Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/27/2016
05:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Fileless Malware Takes 2016 By Storm

In-memory attacks are all the rage, creating a growing class of "non-malware."

Malware creators have spent a lot of energy over the years obfuscating the malicious files they drop on infected systems to stay one step ahead of detection mechanisms. This year they're taking their efforts to a new level by dispensing with dropped files altogether. According to security researchers, 2016 saw a surge in attack patterns that had the bad guys taking a fileless approach by executing attacks in memory.

Fileless malware is not a revolutionary approach, but 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it. A report out earlier this month from Carbon Black says that researchers have found that in the last quarter of 2016, there was a 33% rise in severe non-malware attacks compared to first quarter. The firm reported that over a 90-day period, about one-third of organizations are likely to encounter at least one severe fileless attack.

There are a number of ways that the bad guys are able to carry out these attacks, but those most en vogue as we close out the year are ones that take advantage of PowerShell and Windows Management Instrumentation (WMI) to carry out their dirty deeds - both by carrying out one-time attacks and by loading additional malware once a foothold has been established. Carbon Black researchers note that PowerShell and WMI non-malware attacks shot up by 90% in second quarter of 2016 and are at their highest levels as we speak. In fact, they note that reports show that the Democratic National Committee (DNC) hack earlier this year used a fileless attack that leveraged both PowerShell and WMI in order to get a foot into the door of the political party's systems.

High-profile anecdotal stories like this are adding up and security researchers across the board are bringing to light an increasing number of cybercriminal campaigns taking advantage of fileless attacks. Most recent was a report from Proofpoint earlier this month which examined a November attack campaign involving the August malware variant. Proofpoint researchers say attackers were able to use Office documents weaponized with malicious macros that trigger PowerShell to ultimately load August onto the machine as a byte array.

"The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell," Proofpoint's researchers wrote. "All of these factors increase the difficulty of detection, both at the gateway and the endpoint." 

Heading into 2017, most security researchers don't expect this trend to slow down. According to those with Symantec, the industry should get ready for criminals to make the most of these attacks in the coming year. 

"Fileless infections are difficult to detect and often elude intrusion prevention and antivirus programs," says Brian Kenyon, chief strategy officer for Symantec. "This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks. "

 

Related content:

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
12/27/2016 | 7:30:12 PM
RAM is the New(ish) HD
Considering you can run an entire OS from RAM (and other forms of memory/cache) these days, of course memory is the new hard drive.  The idea of dropping malicious code into memory on a system that doesn't shut down or reboot for extended periods of time, and is connected to a larger and important network is an ideal position to be in.

Consider that idea of running an OS in memory.  Imagine cloning a system into memory and then diverting all interfacing data of the parent system through your OS.  Acting as that parent system on a sweet network, much as InfoSec teams might deploy a honeypot to lure hackers in, you can deploy a similar system to lure in real users with critical data you need.  

The point is, memory isn't only for malware/non-malware and InfoSec is going to have to be much more elaborate in their tools to keep all layers of the computing environment clean, from cache, memory and hard drive to hardware ports and network switches. 
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20288
PUBLISHED: 2021-04-15
An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associa...
CVE-2021-31229
PUBLISHED: 2021-04-15
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd() performs incorrect memory handling while parsing crafted XML files, which leads to an out-of-bounds write of a one byte constant.
CVE-2021-28548
PUBLISHED: 2021-04-15
Adobe Photoshop versions 21.2.6 (and earlier) and 22.3 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JSX file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploi...
CVE-2021-28549
PUBLISHED: 2021-04-15
Adobe Photoshop versions 21.2.6 (and earlier) and 22.3 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JSX file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploi...
CVE-2021-30209
PUBLISHED: 2021-04-15
Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.