
Living off the land: How malware is on the verge of becoming fileless

20 Jul 17

‘Living off the land’ may at first sound like farms and vegetable patches, but the phrase is quickly gaining a new meaning in the world of cyber attackers and security threats.

Already-installed tools, simple scripts and shellcode run directly in memory are all an attacker needs to live off the land, so an attack creates fewer new files on disk, or none at all.

Symantec groups these attacks into four types: dual-use tools such as PsExec; memory-only threats such as the Code Red worm; fileless persistence (for example, a VBS script kept in the registry rather than on disk); and non-PE file attacks that use macros or scripts.

According to Symantec, fewer files is bad news for traditional security detection tools, which are then less likely to block the attack.

The company cites the NotPetya ‘ransomware’ outbreak as an example of living-off-the-land techniques being used to hit organisations in different parts of the world: its initial distribution was a compromised update of the accounting software platform Me.Doc.

It also relied on built-in system commands as it spread: it dumped account credentials from the memory of the infected computer and used them to copy itself to Admin$ shares on other machines in the network.

Once it could reach a remote system, it executed its payload there through PsExec or the Windows Management Instrumentation command line tool (WMIC).

That particular strain also covered its tracks: it cleared system event logs and created a scheduled task to reboot the computer, after which the modified master boot record took over and left the system crippled.

Symantec says that malware and the WMI command line tool are no strangers: “Last year we observed an average of two percent of analysed malware samples making use of WMI for nefarious purposes, and the upward trend is clearly continuing.”

The company also says that attackers are making increasing use of system tools not just for attacks, but for snooping: threat groups such as Tick, Waterbug, Buckeye, Appleworm, Destroyer and Fritillary all use built-in system tools for reconnaissance and credential harvesting.

In particular, Fritillary relies on PowerShell, while Destroyer uses a disk usage utility and the event log viewer to monitor compromised systems.

Because email and compromised websites are the most common infection vectors for these threats, Symantec says, defences should concentrate on those two entry points.

For larger enterprises and networks, the company recommends network segregation, in-depth logging that records the use of system tools, and a least-privilege approach that does not give every user administrative rights.
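The logging recommendation only pays off if someone looks at the resulting events for the combinations described above (a document spawning a script host, WMIC creating a process on another host, PsExec's service appearing on the target, event logs being cleared, a scheduled forced reboot). The following is an added example of that detection logic, written for this page and not Symantec's code or a product rule set. The event format (`host | user | parent -> image | command line`) is an assumption standing in for the fields a Sysmon process-creation event or a Windows 4688 event with command-line auditing would give you; the log lines, host names and user names are constructed for the example.

```python
"""Flag living-off-the-land activity in process-creation logs.

Added example (not Symantec's code). Input format is an assumption: one
process-creation event per line as
    host | user | parent_image -> image | command line
The sample events below are constructed; hosts, users and paths are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = """\
ws01 | CORP\\alice | explorer.exe -> winword.exe | "C:\\Program Files\\Microsoft Office\\WINWORD.EXE" quarterly.docx
ws01 | CORP\\alice | winword.exe -> powershell.exe | powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4A
ws01 | CORP\\alice | powershell.exe -> wmic.exe | wmic /node:"ws02" /user:"CORP\\svc_backup" process call create "C:\\Windows\\Temp\\upd.dll"
ws02 | CORP\\svc_backup | services.exe -> PSEXESVC.exe | C:\\Windows\\PSEXESVC.exe
ws01 | NT AUTHORITY\\SYSTEM | cmd.exe -> wevtutil.exe | wevtutil cl Security
ws01 | NT AUTHORITY\\SYSTEM | cmd.exe -> schtasks.exe | schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:42
ws03 | CORP\\bob | explorer.exe -> notepad.exe | notepad.exe todo.txt
ws03 | CORP\\bob | cmd.exe -> wmic.exe | wmic os get caption
"""

LINE_RE = re.compile(
    r"^(?P<host>[^|]+?)\s*\|\s*(?P<user>[^|]+?)\s*\|\s*"
    r"(?P<parent>\S+)\s*->\s*(?P<image>\S+)\s*\|\s*(?P<cmdline>.*)$"
)


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_line(line):
    """Parse one event line; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip() for k, v in m.groupdict().items()}
    # Real telemetry carries full paths; compare on the basename only.
    fields["parent"] = fields["parent"].rsplit("\\", 1)[-1]
    fields["image"] = fields["image"].rsplit("\\", 1)[-1]
    return Event(**fields)


# (technique, parent regex or None, image regex, command-line regex or None).
# Each rule maps to a behaviour the article describes; every tool here is a
# legitimate admin tool on its own, which is why scoring happens per host.
RULES = [
    ("office_spawns_script_host",
     r"^(winword|excel|powerpnt)\.exe$", r"^(powershell|wscript|cscript|cmd|mshta)\.exe$", None),
    ("encoded_powershell",
     None, r"^powershell\.exe$", r"-(e|ec|enc|encodedcommand)\b"),
    ("wmic_remote_process_create",
     None, r"^wmic\.exe$", r"/node:.*process\s+call\s+create"),
    ("psexec_service",
     None, r"^psexe(c|svc)\.exe$", None),
    ("event_log_cleared",
     None, r"^wevtutil\.exe$", r"\b(cl|clear-log)\b"),
    ("scheduled_forced_reboot",
     None, r"^schtasks\.exe$", r"/create.*shutdown"),
]


def match_rules(ev):
    """Return the names of all rules an event satisfies (case-insensitive)."""
    hits = []
    for name, parent_re, image_re, cmd_re in RULES:
        if parent_re and not re.search(parent_re, ev.parent, re.I):
            continue
        if not re.search(image_re, ev.image, re.I):
            continue
        if cmd_re and not re.search(cmd_re, ev.cmdline, re.I):
            continue
        hits.append(name)
    return hits


def analyze(log_text):
    """Return {host: sorted list of distinct techniques seen on that host}."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for name in match_rules(ev):
            findings[ev.host].add(name)
            # A remote WMI process creation is also evidence against the target host.
            if name == "wmic_remote_process_create":
                target = re.search(r'/node:"?([^"\s]+)"?', ev.cmdline, re.I)
                if target:
                    findings[target.group(1)].add("targeted_by_remote_wmic")
    return {host: sorted(techs) for host, techs in findings.items()}


def flagged_hosts(log_text, min_techniques=2):
    """Hosts showing at least min_techniques distinct techniques; the
    combination, not any single tool, is what separates an attack from admin work."""
    return sorted(h for h, t in analyze(log_text).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    for host, techs in analyze(SAMPLE_LOG).items():
        print(host, "->", ", ".join(techs))
    print("flagged:", flagged_hosts(SAMPLE_LOG))
```

On the constructed sample, ws01 trips five rules and ws02 two (the PsExec service plus being named as the `/node:` target of ws01's WMIC call), while ws03's ordinary `wmic os get caption` and Notepad use trip none. The per-host threshold is the important design choice: a single `wevtutil cl` or `schtasks /Create` is routine, so alerting on each tool in isolation would drown analysts, whereas two or more of these behaviours on one host inside a short window is worth a ticket.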
