Fileless malware a growing trend, warns McAfee

fileless malware that relies on system tools such as Microsoft PowerShell are growing in popularity because they enable attackers to access Windows features without being detected.

Many traditional security systems are based on detecting malware files, but if there is no malware file involved, these systems are rendered useless, making attacks very hard to detect.

PowerShell provides full access to Microsoft Component Object Model (COM) and Microsoft Windows management instrumentation (WMI), making it a perfect tool for launching an attack.

According to McAfee researchers, one particular fileless threat, dubbed CactusTorch, has grown rapidy and can execute custom shellcode on Windows systems.

The researchers have discovered more than 30 variants of CactusTorch, ascribing the attack technique’s rapid adoption rate to its success and ability to evade detection.

CactusTorch uses the DotNetToJScript technique, which loads and executes malicious .NET assemblies straight from memory, wrote McAfee security researcher Debasish Mandal in a blog post.

“These assemblies are the smallest unit of deployment of an application,” he said. “As with other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly on a computer’s hard drive, so traditional file scanners fail to detect these attacks.”

This type of attack abuses trusted .NET libraries exposed over COM, and in this class of attack the malicious .NET assembly (executable) is never written/dropped to disk. The entire process’s loading and execution of malicious binary happens in memory at run time. The technique therefore bypasses most traditional file scanner-based detection, researchers said.

Researchers at Kaspersky Lab recently warned of new fileless malware designed to hijack corporate computing resources to mine cryptocurrency for cyber criminals.

The malware, dubbed PowerGhost, uses multiple fileless techniques to gain a foothold in corporate networks, which means the miner does not store its body directly onto a disk, increasing the complexity of its detection and remediation, said the Kaspersky Lab researchers.

“During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive,” they said in a blog post.

The growth of the “fileless” threat category was evidenced in McAfee’s March 2018 threat report, which noted a fourfold increase in attacks using PowerShell scripts in 2017.

Many fileless malware campaigns were discovered that used PowerShell to launch attacks in memory to create a backdoor into a system. These surged by 432% in 2017 compared with the previous year and by 267% in the last three months of the year alone.

Campaign Gold Dragon stands out as an example, said McAfee researchers, because it was customised for the Winter Olympics attack, it persisted on infected systems, and has shown up in subsequent attacks, notably on hacked servers in Chile just over a week after the Olympics incident.

According to the Ponemon Institute’s State of endpoint security risk report, fileless attacks are estimated to be 10 times more likely to succeed than file-based attacks.

This type of attack takes advantage of the trust factor between security software and genuine, signed Windows applications.

Because this type of attack is launched through reputable, trusted executables, traditional whitelisting-based detection systems fail drastically, said the researchers.

In a recent Computer Weekly article about fileless attacks, Greg Temm, chief information risk officer for the Financial Services – Information Sharing and Analysis Center (FS-ISAC), noted that fileless malware is not totally undetectable.

“However, you need to know what to look for to reduce your chances of getting infected or how to limit the spread of the exposure, if your network is compromised,” he said.

General best practices in maintaining your network and optimising security include monitoring logs from various devices on the network, such as firewalls, said Temm.

“This type of monitoring should be done consistently to detect unauthorised traffic at various points throughout the day, such as during heavy workloads or off-peak hours,” he said. “This will not only give you a better understanding of the operating flow of the network, but will also help to detect abnormal network activity, which is a tell-tale sign of infection.”