- Jul 22, 2014
The future of client-side malware attacks is fileless. And it would appear the future has arrived with a growing number of attacks using fileless or in-memory malware to pose a threat to business that’s increasingly difficult to neutralize.
“There has been an unequivocal uptick in the use of fileless malware as a threat vector,” said Kevin Epstein, vice president of threat operations at Proofpoint. “We have seen more fileless malware since the beginning of 2017 than we saw in all of 2016 and 2015 combined.”
As the name suggests, fileless malware infects targeted computers leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools. During the past year, fileless attacks have been on the rise, and by Proofpoint’s estimates, pose a larger risk to businesses than commodity malware attacks. Epstein said fileless attacks will soon overtake traditional write-to-disk attacks if they haven’t already.
The technique, in which attackers hide their activities in a computer’s random-access memory and use native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new. Advanced adversaries were first spotted using fileless malware in sophisticated attacks several years ago (PDF). But since then, there has been a steady rise in the number of attacks, according to experts.
Last June, fileless attacks were suspected in the hack of the Democratic National Committee as a way to penetrate computer systems, according to Carbon Black. Earlier this year, Kaspersky Lab researchers reported cybercriminals used fileless, memory-based malware to carry out attacks on nearly 140 enterprises worldwide. And just over the last few months there have been reports of dozens of fileless malware attacks.
Conventional malware isn’t going anywhere anytime soon, said Edmund Brumaghin, threat researcher with Cisco Talos. But, he said, the increase in fileless attacks isn’t seeing a corresponding response on the defensive side because only a minority of organizations are running memory-analysis tools. “From the perspective of an attacker, that’s opportunity to take advantage of while they still can,” Brumaghin said.
No Files Left Behind
.....
Fileless is The Future
Concerns have triggered numerous warnings from cybersecurity organizations including one in October from the Department of Homeland Security and one in March from the New Jersey Cybersecurity and Communications Integration Cell. The NJCCIC cautioned:
“The NJCCIC assesses with high confidence that fileless and ‘non-malware’ intrusion tactics pose high risk to organizations, both public and private, and will be increasingly employed by capable threat actors intent on stealing data or establishing persistence on networks to support ongoing espionage objectives or to enable future acts of sabotage.”
When it comes to attribution, a number of threat actors’ names are commonly associated with these types of attacks. Cybercriminal and nation-state operations such as Carbanak, Duqu and FIN7 have each been suspected in memory-based malware attacks.
Last month, researchers at Morphisec released a report stating FIN7 was behind several recent incidents. One was a high-profile attack that used fileless malware targeting professionals affiliated with United States Securities and Exchange Commission filings. Kaspersky Lab said attackers who targeted 140 banks and enterprises were likely connected to the GCMAN and Carbanak groups. But, Epstein said, a wide range of less organized and less sophisticated threat actors are now leveraging fileless malware attacks.
Mitigation against these threats will take new tools and a shift in end-user awareness, Brumaghin said. For starters, security experts say disabling the use of PowerShell on networks is a good start. They also recommend monitoring outbound traffic more closely and tracing it back to the applications making those requests. If Windows Notepad or Calculator are making network connections, you might have a problem, experts say.
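The "trace outbound traffic back to the application" advice above translates directly into a detection rule over process-to-network telemetry. The following is an added example, not code from the article or from any of the vendors quoted in it: it runs over a handful of constructed records shaped like Sysmon network-connection events (Event ID 3, process image plus destination), flags connections from applications that never need a socket (Notepad, Calculator) and from the native script hosts the article names (PowerShell, WMI), and then correlates the flagged processes by destination so that several unrelated programs talking to the same external host stand out. Field names, process lists and sample values are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (Event ID 3: a process
# opened a network connection). These records are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2017-06-01T10:00:01Z", "image": "C:\\Windows\\System32\\notepad.exe",
     "pid": 4120, "dst_ip": "203.0.113.25", "dst_port": 443},
    {"ts": "2017-06-01T10:00:02Z", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "pid": 2200, "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": "2017-06-01T10:00:05Z",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "pid": 5310, "dst_ip": "203.0.113.25", "dst_port": 8080},
    {"ts": "2017-06-01T10:00:09Z", "image": "C:\\Windows\\System32\\calc.exe",
     "pid": 6004, "dst_ip": "203.0.113.25", "dst_port": 80},
    {"ts": "2017-06-01T10:00:12Z", "image": "C:\\Windows\\System32\\svchost.exe",
     "pid": 900, "dst_ip": "192.0.2.10", "dst_port": 443},
]

# Applications that have no legitimate reason to open an outbound socket.
# (Assumed list; extend it from your own baseline of what normally talks out.)
NO_NETWORK_BINARIES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# Native Windows tooling the article names as the vehicle for fileless activity.
# Network connections from these are not automatically malicious, but they are
# reviewed rather than assumed benign.
NATIVE_SCRIPT_HOSTS = {"powershell.exe", "powershell_ise.exe", "wmic.exe"}


def basename(image: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a severity-tagged verdict for one connection event, or None."""
    name = basename(event["image"])
    if name in NO_NETWORK_BINARIES:
        return "HIGH: non-network application opened a connection"
    if name in NATIVE_SCRIPT_HOSTS:
        return "MEDIUM: native script host opened a connection"
    return None


def find_alerts(events):
    """Run classify() over every event and keep the ones that fire."""
    alerts = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        alerts.append({
            "ts": ev["ts"],
            "process": basename(ev["image"]),
            "pid": ev["pid"],
            "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}',
            "verdict": verdict,
        })
    return alerts


def shared_destinations(alerts):
    """Map each destination IP contacted by two or more distinct flagged
    processes to the sorted list of those process names. Several unrelated
    programs reaching the same external host is a stronger signal than any
    single flagged connection."""
    by_ip = defaultdict(set)
    for a in alerts:
        ip = a["dst"].rsplit(":", 1)[0]
        by_ip[ip].add(a["process"])
    return {ip: sorted(procs) for ip, procs in by_ip.items() if len(procs) >= 2}


if __name__ == "__main__":
    hits = find_alerts(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["process"]}[{h["pid"]}] -> {h["dst"]}  {h["verdict"]}')
    for ip, procs in shared_destinations(hits).items():
        print(f"shared destination {ip} contacted by: {', '.join(procs)}")
```

On the constructed input the rule fires three times (Notepad, PowerShell and Calculator) and the correlation step singles out 203.0.113.25 as a host reached by all three. In production the same logic would read Sysmon or EDR events from a log pipeline rather than an inline list, and the application allow/deny lists would come from a baseline of the environment's normal outbound behaviour.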
“From the malware author side, we are expecting to see more advanced attacks,” said Mordechai Guri, chief security officer at Morphisec. “We will see more advanced obfuscation, polymorphism and injection techniques that evade such potential monitoring and detection.”