For some years now, WatchGuard has been generating a report on the security situation detected on the Internet. Following the acquisition of Panda, this report has become even more important, as it contains endpoint detections, allowing for a broader security spectrum that provides more detail on the types of incidents that have occurred on the Internet.
Hence, the latest report has shown a fairly significant increase in fileless malware attacks, known as fileless malware, which we have been talking about for a few years now due to the danger they entail and their difficult detection, something that criminals are evidently taking advantage of, seeing an increase of around 900% in the use of this attack technique if we compare the samples reported between 2019 and 2020.
This problem is almost as old as operating systems. The first example of this type of threat was in 1987 with the so-called Lehigh Virus, which got its name because it was developed at Lehigh University during computer science tests. However, it did not damage the system and was removed with the restart of the computer, as it simply stayed in the RAM and with each execution or call of COMMAND.COM it increased a counter that consumed the memory and therefore made the processes in the machine more and more slow.
But this development achieved a milestone in terms of attacks, which always had the premise of being able to host the malicious segment to be executed on the hard disk, something that exposes any antivirus system to detect the malicious characteristics of the software. In this way, by not having to reach the hard disk, but only being in the memory, it gave them an advantage in terms of not being detected but left them very little margin for action in the development of sophisticated attacks that required extensive code.
How Are These Attacks Carried Out?
Nowadays, toolkits such as PowerSploit and CobaltStrike have allowed criminals to develop much more advanced and precise fileless malware without having to know the full details of how the system works. An example of this is how PowerSploit can inject a DLL with a simple command, generating sophisticated and simple DLL hijacking attacks.
This has been extensively analysed in the MITRE ATT&CK matrices, which even has an analysis of PowerSploit, so that defence teams know in advance what capabilities this kit gives the attacker and in which specific technique this type of attack is used.
Even within our team, a framework was developed that allows corporate attack and defence teams to carry out investigations and detection of possible security breaches using UAC-A-Mola, which has several types of automations to bypass user authentication controls on Windows systems, mainly using fileless attacks.
How Can We Defend Ourselves?
Regarding the defensive side, the advances that Windows has achieved to contain this threat are increasingly useful and require less complex deployments within network schemes in organisations, as we have discussed on previous occasions in our blog, the capabilities that have been achieved with AMSI are undoubtedly a fundamental complement to achieve protection against the imminent increase in fileless attacks.
However, in most organisations the controls provided by this native operating system tool are not implemented, so that any incoming flow could be analysed and any anomalies be detected. An example of the capabilities provided by AMSI are those we have achieved with the AMSIext browser extension, which provides a connection between the browser and AMSI, so that all potential scripts contained in a website are analysed by this engine, detecting any possible anomaly even if the hard disk is not touched in its execution.
Another way typically used by criminals to execute fileless attacks is to combine this attack with the execution of macros in office documents, which allow the use of macro programming capabilities to download and assemble malicious code into memory, delaying detection by traditional anti-virus systems and making detection complex for endpoint systems.
Attacks such as those generated by IcedID, show how this technique is very beneficial for attackers and integrates the power of fileless within the techniques, using powershell as a tool for downloading and installing the malicious DLLs, making their actions almost undetectable by antivirus, as seen in the VirusTotal analysis image.
Using our DIARIO tool, we isolate these macros for analysis and detection of malicious processes, so that they can also be integrated into the flow of analysis that should be done on the files that are received by an organisation in order to mitigate this type of attack. Continuing with the analysis of IcedID, we can see that the extraction and analysis of the macros made with DIARIO, indicate that they are suspicious of malware and show us the three macros used for that purpose.
As can be seen, although the increase in these attacks is exponential, the effectiveness of the attacks can be mitigated with several actions:
- The implementation of appropriate controls at all network terminals.
- The integration of systems’ own tools with extensions, or developments that make use of these capabilities without the need for manual implementations.
- Proper training and awareness of the personnel on how to proceed to ensure that these tools are effective in detections and are not missed due to poor handling practices.