Vulnerabilities / Threats

12/27/2016
05:20 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Fileless Malware Takes 2016 By Storm

In-memory attacks are all the rage, creating a growing class of "non-malware."

Malware creators have spent a lot of energy over the years obfuscating the malicious files they drop on infected systems to stay one step ahead of detection mechanisms. This year they're taking their efforts to a new level by dispensing with dropped files altogether. According to security researchers, 2016 saw a surge in attack patterns that had the bad guys taking a fileless approach by executing attacks in memory.

Fileless malware is not a revolutionary approach, but 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it. A report out earlier this month from Carbon Black says that researchers have found that in the last quarter of 2016, there was a 33% rise in severe non-malware attacks compared to first quarter. The firm reported that over a 90-day period, about one-third of organizations are likely to encounter at least one severe fileless attack.

There are a number of ways that the bad guys are able to carry out these attacks, but those most en vogue as we close out the year are ones that take advantage of PowerShell and Windows Management Instrumentation (WMI) to carry out their dirty deeds - both by carrying out one-time attacks and by loading additional malware once a foothold has been established. Carbon Black researchers note that PowerShell and WMI non-malware attacks shot up by 90% in second quarter of 2016 and are at their highest levels as we speak. In fact, they note that reports show that the Democratic National Committee (DNC) hack earlier this year used a fileless attack that leveraged both PowerShell and WMI in order to get a foot into the door of the political party's systems.

High-profile anecdotal stories like this are adding up and security researchers across the board are bringing to light an increasing number of cybercriminal campaigns taking advantage of fileless attacks. Most recent was a report from Proofpoint earlier this month which examined a November attack campaign involving the August malware variant. Proofpoint researchers say attackers were able to use Office documents weaponized with malicious macros that trigger PowerShell to ultimately load August onto the machine as a byte array.

"The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell," Proofpoint's researchers wrote. "All of these factors increase the difficulty of detection, both at the gateway and the endpoint." 

Heading into 2017, most security researchers don't expect this trend to slow down. According to those with Symantec, the industry should get ready for criminals to make the most of these attacks in the coming year. 

"Fileless infections are difficult to detect and often elude intrusion prevention and antivirus programs," says Brian Kenyon, chief strategy officer for Symantec. "This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks. "

 

Related content:

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
12/27/2016 | 7:30:12 PM
RAM is the New(ish) HD
Considering you can run an entire OS from RAM (and other forms of memory/cache) these days, of course memory is the new hard drive.  The idea of dropping malicious code into memory on a system that doesn't shut down or reboot for extended periods of time, and is connected to a larger and important network is an ideal position to be in.

Consider that idea of running an OS in memory.  Imagine cloning a system into memory and then diverting all interfacing data of the parent system through your OS.  Acting as that parent system on a sweet network, much as InfoSec teams might deploy a honeypot to lure hackers in, you can deploy a similar system to lure in real users with critical data you need.  

The point is, memory isn't only for malware/non-malware and InfoSec is going to have to be much more elaborate in their tools to keep all layers of the computing environment clean, from cache, memory and hard drive to hardware ports and network switches. 
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5780
PUBLISHED: 2019-02-19
Insufficient restrictions on what can be done with Apple Events in Google Chrome on macOS prior to 72.0.3626.81 allowed a local attacker to execute JavaScript via Apple Events.
CVE-2019-5781
PUBLISHED: 2019-02-19
Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
CVE-2019-5782
PUBLISHED: 2019-02-19
Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2019-5783
PUBLISHED: 2019-02-19
Missing URI encoding of untrusted input in DevTools in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform a Dangling Markup Injection attack via a crafted HTML page.
CVE-2019-5766
PUBLISHED: 2019-02-19
Incorrect handling of origin taint checking in Canvas in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page.