Friday, October 18, 2019

Fileless malware

  • a new breed of malicious operations utilizing inherent features built into Windows that allow a clever hacker to turn the operating system against itself and compromise entire networks without needing a single piece of software to be installed.
There are two different tools that hackers are beginning to utilize as a foundation for fileless malware: Windows Management Instrumentation and Powershell

The same way an admin uses WMI to query metrics and execute code, a hacker can use it to run malicious code across an entire network of machines. This can be done silently, instantly, and is undetectable by standard anti-virus as an undesired action.
WMI cannot be uninstalled, it can only be disabled

This allows attackers to easily hide by dropping Base64 scrambled or encrypted code directly into Powershell, automatically decoding it and running it from memory

What makes Powershell even scarier as a tool for hackers is that it can be run remotely through WinRM, legitimately, allowing attackers to instantly punch a hole through the Windows Firewall on that compromised endpoint. if WinRM is turned off it can be turned on remotely through WMI using a single line of code. Because Powershell is an inherent part of Windows, it is completely trusted by the machine, ignored by antivirus software and other defense mechanisms. All the attacker needs is access to the machine, which can be achieved using WMI as shown above
http://www.cybereason.com/fileless-malware-an-evolving-threat-on-the-horizon

  • In-Memory Malware is Difficult to Detect

Fileless malware, is reaping a great benefit for hackers and cyber-criminals and great risk for your business. Fileless infections are exactly what they seem to be: malware or virus infections that don’t use any files in the processThe malware is written directly into the physical memory (or RAM) and is capable of eluding most detection technologies such as desktop firewalls and anti-virus programs.
https://digitalguardian.com/solutions/use-case/memory-forensics

  • fileless infection (fileless malware) is malicious coding that exists only in memory rather than installed to the target computer's hard drive.
A tactic we have spotted would be using fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in the target computer’s hard drive. POWELIKS is an example of fileless malware that is able to hide its malicious code in the Windows Registry. These use a conventional malware file to add the entries with its malicious code in the registry.
http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/


  • FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS

Unlike file-based attacks, fileless malware does not leverage traditional executable files. Fileless attacks abuses tools that are built-in to the operating system to carry out attacks. Essentially, Windows is turned against itself.
Without an executable, there is no signature for antivirus software to detect. This is part of what makes fileless attacks so dangerous - they are able to easily evade antivirus products. 
Fileless attacks use a technique called  living-off-the-land. Living-off-the-land is when attackers use legitimate tools for malicious purposes
The abused, legitimate tools are known as LOLBins, and can include Microsoft Office Macros, PowerShell, WMI, and many more system tools. 

HOW DOES FILELESS MALWARE WORK?
Fileless malware leverages trusted, legitimate processes (LOLBins) running on the operating system to perform malicious activities like 
lateral movement, 
privilege escalation, 
evasion, 
reconnaissance, 
and the delivery of payloads.

REASONS TO USE FILELESS MALWARE IN AN ATTACK
Stealthy: Fileless malware uses legitimate tools, which means it is almost impossible to blocklist the tools used in a fileless attack.
Living-off-the-land: The legitimate tools used for fileless malware are installed by default. The attacker does not need to create or install any custom tools to use them.
Trusted and Frequented: These tools are frequently used and trusted. It is not unusual to see the tools used in fileless malware running in an enterprise environment for a legitimate purpose.

LOLBINS LEVERAGED BY FILELESS MALWARE

POWERSHELL
PowerShell is a cross-platform, open source task automation and configuration management framework created by Microsoft. 
sThe PowerShell framework, based on .NET, is made up of a command-line shell and scripting language. PowerShell gives full access to many Windows system functions, including WMI and component object model (COM) objects, as well as management features for the Microsoft Exchange server and others. Further, it is able to execute payloads directly from memory, which is what enables attackers to leverage it for fileless malware.

WINDOWS MANAGEMENT INSTRUMENTATION (WMI)
Windows Management Instrumentation (WMI) is a Microsoft standard for accessing management information about devices in an enterprise environment
WHAT IS WMI LEGITIMATELY USED FOR?
WMI is all about the management of Windows devices on a network. It can give you information about the status of local or remote machines, and can be used to configure security settings like system properties, user groups, scheduling processes, or disabling error logging. WMI is valuable to administrators that need to easily manage all machines on the network - a task that happens regularly in an enterprise.

.NET FRAMEWORK
.NET is an open source framework, or set of generic, commonly used and editable functionality, made by Microsoft. It has two main components that developers use together to create applications: the Common Language Runtime and the .NET Framework Class Library. 

MACROS
In Microsoft Office, Macros are used to automate frequent tasks. They are typically created in Word documents or Excel spreadsheets as a series of commands grouped together to complete a task automatically. Many macros are made using Visual Basic for Applications and can be written by anyone, including software developer
WHY USE MACROS FOR FILELESS ATTACKS?
Using macros for fileless attacks is convenient, because they can easily be combined with phishing campaigns and social engineering techniques to trick a user



WHY IS DETECTION AND PREVENTION OF FILELESS MALWARE CHALLENGING?
Fileless malware depends on tools that are part of the daily workflow of enterprise professionals. Attackers know they can rely on a set of tools that are pre-installed on every Windows machine and are vital for the daily operations of the enterprise. Fileless malware also decreases the number of files on disk, which means signature-based prevention and detection methods will not be able to identify them. This makes it incredibly difficult for an analyst or security product to identify whether the tool is being used for malicious purposes or normal, day-to-day actions. Analysts must have an intimate understanding of their environment to be able to identify LOLBins at work.
https://www.cybereason.com/blog/fileless-malware

  • What is Fileless Malware?

Fileless malware is a type of malicious software that uses legitimate programs to infect a computer.
It does not rely on files and leaves no footprint, making it challenging to detect and remove.
it just means that fileless attacks are often undetectable by antivirus, whitelisting, and other traditional endpoint security solutions.
Fileless attacks fall into the broader category of low-observable characteristics (LOC) attacks, a type of stealth attack that evades detection by most security solutions and frustrates forensic analysis efforts.
While not considered a traditional virus, fileless malware does work in a similar way—it operates in memory.
Without being stored in a file or installed directly on a machine, fileless infections go straight into memory and the malicious content never touches the hard drive.

How does a fileless attack happen?
Fileless attacks fall into the broader category of low-observable characteristics (LOC) attacks, a type of stealth attack that evades detection by most security solutions and frustrates forensic analysis efforts. While not considered a traditional virus, fileless malware does work in a similar way—it operates in memory. Without being stored in a file or installed directly on a machine, fileless infections go straight into memory and the malicious content never touches the hard drive. Many LOC attacks take advantage of Microsoft Windows PowerShell, a legitimate and useful tool used by administrators for task automation and configuration management. PowerShell consists of a command-line shell and associated scripting language, providing adversaries with access to just about everything and anything in Windows.

fileless attacks often use social engineering to get users to click on a link or an attachment in a phishing email. Fileless attacks are typically used for lateral movement, meaning they make their way from one device to the next with the objective of gaining access rights to valuable data across the enterprise network. To avoid suspicion, fileless malware gets into the inner recesses of trusted, whitelisted applications (like PowerShell and Windows script host executables such as wscript.exe and cscript.exe) or the operating system to initiate malicious processes. These attacks abuse the trust model used by security applications to not monitor whitelisted programs.

How can you defend against fileless attacks?
Microsoft has also upgraded its Windows Defender package to detect irregular activity from PowerShell.
The real key to successfully counteracting fileless attacks is an integrated approach that addresses the entire threat lifecycle. By having a multi-layered defense, you gain an advantage over attackers by being able to investigate every phase of a campaign before, during, and after an attack.

Two things are especially important:
The ability to see and measure what’s happening: discovering the techniques used by the attack, monitoring activities in PowerShell or other scripting engines, accessing aggregated threat data, and gaining visibility into user activities.
The ability to control the state of the targeted system: halting arbitrary processes, remediating processes that are part of the attack, and isolating infected devices.

Endpoint hardening:
defenses like vulnerability assessment, exploit/memory protection, desktop firewall, and URL filtering.
Machine learning:
security analytic solutions using advanced, adaptive, and state-of-the-art machine learning, deep learning, and artificial intelligence techniques.
Application containment:
whitelisting solution that blocks unauthorized applications and code from running on servers, desktops, and fixed-function devices.
Behavior monitoring:
Understanding user behavior analytics (UBA) helps you identify threats hidden among your data, allowing you to increase security operations accuracy while shortening investigation timelines.Rather than focusing exclusively on users or entities,  a combination of anomaly detection and customized rules, along with other intelligent and advanced correlation models.
Interactive threat hunting:
tool that automatically and proactively investigates and responds to abnormal behavior on endpoints and searches for fileless attack footholds
Single-console centralized management:
a unified platform that provides control, visibility, reporting, and actionable dashboards across hundreds and even thousands of nodes enterprise-wide.
Integration with partner technologies:

protection against specific types of fileless threats

Fileless threat: Reflective self injection:
Reflective loading refers to loading a portable executable (PE) from memory rather than from disk. A crafted function/script can reflectively load portable executable without getting registered as a loaded module in the process and hence can perform actions without leaving footprints. PowerShell is one of the most widely used applications to execute these crafted scripts. This event indicates a fileless attack where a PowerShell script tries to inject a PE into the PowerShell process itself.
Fileless threat: Reflective EXE self injection:
This event indicates a fileless attack where a PowerShell script tries to inject an EXE into the PowerShell process itself.
Fileless threat: Reflective DLL remote injection:
This event indicates a fileless attack where a PowerShell script tried to inject a DLL into a remote process.
Fileless threat: Malicious code execution using DotNetToJScript technique:
This event indicates an attempt to execute malicious shellcode using the DotNetToJScript technique, which is used by prevalent fileless attacks like CACTUSTORCH. DotNetToJScript attack vectors allow loading and execution of malicious .NET assembly (DLL, EXE, etc.) straight from memory with the help of .NET libraries exposed via COM. Just like any other typical fileless attack technique, DotNetToJScript does not write any part of the malicious .NET DLL or EXE in the computer's hard drive.

https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html




No comments:

Post a Comment