Typical anti-malware software scans hard drives in search of malicious files, and then flags them for removal. That strategy breaks down, though, when there’s no file to find on the system in the first place. And that’s exactly how an increasingly popular type of attack has stymied the defenses of dozens of banks around the world.
So-called fileless malware avoids detection by hiding its payload in secluded spots, like a computer’s random-access memory or kernel, meaning it doesn’t depend on hard drive files to run. The technique first surfaced a couple of years ago, as part of a sophisticated nation-state reconnaissance attack, but has experienced a recent surge in popularity. It’s also not just hitting high-priority targets; research released by Kaspersky Lab on Wednesday found that fileless malware infected more than 140 financial institutions, government organizations, and telecom companies across 40 countries.
Kaspersky itself may not have found it had a bank not come to the security firm after discovering malware running in secret in the memory of one of its domain controllers (a server on a Windows network that handles security authentication queries). The attack was recording system administrator credentials so the hackers could move deeper into the network, gather more privileged credentials, and eventually withdraw money from ATMs.
What makes the attack so insidious is that it inhabits parts of the computer architecture that are difficult for normal users to even navigate to and access, much less interact with. While it’s possible to eliminate the threat, many organizations aren’t even focused on spotting it in the first place yet.
That’s unfortunate, because it’s also seen a dramatic spike in popularity. In a December report, the endpoint security firm Carbon Black found that the rate of fileless malware attacks among its customers had jumped from three percent of the company’s total malware detections at the beginning of 2016 to 13 percent in November.
“I would say this is becoming more of a checkbox for attackers’ toolkits,” says Greg Linares, a security researcher who specializes in threat intelligence and reverse engineering. Just one example: Hackers can use administrative operating system tools, like the Windows PowerShell framework, to covertly deposit the malware into a computer’s RAM. More than 70 percent of the infections Kaspersky detected utilized malicious PowerShell scripts.
With increased use comes increased awareness, though, wareness should hopefully spur companies to take preemptive measures. “Security teams could monitor for the unexpected creation of services on their systems, watch for unexpected tunneling traffic within their network, attempt to observe outbound traffic, and disable the use of PowerShell on their networks if it is unused,” Kurt Baumgartner, a principal security researcher at Kaspersky Lab. It helps to watch activity coming into and out of a network instead of just checking the files stored on it. He emphasizes, though, that even as threats evolve, it’s still crucial to take foundational security precautions, like splitting different portions of a network into subnetworks that are more efficient and easier to defend.
Between fileless malware and the increasing popularity of ransomware it feels like malware has morphed into a new phase. (There’s even fileless ransomware.) That’s not cause for despair, though; it’s just all the more reason to keep up with the evolving landscape, and not rely on outdated tools. And now, looking for intruders where you least expect them.
Post a Comment