Sapsiwai - Fotolia
What tools were used to hide fileless malware in server memory?
Fileless malware hidden in server memory led to attacks on many companies worldwide. Expert Nick Lewis explains how these attacks fit in with the wider fileless malware trend.
More than 140 banks, government organizations and telecommunications companies worldwide have been attacked with "fileless malware" hidden in server memory. What tools and techniques were used to carry out these attacks? Are these similar to the fileless malware attacks you wrote about last year?
One of the key aspects of any attack is to get the target system to take certain actions or get access to data by executing code on the target system. One of the earliest attack methods to gain widespread attention in the information security community was remote code execution via a vulnerability in a service or process running as an administrative user. This would provide the initial access to a system so the next step in the attack could be taken, like installing a rootkit.
As enterprises began implementing security controls like firewalls and server software started getting more resistant to remote code execution vulnerabilities, attackers have adapted to continue to get access to systems and data. Many of the remote code execution exploits would rely on built-in executables in known locations to execute code on the target system. This is remarkably similar to how fileless attacks have developed, and the use of phishing has replaced remote code execution for many attacks. There, however, continue to be attacks using remote code execution.
An attack would not be able to be carried out without the ability to execute code on the endpoint, with the exception of physical attacks. Even ransomware requires executing malicious code on the endpoint. The strict definition of fileless malware has changed over time and, as I wrote last year, there has been a rise in fileless malware. Lenny Zeltser, vice president of products at Minerva Labs and senior instructor at the SANS Institute, wrote about the history of fileless malware attacks, addressing the rise in using this terminology and the fact that it is used to refer to various attack methods.
The attack Kaspersky Lab's Global Research and Analysis Team wrote about uses PowerShell and built-in Windows commands to download Metasploit and take control of the endpoint. The attack relies on insecure configurations of PowerShell that enable the endpoint to execute any PowerShell commands and store data in the registry; and it takes advantage of vulnerabilities on the endpoint, much like other fileless malware attacks. Enterprises should periodically check their servers' memory for any irregularities that may indicate a fileless malware attack.