and network switches. 
Cloud Security's Shared Responsibility Is Foggy
Ben Johnson, Co-founder and CTO, Obsidian Security,  9/14/2017
To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.