Cyber Threats & the Increase In Fileless Malware
The InfoSec Consulting Series #16
By Jay Pope
As the name implies, Fileless infections don’t entail files being written or downloaded and executed in the affected machine’s local disks. Instead, they are executed in the system’s memory, or reside in the system’s registry for persistence. In a typical fileless infection, payloads can be injected into the memory of an existing application/software, or by running scripts within a whitelisted application such as PowerShell.
Even if they aren’t file-based (or executable) threats, we know they’re out in the wild due to their notoriety as a technique in targeted attacks. Tell-tale signs of fileless infection are network traces, like command-and-control (C&C) connections, and other malicious code artefacts left behind in the affected machine. Fileless threats, unfortunately, are also readily available in public project repositories, and even in the cybercriminal underground as a product (or service). Fileless infections are also a staple feature in exploit kits such as Angler. For example, the cybercriminal group Lurk used a fileless infection to steal more than $45 million from financial institutions using their own exploit kit.
Malicious PowerShell scripts are a key ingredient to many fileless malware. Windows PowerShell is a built-in tool based on the .NET framework comprising a command-line shell, an interface that lets users access services of the operating system (OS), and a programming language that can be used to create scripts. PowerShell is designed to automate system administration tasks, such as view all USB devices, drives, and services installed in the system, schedule a series of commands and set it in the background, or terminate processes (like Task Manager). PowerShell is also designed to enable administrators to seamlessly manage the configurations of systems and servers as well as the software or services and the environments they run on.
And like any potent tool, PowerShell’s capabilities have drawn the attention of cybercriminals. We’ve already seen how PowerShell was abused—from the Poweliks Trojan downloader that emerged in 2014, the information stealer FAREIT, and banking malware VAWTRAK to ransomware families such as PowerWare and Cerber version 6. Many fileless malware embed malicious PowerShell scripts whose commands are often the ones responsible for downloading and launching or executing the payload.
Why are Attackers Using Powershell?
Abusing PowerShell heightens the risks of exposing systems to a plethora of threats such as ransomware, fileless malware, and malicious code memory injections. This can be exacerbated with:
Scale and scope. PowerShell is a built-in feature in Windows XP and later versions of Windows’ operating systems (OS). Last year, it also became an open-source, cross-platform framework that can be run on Linux.
- Legitimate use. PowerShell is not inherently malicious and is, in fact, a legitimate tool. Its use and abuse can blur the line between it being used to maliciously hack or infect a system, or to accomplish IT/system administration tasks;
- Accessibility. PowerShell scripts are relatively easy to write and run (and learn) for many IT/system administrators, information security professionals, penetration testers, and black hat hackers;
- PowerShell scripts aren’t just easy to write; PowerShell’s flexibility, along with the availability of third-party modules, makes it relatively simple to obfuscate them;
- Capability. PowerShell can virtually access a considerable range of Application Program Interfaces (APIs) to execute important functions such as VirtualAlloc, VirtualProtect, and CreateThread, all of which can be abused by attackers;
PowerShell is restricted by default to mitigate its abuse. Specific PowerShell commands can be executed, for instance, but script files are prevented from running. That doesn’t seem to be putting off hackers though. We have seen several PowerShell script-toting malware employ techniques to bypass PowerShell’s default execution policy, such as running the malicious code as a command line argument.
The Increase in Fileless Malware
How common are fileless, PowerShell script-toting malware becoming? Trend Micro identified over 78,600 malspams, or malware delivered via spam email (detected as W2KM_POWMET and POWLOAD), affecting enterprises from January to February 2017. Both are macro malware downloaders that leverage malicious PowerShell scripts to deliver the payload to the affected system. During the first quarter of 2017, Trend Micro’s sensors were able to monitor PowerShell-related attacks on more than 12,000 unique machines.
In November 2016, attacks employing fileless malware reportedly increased by 13%. In the last quarter of 2016, fileless malware-related attacks surged by 33% compared to the first quarter. Given PowerShell’s popularity among IT/system administrators and its ubiquity in Microsoft operating systems, fileless threats and PowerShell abuse will only continue to gain traction throughout this year as cybercriminals hone their tactics and techniques to better evade traditional security solutions.
Security Measures & Administrator Challenges
There is no silver bullet when it comes to fileless malware, and organisations should practice defence in depth, where multi-layered safeguards are placed to reduce exposure and mitigate damage. But apart from cultivating a security-aware workforce, what actionable countermeasures can organisations do?
Here are some best practices that can help mitigate fileless threats:
1. Apply the latest patches and keep the systems updated. Fileless attacks are known to exploit vulnerabilities in whitelisted applications (which mean they’ve been permitted to run in the system). This allows attackers to embed and execute their malicious scripts or codes by piggybacking on the privileges of the application. A robust patch management policy that balances business productivity and security is recommended. Virtual patching and vulnerability protection mechanisms can also be deployed to shield systems and networks from unknown vulnerabilities, even without a patch.
2. Adopt best practices for securing and using PowerShell. PowerShell has its own logging capability that can be used to further scrutinize suspicious or malicious behaviour within a system. Microsoft also has best practices on how to use PowerShell in operational or cloud environments, or hardening systems via PowerShell commands (i.e. execution policies or setting PowerShell to ConstrainedLanguageMode).
3. IT/system administrators and information security professionals can also consider listing triggers for detection, which can be based on commands known to be used by malicious PowerShell scripts. Threat actors, for instance, often use the “^” symbol to obfuscate their command prompt parameters when invoking PowerShell
- Other triggers for PowerShell script scans that can be considered are:
- Using sensitive PowerShell command-line arguments, such as: ExecutionPolicy Bypass, -Exec Bypass, -ep bypass, -EncodedCommand, -enc
- PowerShell command-line arguments that can be used for aggressive detection, such as: -NonInteractive, -NonI, -NoLogo, -NoProfile, -NoP, -WindowStyle Hidden, -w Hidden
- PowerShell parent processes such as: wscript, MS Office program
- Powershell command-line arguments characteristics like Entropy and Length
- A code snapshot of macro malware that uses “^” for command shell obfuscation
4. Implement the principle of least privilege. Exposure to threats can be further reduced by only granting enough access or privilege for a user to accomplish his task, or an application to be run. This limits the risks and even actual damage that can result from exploits or unauthorised use;
5. Deploy behaviour monitoring mechanisms. Fileless attacks misuse tools like PowerShell to bypass the system’s restrictions. Since fileless malware aren’t written in the disk, they can bypass traditional security solutions that depend on files to detect threats. Mechanisms like application control, where applications are prevented from executing, offer little or limited help in this regard. Additionally, PowerShell is a legitimate tool regularly used by IT/system administrators and information security professionals, so it cannot just be easily blocked by application control. This can be mitigated by deploying a behaviour monitoring mechanism on the endpoint, which helps prevent and limit data leakage and malware infection by monitoring and blocking malicious behaviours and routines associated with malware, as well as unusual modifications to the OS or software/applications, including PowerShell. A good behaviour monitoring system not only looks into an application’s behaviours, but also anomalies in the process chain, like how Explorer launches Command Prompt to invoke a malicious PowerShell script;
6. Enable a custom sandbox. Fileless Trojan downloaders and macro malware typically utilise PowerShell scripts and shellcode to deliver their payloads. IT/system administrators can contain them in a sandbox—a controlled, virtual environment where suspicious files are quarantined for further analysis. The sandbox must be configured to mirror the actual system’s configuration to better identify how a suspicious file would affect the system. A sandbox that can analyse the various routines and behaviours of the malware can help identify the obfuscation or evasion tactics that these threats use;
7. Secure possible points of entry. Fileless malware attack vectors are known to be spam email, malicious websites/URLs, especially if it uses an exploit kit, and vulnerable third-party components like browser plug-ins. Securing these points of entry significantly reduces the system’s exposure to these threats and even stops this malware from getting into the system in the first place. Securing the email gateway and adopting best practices that mitigate email-based threats are recommended. Security mechanisms that can filter and categorise malicious URLs add an extra layer of protection against web-based, fileless threats;
8. Disable unnecessary components. A fileless attack can also come in the form of exploits in vulnerable third-party components like browser plug-ins, or even tools like PowerShell itself. Disabling unneeded or outdated components limit the ways an attacker can breach a system or network. The same restrictions should be applied for tools like PowerShell, which is typically only used by IT/system administrators;
9. Proactively monitor your systems and networks. Fileless, information-stealing malware, for instance, have malicious code that can indicate command and control communications to the attacker’s servers. Employing firewalls as well as intrusion detection and prevention systems will help deter incursion or data exfiltration attempts. This can be complemented by a security mechanism that can actively monitor inbound and outbound network traffic for any suspicious behaviour;
While fileless malware attacks aren’t as visible compared to traditional malware, they can still leave behind indicators of compromise such as code artefacts. IT/system administrators must regularly keep logs and record system activities, whether in applications, registry, and system or network events, and ensure they are safe from modification. Not only do they aid in incident response and remediation; these logs also help security researchers better understand the threat.
In the face of this fast-moving threat landscape, what steps can security management take? It’s important to determine what information the business holds – in terms of personal information, GDPR requires you to do this anyway – but also which systems are crucial to operating and generating profits.
Once you know what needs protecting, you can start to look at cyber security strategy. How are systems protected and how is that protection tested? Are levels of spending on cyber security adequate? Does the business have the appropriate skills in-house or is it reliant on a third-party service provider? How exposed are you to the public cloud and what’s the policy on shadow IT and allowing staff to use their own devices?
It’s important to look beyond the boundaries of the organisation too. Digital transformation projects have brought about increasing levels of integration between suppliers and customer systems. You may be confident that your data is safe on your systems, but can you say the same of the third-parties you’re sharing it with? Do you have appropriate flow down of security obligations in your third-party contracts and SLAs?
You then need to consider how you would respond if a breach occurred. Again, GDPR rears its head as it imposes certain obligations, but the business response needs to go beyond that. It’s crucial to recognise that a data breach is not solely an IT problem. It has implications for PR, legal, HR and other areas – indeed it could impact the entire business. This, in turn, feeds into disaster planning, which is no longer just about the risk of power outages of floods. Businesses are also increasingly looking at insuring themselves against the risks posed by a major cyber-attack.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.