Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/27/2016
05:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Fileless Malware Takes 2016 By Storm

In-memory attacks are all the rage, creating a growing class of "non-malware."

Malware creators have spent a lot of energy over the years obfuscating the malicious files they drop on infected systems to stay one step ahead of detection mechanisms. This year they're taking their efforts to a new level by dispensing with dropped files altogether. According to security researchers, 2016 saw a surge in attack patterns that had the bad guys taking a fileless approach by executing attacks in memory.

Fileless malware is not a revolutionary approach, but 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it. A report out earlier this month from Carbon Black says that researchers have found that in the last quarter of 2016, there was a 33% rise in severe non-malware attacks compared to first quarter. The firm reported that over a 90-day period, about one-third of organizations are likely to encounter at least one severe fileless attack.

There are a number of ways that the bad guys are able to carry out these attacks, but those most en vogue as we close out the year are ones that take advantage of PowerShell and Windows Management Instrumentation (WMI) to carry out their dirty deeds - both by carrying out one-time attacks and by loading additional malware once a foothold has been established. Carbon Black researchers note that PowerShell and WMI non-malware attacks shot up by 90% in second quarter of 2016 and are at their highest levels as we speak. In fact, they note that reports show that the Democratic National Committee (DNC) hack earlier this year used a fileless attack that leveraged both PowerShell and WMI in order to get a foot into the door of the political party's systems.

High-profile anecdotal stories like this are adding up and security researchers across the board are bringing to light an increasing number of cybercriminal campaigns taking advantage of fileless attacks. Most recent was a report from Proofpoint earlier this month which examined a November attack campaign involving the August malware variant. Proofpoint researchers say attackers were able to use Office documents weaponized with malicious macros that trigger PowerShell to ultimately load August onto the machine as a byte array.

"The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell," Proofpoint's researchers wrote. "All of these factors increase the difficulty of detection, both at the gateway and the endpoint." 

Heading into 2017, most security researchers don't expect this trend to slow down. According to those with Symantec, the industry should get ready for criminals to make the most of these attacks in the coming year. 

"Fileless infections are difficult to detect and often elude intrusion prevention and antivirus programs," says Brian Kenyon, chief strategy officer for Symantec. "This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks. "

 

Related content:

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
12/27/2016 | 7:30:12 PM
RAM is the New(ish) HD
Considering you can run an entire OS from RAM (and other forms of memory/cache) these days, of course memory is the new hard drive.  The idea of dropping malicious code into memory on a system that doesn't shut down or reboot for extended periods of time, and is connected to a larger and important network is an ideal position to be in.

Consider that idea of running an OS in memory.  Imagine cloning a system into memory and then diverting all interfacing data of the parent system through your OS.  Acting as that parent system on a sweet network, much as InfoSec teams might deploy a honeypot to lure hackers in, you can deploy a similar system to lure in real users with critical data you need.  

The point is, memory isn't only for malware/non-malware and InfoSec is going to have to be much more elaborate in their tools to keep all layers of the computing environment clean, from cache, memory and hard drive to hardware ports and network switches. 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.