2018-08-05

Fileless malware penetrates conventional virus detection

Definition

Many traditional security systems are based on detecting malware files, but if there is no malware file involved, these systems are rendered useless, making attacks very hard to detect. PowerShell provides full access to Microsoft component object model (COM) and Microsoft Windows management instrumentation (WMI), making it a perfect tool for launching an attack. According to McAfee researchers, one particular fileless threat, dubbed CactusTorch, has grown rapidly and can execute custom shellcode on Windows systems.

Brief Description of Attack Vector

Your sensitive server uses a trusted .NET library (Windows Store, Google Play, etc.) and downloads an assembly over the Microsoft Component Object Model. The assembly is the smallest deployable unit of an application, and it writes nothing to the hard drive, so conventional file scanners cannot detect the infection. Since these attacks are launched through trusted executables, they are hard to detect.

The usage of these fileless infiltrations so far includes:

  • CactusTorch was originally developed to help ethical security testing, but since it is open source it has been reused, in over 30 variants, to gain runtime access to computers, for example for ransom purposes.
  • PowerGhost hijacks corporate computing resources to mine cryptocurrency.

Recommendation for Defence

The following general advice applies:

  • Enterprises should have their own app store, .NET libraries and MS management hubs to prevent man-in-the-middle attacks.
  • Everyone should have runtime virus detection in addition to conventional file scanning.
  • Firewalls should block all unidentified connections to prevent command-and-control traffic.
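One concrete form of the runtime detection recommended above is to inspect what PowerShell actually executes rather than what is written to disk. Windows PowerShell Script Block Logging records the text of every script block it runs, so an in-memory .NET assembly load of the kind described in the attack vector section leaves a trace there even though no file is created. The script below is an added example written for this post, not code from McAfee or any of the sources cited; it scores constructed sample script-block texts against a few well-known indicators (a reflective `Assembly.Load`, Base64 decoding, an encoded command, COM object instantiation) and only flags a block when the reflective load is present or two indicators co-occur, so that ordinary COM automation by administrators is not reported on its own. The event records and indicator names are constructed for this example and are not a real log format.

```python
"""Triage PowerShell script-block text for signs of in-memory .NET assembly loading.

Added example for this post (not the author's or McAfee's code). The events below
are constructed to resemble the ScriptBlockText field of Script Block Logging
records; a real deployment would read that field from the event log instead.
"""
import re

# Indicators that, in combination, point at a fileless .NET loader rather than
# routine administration. Names are this example's own labels.
INDICATORS = {
    # .NET assembly loaded from a byte array instead of from a file on disk.
    "reflective_assembly_load": re.compile(
        r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I),
    # Payload material carried inline as Base64 text.
    "base64_decode": re.compile(r"\[Convert\]::FromBase64String\s*\(", re.I),
    # PowerShell invoked with a Base64-encoded command line.
    "encoded_command": re.compile(r"-(?:enc|encodedcommand)\b", re.I),
    # COM object instantiation (legitimate on its own, suspicious alongside the above).
    "com_object_instantiation": re.compile(r"New-Object\s+-ComObject\b", re.I),
}

# Constructed sample events (id, script block text). Not real captured data.
SAMPLE_EVENTS = [
    # Benign administration: a file listing.
    {"id": 1, "script": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},
    # Benign: single COM use for office automation must not be flagged alone.
    {"id": 2, "script": "$xl = New-Object -ComObject Excel.Application; $xl.Visible = $false"},
    # Suspicious: an assembly decoded from Base64 and loaded straight into memory.
    {"id": 3, "script": "$asm = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob))"},
    # Suspicious: encoded command combined with COM instantiation.
    {"id": 4, "script": "powershell.exe -NoP -EncodedCommand <base64 placeholder>; New-Object -ComObject WScript.Shell"},
]


def analyze_script_block(script: str) -> dict:
    """Return the indicators matched in one script block and a verdict.

    A reflective assembly load is treated as high-confidence by itself; any
    other indicator needs a second one before the block is called suspicious,
    which keeps single COM or Base64 uses by administrators out of the alerts.
    """
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(script)]
    suspicious = "reflective_assembly_load" in hits or len(hits) >= 2
    return {"indicators": hits, "suspicious": suspicious}


def triage(events: list) -> list:
    """Return only the events whose script block is judged suspicious."""
    flagged = []
    for event in events:
        verdict = analyze_script_block(event["script"])
        if verdict["suspicious"]:
            flagged.append({"id": event["id"], **verdict})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit['id']}: {', '.join(hit['indicators'])}")
```

Script Block Logging has to be enabled through policy before these records exist, and the indicator list is deliberately short; in practice it would be tuned against the organisation's own administrative scripts to keep the false-positive rate low, and the verdicts would feed a SIEM rather than stdout.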

References

1. https://www.computerweekly.com/news/252445706/Fileless-malware-a-growing-trend-warns-McAfee?asrc=EM_EDA_98239181&utm_medium=EM&utm_source=EDA&utm_campaign=20180730_How%20F1%20and%20others%20are%20moving%20beyond%20descriptive%20analytics
2. https://securingtomorrow.mcafee.com/mcafee-labs/cactustorch-fileless-threat-abuses-net-to-infect-victims/
3. https://www.computerweekly.com/news/252445642/Brace-for-PowerGhost-cryptominer-warns-Kaspersky-Lab
