SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Cybersecurity
#
Malware
#
Fileless malware
Living off the land: How malware is on the verge of becoming fileless
Thu, 20th Jul 2017
FYI, this story is more than a year old
Author image
By Sara Barker, Copywriter and Senior News Editor
Follow us

‘Living off the land' may at first sound like farms and vegetable patches, but it is quickly gaining a new meaning for cyber attackers and security threats.

Already-installed tools, simple scripts and shellcode directly in memory are all an attacker needs to live off the land, meaning attacks create fewer new files on a hard drive or are completely fileless.

Dual-use tools such as PsExec; memory threats such as Code Red worm, fileless persistence (VBS) and non-PE file attacks such as macros or scripts all make up the four types of attacks.

According to Symantec, fewer files means bad news for tradition security detection tools, as they are less likely to block attacks.

The company says that the NotPetya ‘ransom' outbreak is an example of how attackers used ‘living off the land' techniques to target different parts of the world, as it used a compromised update of the accounting software platform Me.Doc.

It also used system commands as it infected computers; meaning it took advantage of account credential dumping protocols through Windows memory. Those credentials were then used to move the threat to various Admin shares on the network.

If it was lucky enough to access a remote system, it can execute remotely through PsExec and the Windows Management Instrumentation (WMI) command line tool.

That particular malware strain was able to hide its movements, delete system logs and create a scheduled task that makes the computer reboot with the modified master boot record, crippling the system.

Symantec says that malware and the WMI command line tool are no strangers: “Last year we observed an average of two percent of analysed malware samples making use of WMI for nefarious purpose, and the upward trend is clearly continuing.

The company also says that attackers are making increased use of system tools not just for attacks, but for snooping. Threat groups such as Tick, Waterbug, Buckeye, Appleworm, Destroyer and Fritillary all use different system tools for reconnaissance and credential harvesting.

In particular, Fritillary uses PowerShell and Destroyer uses both Disk usage and event log viewer for monitoring purposes.

Symantec says that because email and infected websites are the most common ways to be infected by these types of malware, defences should focus on these key areas.

The company suggests that adopting best practices for network segregation, in-depth logging that includes system tools and an approach that doesn't give all users advanced privileges should be the way forward for larger enterprises and networks.

Related stories
MotivationWorks upgrades cybersecurity with Radware
Absolute Security focuses on cyber resilience in company rebrand
Armis acquires Silk Security for a total of $150M
Most enterprise PCs ill-equipped for AI-induced security threats
Three ways employees can spot a deepfake scam
Top stories
How attackers target security blind spots: Three real-life lessons from the SOC
Bugcrowd launches AI bias assessment for secure LLM application use
Kaspersky illuminates LockBit ransomware group's advanced tactics
First-party data collection prioritised due to privacy laws
Cisco boosts Secure Application with added data, cloud security features