Stealthy Malware Is Going Mainstream

Typical anti-malware software scans hard drives in search of malicious files and then flags them for removal. That strategy breaks down, though, when there’s no file to find on the system in the first place. And that’s exactly how an increasingly popular type of attack has stymied the defenses of dozens of banks around the world.

So-called fileless malware avoids detection by hiding its payload in secluded spots, like a computer’s random-access memory or kernel, meaning it doesn’t depend on hard drive files to run.

The technique first surfaced a couple of years ago, as part of a sophisticated nation-state reconnaissance attack, but has experienced a recent surge in cyber-attacks.

It’s also not just hitting high-priority targets; research released by Kaspersky Lab recently found that fileless malware infected more than 140 financial institutions, government organisations, and telecom companies across 40 countries.

Kaspersky itself may not have found it had a bank not come to the security firm after discovering malware running in secret in the memory of one of its domain controllers (a server on a Windows network that handles security authentication queries).

The attack was recording system administrator credentials so the hackers could move deeper into the network, gather more privileged credentials, and eventually withdraw money from ATMs.

What makes the attack so insidious is that it inhabits parts of the computer architecture that are difficult for normal users to even navigate to and access, much less interact with. While it’s possible to eliminate the threat, many organizations aren’t even focused on spotting it in the first place yet.

That’s unfortunate, because it’s also seen a dramatic spike in popularity. In a December report, the endpoint security firm Carbon Black found that the rate of fileless malware attacks among its customers had jumped from three percent of the company’s total malware detections at the beginning of 2016 to 13 percent in November.

“I would say this is becoming more of a checkbox for attackers’ toolkits,” says Greg Linares, a security researcher who specialises in threat intelligence and reverse engineering.

Just one example: Hackers can use administrative operating system tools, like the Windows PowerShell framework, to covertly deposit the malware into a computer’s RAM. More than 70 percent of the infections Kaspersky detected utilized malicious PowerShell scripts.

With increased use comes increased awareness, though, and that awareness should spur companies to take preemptive measures. “Security teams could monitor for the unexpected creation of services on their systems, watch for unexpected tunneling traffic within their network, attempt to observe outbound traffic, and disable the use of PowerShell on their networks if it is unused,” says Kurt Baumgartner, a principal security researcher at Kaspersky Lab. It helps to watch activity coming into and out of a network instead of just checking the files stored on it. He emphasises, though, that even as threats evolve, it’s still crucial to take foundational security precautions, like splitting different portions of a network into subnetworks that are more efficient and easier to defend.
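The first of those recommendations, monitoring for unexpected service creation, is concrete enough to turn into a check. The Python below is an added example, not code from Wired, Kaspersky or Carbon Black; it assumes Windows System log Event ID 7045 records ("A service was installed in the system") flattened into key=value lines (a constructed format), an assumed baseline of trusted install directories, and a hand-picked list of PowerShell launch flags.

```python
import re

# Constructed sample records shaped like Windows System log Event ID 7045,
# one event per line as key=value pairs. These are made-up illustrations,
# not records from the page or from the incident it describes.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName=Spooler ServiceFileName="C:\\Windows\\System32\\spoolsv.exe" StartType="auto start"',
    'EventID=7045 ServiceName=UpdaterSvc ServiceFileName="%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER" StartType="auto start"',
    'EventID=7045 ServiceName=VendorAgent ServiceFileName="C:\\Program Files\\Vendor\\agent.exe" StartType="auto start"',
    'EventID=7045 ServiceName=Helper ServiceFileName="C:\\Users\\Public\\helper.exe" StartType="demand start"',
    'EventID=7036 ServiceName=Spooler Message="entered the running state"',
]

# Assumed baseline: directories from which a new service binary is expected
# on a managed host. Tune per environment.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumed indicators of a service that exists only to launch PowerShell in memory
POWERSHELL_MARKERS = ("powershell.exe", "-encodedcommand", "-enc",
                      "-w hidden", "-windowstyle hidden", "-nop", "-noni")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value log line into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def check_service_install(event):
    """Return the reasons a 7045 event looks suspicious; empty list if it does not."""
    if event.get("EventID") != "7045":
        return []
    image = event.get("ServiceFileName", "").lower()
    reasons = []
    hits = [m for m in POWERSHELL_MARKERS if m in image]
    if hits:
        reasons.append("service launches PowerShell: " + ", ".join(hits))
    if not image.startswith(TRUSTED_ROOTS):
        reasons.append("service binary outside trusted roots")
    return reasons

def find_suspicious_services(lines):
    """Map ServiceName -> reasons for every service install worth an analyst's look."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        reasons = check_service_install(event)
        if reasons:
            findings[event["ServiceName"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in find_suspicious_services(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

Only the two services that launch PowerShell or live outside the baseline directories are reported; the benign installs and the non-7045 event are ignored.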

Between fileless malware and the increasing popularity of ransomware, it feels like malware has morphed into a new phase. (There’s even fileless ransomware.) That’s not cause for despair, though; it’s just all the more reason to keep up with the evolving landscape, not rely on outdated tools, and start looking for intruders where you least expect them.

Wired

