- May 13, 2017
Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market.
Malicious code used in so-called fileless attacks resides almost entirely in computer memory, a feat that prevents it from leaving the kinds of traces that are spotted by traditional antivirus scanners. Once the sole province of state-sponsored spies casing the highest value targets, the in-memory techniques are becoming increasingly common in financially motivated hack attacks. They typically make use of commonly used administrative and security-testing tools such as PowerShell, Metasploit, and Mimikatz, which attackers use to feed malicious commands to targeted computers.
FIN7, an established hacking group with ties to the Carbanak Gang, is among the converts to this new technique, researchers from security firm Morphisec reported in a recently published blog post. The dynamic-link library file it's using to infect Windows computers in an ongoing attack on US restaurants would normally be detected by just about any AV program if the file were written to a hard drive. But because the file contents are piped directly into memory using PowerShell, the file wasn't flagged by any of the 56 most widely used AV programs, according to a VirusTotal query conducted earlier this month.
"FIN7 constantly upgrades their attacks and evasion techniques, thus becoming even more dangerous and unpredictable," Morphisec Vice President of Research and Development Michael Gorelik wrote. "The analysis of this attack shows how easy it is for them to bypass static, dynamic and behavior-based solutions. These attacks pose a severe risk to enterprises."
Anatomy of an infection
To be sure, the attack isn't entirely fileless, since it arrives in a booby-trapped Word document attached to a phishing e-mail. The e-mails are tailored to the person receiving them and contain attachments with names including menu.rtf, Olive Garden.rtf and Chick Fil A Order.rtf. Unlike most other Word-based attacks, however, once the document triggers an infection, the final payload resides only in memory.
The tallest order of the attack is convincing a target to exit Protected View, since Word provides a prominent notice warning of the risks. In the event that the target is tricked into double-clicking on an icon promising to unlock the document contents, however, obfuscated JavaScript copies malicious code into two separate files stored in two separate directories. Then the malicious code in the first file creates a scheduled Windows task that executes the code in the second file one minute later. By breaking the code into two files and delaying the execution, the attack chain bypasses most behavior-analysis protections because the second stage isn't directly triggered by the first stage.
The process then largely repeats, with the second-stage JavaScript launching a first-stage PowerShell process that in turn launches a second-stage PowerShell process. The latter process injects shellcode that is derived in part from domain name system queries.
"This shellcode iterates over the process environment block and looks immediately for the dnsapi.dll name (xor 13) and its DnsQueryA function," Gorelik explained. "Basically, FIN7 implemented a shellcode that gets the next-stage shellcode using the DNS messaging technique directly from memory. This way they can successfully evade many of the behavior-based solutions."
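The staged chain described above (Office document, script host, scheduled task, hidden PowerShell) leaves a process-creation trail even when the final payload never touches disk. The following is an added detection sketch, not code from the article or from Morphisec: it correlates a few constructed, simplified process-creation log lines per host and raises an alert when two or more stages of that chain appear within a short window. The log format, host names and command lines are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed line format: "<iso timestamp> <host> <parent image> -> <child image> <command line>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)\s*(.*)$")

# Constructed sample telemetry (not real data) mirroring the chain in the article.
SAMPLE_LOG = r"""
2017-05-01T10:00:00 pos1 explorer.exe -> WINWORD.EXE "C:\Users\a\menu.rtf"
2017-05-01T10:00:05 pos1 WINWORD.EXE -> wscript.exe C:\Users\a\AppData\Local\Temp\stage1.js
2017-05-01T10:00:06 pos1 wscript.exe -> schtasks.exe /create /tn Update /tr "wscript C:\ProgramData\stage2.js" /sc once /st 10:01
2017-05-01T10:01:00 pos1 svchost.exe -> wscript.exe C:\ProgramData\stage2.js
2017-05-01T10:01:01 pos1 wscript.exe -> powershell.exe -nop -w hidden -enc SQBFAFgA
2017-05-01T10:01:02 pos1 powershell.exe -> powershell.exe -nop -w hidden -c "placeholder"
2017-05-01T10:30:00 pos2 explorer.exe -> WINWORD.EXE "C:\Users\b\report.docx"
2017-05-01T10:31:00 pos2 WINWORD.EXE -> splwow64.exe
"""

def parse(log):
    """Turn log text into (timestamp, host, parent, child, cmdline) tuples."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, parent, child, cmd = m.groups()
            events.append((datetime.fromisoformat(ts), host, parent.lower(), child.lower(), cmd))
    return events

def classify(parent, child, cmd):
    """Map one process-creation event to the chain stage it resembles, or None."""
    c = cmd.lower()
    if parent in OFFICE and child in SCRIPT_HOSTS:
        return "office->script_host"
    if parent in SCRIPT_HOSTS and child == "schtasks.exe" and "/create" in c:
        return "script_host->schtasks_create"
    if parent in SCRIPT_HOSTS and child == "powershell.exe" and ("-enc" in c or "hidden" in c):
        return "script_host->hidden_powershell"
    return None

def correlate(events, window_minutes=5):
    """Return {host: sorted stages} for hosts with >= 2 distinct stages inside the window."""
    per_host = defaultdict(list)
    for ts, host, parent, child, cmd in events:
        stage = classify(parent, child, cmd)
        if stage:
            per_host[host].append((ts, stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(stages) >= 2:
                alerts[host] = sorted(stages)
                break
    return alerts

def detect(log=SAMPLE_LOG):
    return correlate(parse(log))
```

A single stage (an Office app spawning a script host, say) is common enough in benign environments to be noisy on its own; the one-minute delay the article describes is why the correlation uses a window rather than a direct parent-child relationship.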
The attack isn't the first to generate PowerShell scripts based on DNS requests. Cisco Systems' Talos Threat Research Group saw something similar in March. FIN7's ongoing campaign against restaurants suggests the technique won't be going away anytime soon.