Fileless malware targeting US restaurants

tryfon
Thread author
May 13, 2017
Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market.

Malicious code used in so-called fileless attacks resides almost entirely in computer memory, a feat that prevents it from leaving the kinds of traces that are spotted by traditional antivirus scanners. Once the sole province of state-sponsored spies casing the highest value targets, the in-memory techniques are becoming increasingly common in financially motivated hack attacks. They typically make use of commonly used administrative and security-testing tools such as PowerShell, Metasploit, and Mimikatz, which attackers use to feed malicious commands to targeted computers.

FIN7, an established hacking group with ties to the Carbanak Gang, is among the converts to this new technique, researchers from security firm Morphisec reported in a recently published blog post. The dynamic link library file it's using to infect Windows computers in an ongoing attack on US restaurants would normally be detected by just about any AV program if the file was written to a hard drive. But because the file contents are piped into computer memory using PowerShell, the file wasn't visible to any of the 56 most widely used AV programs, according to a VirusTotal query conducted earlier this month.

"FIN7 constantly upgrades their attacks and evasion techniques, thus becoming even more dangerous and unpredictable," Morphisec Vice President of Research and Development Michael Gorelik wrote. "The analysis of this attack shows how easy it is for them to bypass static, dynamic and behavior-based solutions. These attacks pose a severe risk to enterprises."

Anatomy of an infection
To be sure, the attack isn't entirely fileless, since it arrives in a booby-trapped Word document attached to a phishing e-mail. The e-mails are tailored to the person receiving them and contain attachments with names including menu.rtf, Olive Garden.rtf and Chick Fil A Order.rtf. Unlike most other Word-based attacks, however, once the document triggers an infection, the final payload resides only in memory.

The tallest order of the attack is convincing a target to exit Protected View, since Word provides a prominent notice warning of the risks. In the event that the target is tricked into double-clicking on an icon promising to unlock the document contents, however, obfuscated JavaScript copies malicious code into two separate files stored in two separate directories. Then the malicious code in the first file creates a scheduled Windows task that executes the code in the second file one minute later. By breaking the code into two files and delaying the execution, the attack chain bypasses most behavior-analysis protections because the second stage isn't directly triggered by the first stage.

The process then largely repeats, with second-stage JavaScript triggering a first-stage PowerShell process that then performs a second-stage PowerShell process. The latter process injects shellcode that's derived in part using domain name system queries.

"This shellcode iterates over process environment block and looks immediately for dnsapi.dll name (xor 13) and its DnsQueryA function," Gorelik explained. "Basically, FIN7 implemented a shellcode that gets the next stage shellcode using the DNS messaging technique directly from memory. This way they can successfully evade many of the behavior based solutions."

The attack isn't the first to generate PowerShell scripts based on DNS requests. Cisco Systems' Talos Threat Research Group saw something similar in March. FIN7's ongoing campaign against restaurants suggests the technique won't be going away anytime soon.
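The chain this post describes (Word document, JScript hidden in a .txt, a scheduled task that fires a minute later, then hidden PowerShell) is exactly the kind of thing a command-line monitor can correlate, which is the question raised below. The following is an added example written for this thread, not code from the article or from Morphisec: it walks constructed Sysmon-style process-creation records and, because the delayed stage is started by the Task Scheduler rather than by stage 1, links the stages through the .txt path recorded when the task was registered. User name, paths, task name and the -Enc blob are placeholders.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TASK_LAUNCHERS = {"taskeng.exe", "svchost.exe"}   # Task Scheduler starts stage 2, not the stage-1 script
PS_FLAGS = ("-enc", "-e ", "-w hidden", "-nop")

def _exe(path):
    """Lower-cased basename of an image path, for rule matching."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Walk process-creation events in order; return alerts for the chain described in the post."""
    alerts, pending = [], {}   # pending: .txt script registered via schtasks -> pid that registered it
    for ev in events:
        img, parent = _exe(ev["image"]), _exe(ev["parent_image"])
        cmd, pid = ev["cmdline"].lower(), ev["pid"]
        # Stage 1: the object in the document launches a script host on a .txt file.
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            alerts.append({"rule": "office_spawns_script_host", "pid": pid})
        # Stage 2: a task is registered whose action is a script host reading a .txt file.
        if img == "schtasks.exe" and "/create" in cmd:
            m = re.search(r'/tr\s+"([^"]*)"', cmd) or re.search(r"/tr\s+(\S+)", cmd)
            action = m.group(1) if m else ""
            if any(h in action for h in SCRIPT_HOSTS):
                for txt in re.findall(r'[^\s"]+\.txt', action):
                    pending[txt] = pid
                alerts.append({"rule": "schtask_runs_script_from_txt", "pid": pid})
        # Stage 3: the task fires later under the scheduler, so parent/child linking fails;
        # the .txt path recorded at registration time ties the delayed stage back to stage 1.
        if img in SCRIPT_HOSTS and parent in TASK_LAUNCHERS:
            for txt, creator in pending.items():
                if txt in cmd:
                    alerts.append({"rule": "delayed_stage_linked_to_task", "pid": pid,
                                   "registered_by": creator})
        # Stage 4: the script host starts a hidden/encoded PowerShell that stages the in-memory payload.
        if img == "powershell.exe" and parent in SCRIPT_HOSTS and any(f in cmd for f in PS_FLAGS):
            alerts.append({"rule": "script_host_spawns_encoded_powershell", "pid": pid})
    return alerts

# Constructed sample telemetry (not real logs); user, paths, task name and the -Enc blob are placeholders.
SAMPLE_EVENTS = [
    {"pid": 520, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'wscript.exe //E:JScript "C:\Users\bob\AppData\Local\Temp\stage1.txt"'},
    {"pid": 533, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks.exe /Create /SC ONCE /ST 10:31 /TN "Update" '
                r'/TR "wscript.exe //E:JScript C:\Users\bob\AppData\Roaming\stage2.txt"'},
    {"pid": 601, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\taskeng.exe",
     "cmdline": r"wscript.exe //E:JScript C:\Users\bob\AppData\Roaming\stage2.txt"},
    {"pid": 615, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc PLACEHOLDERBASE64=="},
]

def run_sample():
    return detect(SAMPLE_EVENTS)
```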
 

AtlBo
Dec 29, 2014
Looks like this malware would be a good one to test to see which AV/security programs would block it from running. Sounds pretty nasty, but shouldn't anything monitoring PowerShell/command lines do the job?
 

Dean Winchestere
Mar 9, 2017
Okay, I am not a software developer (though I am in the process of learning), so I could be shooting in the dark, but why not have programs, as a requirement of being "certified and signed", include some type of security mechanism that forces them to terminate if there are changes to the code in memory? Such as: each program knows how it will behave, and if it behaves abnormally, alert the user or terminate? Use some kind of method similar to MD5. I know that sounds a bit off, but I hope I am conveying the idea correctly even if I am wrong in how I describe it. I know that programs like AppGuard and VoodooShield help mitigate this.

On another note: wouldn't heuristics be able to compare the behavior of apps over a large cloud of users (like Kaspersky and other vendors) for programs and continuously monitor them as a method of detection? I thought AV does that now; hoping someone who is more into coding could elaborate?

Perhaps we could come up with some knowledge of how to mitigate the threat with the existing AV and security suites available.

In any case, I almost think VoodooShield and AppGuard should now be required for protection even for the standard user, combined with an AV tool like Kaspersky with application control adjusted as per the Kaspersky threads.

As an IT professional, I put at minimum VoodooShield Free alongside the existing AV, even if it's Avast because the user cannot afford anything better.
 

AtlBo
Dec 29, 2014
> Okay, I am not a software developer (though I am in the process of learning), so I could be shooting in the dark, but why not have programs, as a requirement of being "certified and signed", include some type of security mechanism that forces them to terminate if there are changes to the code in memory?

Not sure it would be exactly this, but don't you think things will eventually be this way to some extent? If a certification requires certain standards to be upheld that apply universally to the cert process, there should be even more credibility for applications signed by a genuine cert source. Universal/stringent standards would be a good thing. Nonetheless, I feel like the certification process, as it is, is powerful.

I can kind of see a time in the future where signed programming might all be downloaded from a single source (even if it's not 100% apparent) with independent hash verification on the downloading machine. Honestly, there will still of course be unsigned software, as I feel certain this would be expensive when combined with stringent code requirements, but it would help with attempts to copycat high-pop software or with hacked software like pirated games containing malicious code and so on. Could also be valuable in enforcing piracy laws.
 

Dean Winchestere
Mar 9, 2017
I like your idea. Although it would be a boon in regard to costs, think of Google Play and the fact that Android is (mostly) malware free. Most malware is root exploits or apps not from the Play Store. I understand that obviously mobile is way different from PC/server workstations, but the lines are being blurred so much; would a jump to that model on PCs be all that bad now?

The only bad thing could be giving control to one company (Google, for instance), which could undermine privacy and give governments full control of our digital lives.

Again we trade privacy for security. There is just no winning this war, except by being self-educated and being ahead of the bad guys.

I swear this is like a world war, but in a digital sense. We've got the terrorists (malware), the oppressive governments (backdoors in encryption, control, NSA spying) and then the people (us), who ultimately suffer the most.

When will this ever end? I suppose lawyers exist for a reason, if not for almost the same reason as security analysts. It's a never-ending nightmare.

And now we've got cryptocurrency, Ethereum and Bitcoin etc. Singapore is now using blockchain for their fiat. I foresee some serious new malware coming soon, far worse than what we see now.
 

AtlBo
Dec 29, 2014
> Although it would be a boon in regard to costs, think of Google Play and the fact that Android is (mostly) malware free. Most malware is root exploits or apps not from the Play Store.

Maybe there could be two classifications of certification, such as standard and then enterprise for high-pop applications like MS Office and Adobe products and other big-money software apps. In this case, it seems to me as though proper pressure could be applied to developers of well-known applications to step up and pay the high premium for enterprise certification. Also, a normal verified certification today could still be quite a powerful standard and would surely continue to carry weight. At any rate, maybe this would help with whitelisting and then also add some leverage to security writers. If the PCs of an enterprise could easily be configured to block apps that aren't certified for enterprises, surely it would be very unlikely there would be any issue on a standard PC in a network.

In terms of combining this with centralized hosting and verified local hash comparison, this seems basically unbeatable to me. Very little confusion about what is being downloaded and then the added flexibility of a secondary tier of certification.

> When will this ever end? I suppose lawyers exist for a reason, if not for almost the same reason as security analysts. It's a never-ending nightmare.

Seems like it sometimes. At some point, surely the security providers like Kaspersky, Avast, Emsisoft and so on will see the benefit of working together to defend their collective position. Maybe that could be an impetus for changes along the lines you have mentioned or others such as what I have suggested.
 

soccer97
May 22, 2014
In theory, if the malware is in memory, couldn't the stores shut down everything (literally shut down all terminals and, worst case, power down the server) and unplug them for a few hours during downtime or when the store is closed, if it is a local infection? On reboot, if it resides strictly in RAM, would it be fair to say it would be cleared if everything was rebooted?

I imagine this may be oversimplifying everything.
 

cruelsister
Apr 13, 2013
Soccer- By rebooting the system everything will be then cleared. But the issue that remains is that the malware has already set itself up for pulse persistence by means of Scheduled Tasks- so on reboot the malware will wait for the coded time period (in this case 25 minutes) then re-initiate itself (and it will check that it's still running during a session at this same time period).

The detection trick here is to detect and stop the initial text file (Yes, the initial spawn is JScript code in a txt file). If this is blocked the malware can't do anything further. If it can proceed you are fairly well screwed.
 

Solarquest
Moderator
Jul 22, 2014
> Soccer- By rebooting the system everything will be then cleared. But the issue that remains is that the malware has already set itself up for pulse persistence by means of Scheduled Tasks- so on reboot the malware will wait for the coded time period (in this case 25 minutes) then re-initiate itself (and it will check that it's still running during a session at this same time period).
>
> The detection trick here is to detect and stop the initial text file (Yes, the initial spawn is JScript code in a txt file). If this is blocked the malware can't do anything further. If it can proceed you are fairly well screwed.

Cruelsister, in general, if you know a malware will inject into a specific file in memory, how can you detect this injection and be sure it happened? I hope this is not a "Dr. Watson" question...
Thank you
 

Winter Soldier
Feb 13, 2017
Sometimes these fileless malware samples use already implemented techniques.
In case it's running JavaScript code, it can use a few methods:
The script can be stored in a registry key in an obfuscated way, by running the program "powershell.exe" with, as a parameter, a variable that contains the code to perform certain operations.

For example, the array can be set with machine code instructions by calling the VirtualProtect API and, if the operation is successful, it then creates a thread (CreateThread) where the EntryPoint of the thread is the same array.
If, in the previous case, VirtualProtect fails, it can allocate a memory buffer with VirtualAlloc, copying the array to the allocated buffer and creating a thread (CreateThread) where the entry point points to the memory address of the allocated buffer.
The malware thread can retrieve API addresses like LoadLibrary, GetProcAddress, VirtualAlloc, RegOpenKeyEx and RegQueryValueEx
and, after a series of operations to rebuild the executable file in memory, it can run its code through the call of its EntryPoint.

So fileless samples can use multiple layers of obfuscation (JavaScript, PowerShell, machine code).
 

cruelsister
Apr 13, 2013
Peter- You are 100% correct (except it should be written 100 times). But wouldn't it be nice to use a solution that will catch you when you fall?
 

Solarquest
Moderator
Jul 22, 2014
> Sometimes these fileless malware samples use already implemented techniques.
> In case it's running JavaScript code, it can use a few methods:
> The script can be stored in a registry key in an obfuscated way, by running the program "powershell.exe" with, as a parameter, a variable that contains the code to perform certain operations.
>
> For example, the array can be set with machine code instructions by calling the VirtualProtect API and, if the operation is successful, it then creates a thread (CreateThread) where the EntryPoint of the thread is the same array.
> If, in the previous case, VirtualProtect fails, it can allocate a memory buffer with VirtualAlloc, copying the array to the allocated buffer and creating a thread (CreateThread) where the entry point points to the memory address of the allocated buffer.
> The malware thread can retrieve API addresses like LoadLibrary, GetProcAddress, VirtualAlloc, RegOpenKeyEx and RegQueryValueEx
> and, after a series of operations to rebuild the executable file in memory, it can run its code through the call of its EntryPoint.
>
> So fileless samples can use multiple layers of obfuscation (JavaScript, PowerShell, machine code).

Thank you!

All,

My question was not how to avoid them but how to detect if a file in memory is original or if it was injected/tampered with... e.g., a user could think Process Explorer would help, check the file again on VT via PE and think all is fine, but unfortunately Process Explorer wouldn't help here.
 

Winter Soldier
Feb 13, 2017
> Thank you!
>
> All,
>
> My question was not how to avoid them but how to detect if a file in memory is original or if it was injected/tampered with... e.g., a user could think Process Explorer would help, check the file again on VT via PE and think all is fine, but unfortunately Process Explorer wouldn't help here.
From what I understand in this specific case, and summarizing:

The attack vector is a Word document sent with a phishing email containing an OLE object that initiates the execution of JavaScript code.
At this point the attack begins, by placing additional JavaScript code on the disk, but hidden inside a TXT file. Its execution is delayed through the scheduling of a Windows Task, in order not to hide the link between the two operations and to avoid the antivirus becoming aware of the infection.

The rest of the attack is carried out through code that resides only in memory, using DNS queries as a tool to generate obfuscated PowerShell scripts, hiding their nature.
It seems the code used employs highly effective obfuscation techniques, such as eliminating the MZ prefix in some parts of the shellcode, so the DLL is loaded into memory avoiding the controls of the antivirus.

@Solarquest, seeing the complexity of this malware, I think it is not possible to understand whether a file in memory is original or has been injected, at least according to what I understood.
 

Solarquest
Moderator
Jul 22, 2014
> From what I understand in this specific case, and summarizing:
>
> The attack vector is a Word document sent with a phishing email containing an OLE object that initiates the execution of JavaScript code.
> At this point the attack begins, by placing additional JavaScript code on the disk, but hidden inside a TXT file. Its execution is delayed through the scheduling of a Windows Task, in order not to hide the link between the two operations and to avoid the antivirus becoming aware of the infection.
>
> The rest of the attack is carried out through code that resides only in memory, using DNS queries as a tool to generate obfuscated PowerShell scripts, hiding their nature.
> It seems the code used employs highly effective obfuscation techniques, such as eliminating the MZ prefix in some parts of the shellcode, so the DLL is loaded into memory avoiding the controls of the antivirus.
>
> @Solarquest, seeing the complexity of this malware, I think it is not possible to understand whether a file in memory is original or has been injected, at least according to what I understood.

@Winter Soldier,

If you know in advance a MW injects into a specific file, e.g. explorer.exe or another file, can you find out if it injected it (or if, e.g., the AV really blocked it)?
 

Winter Soldier
Feb 13, 2017
> @Winter Soldier,
>
> If you know in advance a MW injects into a specific file, e.g. explorer.exe or another file, can you find out if it injected it (or if, e.g., the AV really blocked it)?
In a normal scenario you can execute a remote thread from one process in another process, and the remote thread will reside in the virtual address space of the remote process.
You can consider these Windows functions: VirtualAllocEx and WriteProcessMemory.
The first function reserves a memory area within the virtual address space of a specific process, and the second function writes to a memory area of a specified process.
Essentially, just using these functions, you can execute custom code in a remote process (DLL injection), i.e. you can execute custom code inside another process by forcing it to load a DLL.

In this and similar cases, Emsi BB for example will probably detect the code injection attempt, blocking it and indicating the processes in question so you can be aware of that.

But in the case of the fileless sample above, according to the analysis, if you extract the DLL in question before it is modified and post it on VirusTotal, most antivirus engines identify it (correctly) as a CobaltStrike Meterpreter.
Once modified, the DLL doesn't trigger any detection.

Therefore, it is difficult to give a generic answer, in my opinion; the malware type can change the usual assumptions.
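A defender-side triage of the memory regions the two Winter Soldier posts describe (the VirtualProtect/VirtualAlloc plus CreateThread paths, VirtualAllocEx/WriteProcessMemory injection, and the DLL with its MZ prefix removed) and of Solarquest's question about telling an original module from a tampered one. This is an added example written for the thread, not the forum's or any vendor's code: the region records are constructed stand-ins for what VirtualQueryEx and ReadProcessMemory would return, and the disk_code field is an assumed, already-relocated copy of the module's code section read from the file on disk.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
# Section names a PE image still carries after its MZ/PE signatures have been wiped.
SECTION_NAMES = (b".text\x00", b".rdata\x00", b".data\x00", b".reloc\x00", b".rsrc\x00")

@dataclass
class Region:
    base: int
    protect: str                       # page protection as VirtualQueryEx reports it
    mapped_file: Optional[str]         # backing image on disk; None for private (VirtualAlloc) memory
    data: bytes                        # bytes read from the region (ReadProcessMemory)
    disk_code: Optional[bytes] = None  # same bytes from the file on disk, relocations applied (assumed)

def headerless_pe(data: bytes) -> bool:
    """True when the first page has no MZ signature but still shows a PE section table."""
    head = data[:4096]
    return not head.startswith(b"MZ") and sum(name in head for name in SECTION_NAMES) >= 2

def triage(regions: List[Region]) -> List[Tuple[int, str]]:
    """Flag executable regions that do not look like a clean, file-backed module."""
    findings = []
    for r in regions:
        if r.protect not in EXECUTABLE:
            continue  # both the VirtualProtect and the VirtualAlloc path end with executable pages
        if r.mapped_file is None:
            if r.data.startswith(b"MZ"):
                findings.append((r.base, "unbacked_pe_image"))    # DLL mapped by hand, no file on disk
            elif headerless_pe(r.data):
                findings.append((r.base, "headerless_pe_image"))  # MZ prefix removed, as in the analysis
            else:
                findings.append((r.base, "exec_private_region"))  # raw code: array/buffer used as thread entry
        elif r.disk_code is not None and not r.data.startswith(r.disk_code):
            findings.append((r.base, "image_code_modified"))      # in-memory code no longer matches disk
    return findings

# Constructed sample regions (not a real process dump). Mapped entries model a module's code section;
# the hook bytes, addresses and payload bytes are placeholders.
SAMPLE_REGIONS = [
    Region(0x00401000, "PAGE_EXECUTE_READ", r"C:\Windows\explorer.exe",
           b"\x55\x8b\xec\x83\xec\x40" + b"\x90" * 58, disk_code=b"\x55\x8b\xec\x83\xec\x40"),
    Region(0x10001000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\dnsapi.dll",
           b"\xe9\x00\x10\x00\x00" + b"\x90" * 59, disk_code=b"\x55\x8b\xec\x83\xec\x40"),
    Region(0x02A00000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00" + b"\x00" * 60),
    Region(0x03B00000, "PAGE_EXECUTE_READ", None,
           b"\x00" * 64 + b".text\x00\x00\x00" + b"\x00" * 32 + b".rdata\x00\x00" + b"\x00" * 32),
    Region(0x04C00000, "PAGE_EXECUTE_READWRITE", None, b"\x90\x90\xeb\xfe"),
    Region(0x00600000, "PAGE_READWRITE", None, b"ordinary heap data"),
]

def run_sample() -> List[Tuple[int, str]]:
    return triage(SAMPLE_REGIONS)
```

The image_code_modified check is what a file-hash lookup of the module cannot give: it compares the mapped code with the file it claims to come from, rather than scanning the file itself.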
 
