
Thread: 'File-Less' Cyber Malware

  Post #1 by Hervé (Brittany, France), 11th February 2017

    'File-Less' Cyber Malware

    New Invisible 'File-Less' Cyber Malware Poses 'Unique Worldwide Threat'

    Tech 18:50 11.02.2017


    A new invisible type of malware, similar to what has previously been seen only in nation-sponsored cyberattacks, is infecting enterprises around the globe. This is according to the latest research made by Russian Cybersecurity Company - Kaspersky Lab. Radio Sputnik discussed the issue with Sergey Golovanov, Principal Security Researcher at the Lab.

    “It is a really unique attack because it poses a worldwide threat. The trick with this file-less attack is that they do not need any executable file to run it on the computer. When you double click on it, it copies the file from the hard drive to the memory,” Golovanov said.

    He further said that in this case the attackers are able to run the code directly to the memory through networks, so they don’t touch anything on the hard drive. The forensic analysis of the hard drive shows nothing. Talking about how they found this virus, Golovanov said that they had to use very hard and unique techniques to find it.
    “Once we had a phone call from one of our customers, it’s a really big bank and they asked us for help because they had some suspicions. So we planned a business trip, went to the bank and started to capture memory from the big network and finally found the malware,” he said.

    “When we started to extract the hard drive from the computer, we found nothing. For us it was a mystery, like what the hell is going on here?” Golovanov said.
    Other banks also started complaining about this issue and after a long period of decoding the team finally found the problem.

    “We are still not sure how these attacks started and who the first victim of these attacks was,” the expert said.

    Talking about what exactly this new malware does, Golovanov said that it extracts the passwords directly from the memory of the computer.

    “Furthermore, depending on the structure of the network they can do whatever they want. If it is a big enterprise then it can extract documents, files and presentations,” the expert said.

    He further spoke about how the attackers were using a technique called tunneling, which involves digging special tunnels inside the networks. Hence, whole transactions and all of the actions of the attackers were completely invisible to security measures. Looking at what the ultimate end game in this situation is, Golovanov said that one bank has already lost a huge sum of money because of this attack. The other targets of this attack were the telecom companies because the attackers need “clean computers to hide their activities.”

    Talking about whether governments are at risk at the moment, the expert said that, “It is hard to tell because right now we are not able to attribute this attack to any group or any known criminal attackers. We don’t know who is behind it at the moment,” the expert concluded.

    The so-called in-memory malware is primarily known for its ability to disappear after being installed on a server, making it almost impossible to detect.

    Previously, hackers used it primarily to steal money from bank accounts. However, Kaspersky’s recent study shows that over 140 institutions worldwide have been infected with the invisible virus.


    "Reality is a dream that we bring in to land" San Antonio AKA F. Dard

    Troll-hood motto: Never, ever, however, whatsoever, to anyone, a point concede.


  Post #2 by uzn, 11th February 2017

    Re: 'File-Less' Cyber Malware

    During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack is the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH”.

    Description

    This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab’s product detection names for such kinds of threat are MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally it was discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.

    Conclusions

    Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately the use of common tools combined with different tricks makes detection very hard.

    In fact, detection of this attack would be possible in RAM, network and registry only. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

    After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.

    Further details of these attacks and their objectives will be presented at the Security Analyst Summit, to be held on St. Maarten from 2 to 6 April, 2017.

    Source:
    https://securelist.com/blog/research...rise-networks/

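    Added example, not code from the Securelist report or from anyone in this thread: a read-only PowerShell triage pass over the three places the quoted report says this activity is visible (services registered with "sc", scripts kept in the registry, and "netsh" tunnels). Assumptions: it is run in an elevated PowerShell on the host under review, and the regex heuristics and the autorun keys it checks are my choices, not Kaspersky's published indicators.

```powershell
# Added example, not code from the Securelist report or from this thread: a read-only
# triage pass over the three places the quoted report says this activity is visible
# (services registered with "sc", scripts stored in the registry, and "netsh" tunnels).
# Assumptions: run in an elevated PowerShell on the host under review; the regex
# heuristics and the autorun keys checked are my choices, not Kaspersky's indicators.

$Findings = [System.Collections.Generic.List[object]]::new()
# Typical traits of a PowerShell one-liner launched by a service or autorun entry.
$Suspicious = '(?i)powershell|-enc(odedcommand)?\s|-e\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|-nop\b|FromBase64String|Invoke-Expression|\bIEX\b'

# 1. Services whose ImagePath launches PowerShell rather than a binary on disk.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.ImagePath -and ([string]$_.ImagePath) -match $Suspicious } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{ Source = 'Service'; Name = $_.PSChildName; Detail = [string]$_.ImagePath })
    }

# 2. Autorun values that are either script-like or large enough to hold an embedded payload
#    (the report describes PowerShell scripts kept in the registry instead of on disk).
$AutorunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($Key in $AutorunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Prop in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $Value = [string]$Prop.Value
        if ($Value -match $Suspicious -or $Value.Length -gt 1024) {
            $Findings.Add([pscustomobject]@{ Source = 'Registry'; Name = "$Key\$($Prop.Name)"; Detail = $Value.Substring(0, [Math]::Min(120, $Value.Length)) })
        }
    }
}

# 3. netsh port-proxy rules: a listener forwarding to another host is the tunnelling
#    primitive the report describes, and a workstation or domain controller rarely needs one.
$ProxyLines = netsh interface portproxy show v4tov4 2>$null
$ProxyLines | Where-Object { $_ -match '^\s*\S+\s+\d+\s+\S+\s+\d+\s*$' } | ForEach-Object {
    $Findings.Add([pscustomobject]@{ Source = 'NetshPortProxy'; Name = 'v4tov4'; Detail = $_.Trim() })
}

if ($Findings.Count -gt 0) { $Findings | Format-Table -AutoSize -Wrap }
else { 'No findings for these heuristics; memory and network captures are still needed.' }
```

    A hit from any of the three sections is a lead to follow with a memory capture and network review, not a verdict on its own; legitimate management software can also register PowerShell-based services.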

  Post #3 by Anchor (NSW, Australia), 11th February 2017

    Re: 'File-Less' Cyber Malware

    The OP is a bit light on detail - but the malware is certainly real.

    The malware does use the hard disk at the start, but erases itself once installed in memory - it is vulnerable to detection at this point and that is how we catch these kinds of infections where I work.

    If it only persists in memory, then it will only stay present on computers that are not restarted that often - such as servers.

    Servers are more protected from this kind of attack since no one in their right mind (if security is important to them) should be using an internet browser on them in the first place, and they should otherwise be locked down tight from a security perspective.
    Last edited by Anchor; 11th February 2017 at 23:43.
    -- Let the truth be known by all, let the truth be known by all, let the truth be known by all --


  Post #4 by Hervé (Brittany, France), 12th February 2017

    Re: 'File-Less' Cyber Malware

    Quote posted by Anchor:
        The OP is a bit light on detail - but the malware is certainly real.
        [...]

    Check the link provided by uzn above: https://securelist.com/blog/research...rise-networks/
    "Reality is a dream that we bring in to land" San Antonio AKA F. Dard

    Troll-hood motto: Never, ever, however, whatsoever, to anyone, a point concede.


  Post #5 by Anchor (NSW, Australia), 12th February 2017

    Re: 'File-Less' Cyber Malware

    Quote posted by Hervé:
        Quote posted by Anchor:
            The OP is a bit light on detail - but the malware is certainly real.
            [...]
        Check the link provided by uzn above: https://securelist.com/blog/research...rise-networks/

    Thanks, I read that now.

    I'm amazed they think this targets banks.

    Banks employing best practice security would not really have that much trouble with this.

    Here in Australia, when you are a bank, basic competence in IT infrastructure and security is actually a regulatory requirement.
    -- Let the truth be known by all, let the truth be known by all, let the truth be known by all --

