Cybercrime and significant breaches have plagued various sectors in the past 5 years in financial, retail, healthcare, entertainment, and government. For many, 2016 will go down as the year that computer hackers affected the outcome of the US presidential election.
A less known cybercrime in 2016 that surged in popularity is one where criminals use a fileless malware approach to attack a computer’s memory instead of a hard drive. In the last quarter of 2016, security firm, Carbon Black, reported a rise of 33% in severe non-malware (fileless) attacks. In an interview with chief strategy officer for Symantec, Brian Kenyon, says “fileless infections are difficult to detect and often elude intrusion prevention and antivirus programs.” Fileless malware attacks are expected to rise in popularity in 2017, especially in financial institutions.
What is malware?
Malware or malicious software is harmful or disruptive software that accesses a user’s computer or device. This is traditionally how attacks occur. Types of malware include spyware, adware, phishing, viruses, trojan horses, worms, rootkits and ransomware. Malware infects devices through the Internet and via email. The remedy involves using a malware removal tool or getting help from professionals. Malware can often be detected and resolved by isolating and removing infected files.
What is non-malware?
According Carbon Black, a non-malware attack occurs when an attacker uses existing software, approved applications and authorized protocols to carry out malicious activities. Non-malware attacks can gain control of computers without downloading any malicious files. Other names for non-malware attacks are fileless, memory-based or “living-off-the-land” attacks. Fileless malware is a variant of malicious software because it exists in a computer’s memory (e.g. in RAM) and does not write to any part of a computer’s files.
Non-malware attacks allow the thief to take control of vulnerable software that a user would use every day (e.g. like Web browsers, Office-suite apps). Attackers can also gain access to operating system tools like PowerShell or Windows Management Instrumentation – WMI. These tools give them overarching rights and privileges to carry out commands across the network and steal valuable data.
Examples of non-malware attacks
The security firm, Kaspersky Lab recently discovered fileless malware infected more than 140 financial, telecom and government organizations in 40 countries. The problem with this type of malware is that it resides in the computer architecture that users do not see or have access to. Many organizations are unaware how to search or spot such attacks. In one case, attackers without a bank’s knowledge used legitimate tools like Meterpreter, to transfer $200 payments per minute to a money-mule account.
Security firm, Carbon Black, highlights a simple example of a non-malware attack.
1) A user visits a website with Firefox.
2) On the website, the Flash software is loaded.
3) Flash invokes PowerShell, an operating system tool that is part of every Windows computer. It sends instructions by commands that resides in memory.
4) PowerShell connects to a stealth command and control server. It downloads a malicious PowerShell script. The script or code hides in memory and invisibly steals passwords and other sensitive data from system administrators. This information is sent to the attacker. At no point is malware downloaded to the infected computer.
Attackers then obtain passwords using standard utilities like Microsoft’s command-line scripting utility NETSH. The tool sends compromised passwords from the victim’s computer to the attacker’s command and control server. At this stage, the attacker gains remote access to the computers. Since the non-malware attack resides in RAM, when a victim’s computer is rebooted, all traces of an attack disappear. This makes it difficult to detect, investigate who and where the attack originated.
Detection and Prevention
Gartner security analyst Avivah Litan in an interview says fileless malware attacks are becoming more common and evade most of the endpoint protection and detection tools available on the market. Litan advises organizations take the following steps to prevent or detect fileless malware attacks.
1. Patch systems often to avoid common vulnerabilities
2. Limit the use of system administrative tools like Microsoft PowerShell to a few endpoint computers and users. Access to such tools should be based on reasonable need.
3. Invest in products from reputable companies that are adding protection against in-memory attacks. Industry leaders like Symantec, Trend and McAfee are adding protection against fileless malware.
4. Use application controls on endpoint computers. This ensures that only an organization’s approved applications will be used.
2017 is expected to see a jump in fileless malware attacks globally. Criminals are targeting financial institutions because detection and protection remain difficult. IT professionals in organizations and cyber security firms will need to be vigilant and work closely to block such attacks.