“There has been an unequivocal uptick in the use of fileless malware as a threat vector,” said Kevin Epstein, vice president of threat operations at Proofpoint. “We have seen more fileless malware since the beginning of 2017 than we saw in all of 2016 and 2015 combined.”
As the name suggests, fileless malware infects targeted computers leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools. During the past year, fileless attacks have been on the rise, and by Proofpoint’s estimates, pose a larger risk to businesses than commodity malware attacks. Epstein said fileless attacks will soon overtake traditional write-to-disk attacks if they haven’t already.
The technique, where attackers hide their activities in a computer’s random-access memory and use a native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new. Sophisticated attacks advanced adversaries were first spotted using fileless malware several years ago (PDF). But since then, there has been a steady rise in the numbers of attacks, according to experts.
Last June, fileless attacks were suspected in the hack the Democratic National Committee as a way to penetrate computer systems, according to Carbon Black. Earlier this year, Kasperky Lab researchers reported cybercriminals used fileless, memory-based malware to carry out attacks on nearly 140 enterprises worldwide. And just over the last few months there have been reports of dozens of fileless malware attacks.
Conventional malware isn’t going anywhere anytime soon, said Edmund Brumaghin, threat researcher with Cisco Talos. But he said, the increase in fileless attacks isn’t seeing a corresponding response on the defensive side because only a minority of organizations are running memory-analysis tools. “From the perspective of an attacker, that’s opportunity to take advantage of while they still can,” Brumaghin said.
No Files Left Behind
The way fileless malware works is an adversary first needs to run code in the targeted system’s random-access memory. Attackers accomplish this in a number of different ways such as exploiting vulnerabilities in browsers and associated programs (Java, Flash or PDF readers), or via a phishing attack that entices a victim to click on an attachment.
“There are binary holes and human holes. But the most common entry point we have seen for fileless malware is an email with an attached file. Or human gullibility,” Epstein said.
In fileless malware attack scenarios, no files are dropped on the targeted system. Rather code runs in the computer’s memory and calls on programs already on Windows systems such as PowerShell and Windows Management Instrumentation (WMI). Using these programs, attackers gain a foothold on systems to carry out a quick theft of data (usually application credentials found in memory), or establish a persistence on a machine by leaving a backdoor connection to a remote command and control server. Once in, an attacker can stay hidden in memory as it can traverses from one process to another looking for new opportunities and places to hide.
However, these type of attacks have one big drawback: When the application is closed or system is turned off, the in-memory attack ends.
To work around those limitations, attackers often will traverse from one application to another. And in some cases, PowerShell will be used to open an application such as Notepad or Calculator in the background, hidden from the user, so it can run in one of those application’s memory footprint. Another means of gaining persistence is by loading a PowerShell script that instructs the targeted computer to reconnect to the attacker’s command and control each time the PC started. However, tampering with the Windows registry is a technique that increases an attacker’s likelihood in being detected.
Using Good Tools for Bad Purposes
Attackers can also get more aggressive and turn to other forensic and penetration-testing tools such as Metasploit or Mimikatz, that allow you to either inject code into system memory or read data stored in memory. These open-source tools, along with others such as Lazagne, and Meterpreter, allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary’s control server.
Metasploit is a penetration testing tool but it is also used by adversaries to access computers by exploiting vulnerabilities in browsers and gaining access to application memory to run code. Mimikatz is used as a tool for extracting data from an application’s memory. It can be used to access the memory of the running Local Security Authority Subsystem Service process to learn security-related information from memory such as passwords, PINs and Kerberos tickets.
Cisco’s Brumaghin said attacks are growing in sophistication and using new tools, making it difficult to spot in-memory attacks. In an attack investigated by Cisco Talos in March called DNSMessenger, attackers used PowerShell and WMI together to leverage DNS TXT record queries and responses as a mechanism for providing an attacker with a backdoor for command and control communications to an infected PC.
The DNSMessenger infection chain began with a rigged Word document sent to recipients who were encouraged to “enable content.” If enabled, the document launches a Visual Basic for Applications macro that opens the initial PowerShell command that ultimately leads to the multistage attack and the eventual installing of a remote access Trojan. The DNSMessenger malware infection technique used DNS TXT messaging capabilities to request and fetch malicious PowerShell commands stored remotely as DNS TXT records.
Some memory-based malware attacks are fully fileless and are used to deliver a Meterpreter session directly to memory to steal credentials and other data, researchers said. Sometimes an in-memory attack is used to launch a Remote Desktop Session using tools already on the targeted system. In other cases, malware such as the password-stealer LaZagne Project or another Python executable have been delivered and executed via a fileless attack.
Fileless is The Future
Concerns have triggered numerous warnings from cybersecurity organizations including one in October from the Department of Homeland Security and one in March from the New Jersey Cybersecurity and Communications Integration Cell. The NJCCIC cautioned:
“The NJCCIC assesses with high confidence that fileless and ‘non-malware’ intrusion tactics pose high risk to organizations, both public and private, and will be increasingly employed by capable threat actors intent on stealing data or establishing persistence on networks to support ongoing espionage objectives or to enable future acts of sabotage.”
When it comes to attribution, a number of threat actors’ names are commonly associated with these types of attacks. Cybercriminal and nation-state operations such as Carbanak, Duqu and FIN7 have each been suspected in memory-based malware attacks.
Last month, researchers at Morphisec released a report stating FIN7 was behind several recent incidents. One was a high-profile attack that used fileless malware targeting professionals affiliated with United States Securities and Exchange Commission filings. Kaspersky Lab said attackers who targeted 140 banks and enterprises were likely connected to the GCMAN and Carbanak groups. But, Epstein said, a wide range of less organized and less sophisticated threat actors are now leveraging fileless malware attacks.
Mitigation against these threats will take new tools and a shift in end-user awareness, Brumaghin said. For starters, security experts say disabling the use of PowerShell on networks is a good start. They also recommend monitoring more closely outbound traffic and tracing it back to applications making those requests. If Windows Notepad or Calculator are making network connections, you might have a problem, experts say.
“From the malware author side, we are expecting to see more advanced attacks,” said Mordechai Guri, chief security officer at Morphisec. “We will see more advanced obfuscation, polymorphism and injection techniques, that evade such a potential monitoring and detection.”