
Novel Fileless Malware Uses Windows Registry as Storage to Bypass Detection


Cybersecurity researchers from the Prevailion Adversarial Counterintelligence Team (PACT) have unearthed a new fileless malware, dubbed DarkWatchman, propagated via a social engineering campaign.

The RAT is designed to evade detection and analysis, which makes it well suited to ransomware operations. DarkWatchman uses a complex domain generation algorithm (DGA) to locate its command-and-control (C2) infrastructure and abuses the Windows Registry for storage.

The malware "utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation," researchers Matt Stafford and Sherman Smith stated. 

“It represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools." 

According to the researchers, the RAT began operating in November and made use of multiple known TLS certificates. Given its backdoor and persistence features, the researchers believe that DarkWatchman could be an 'initial access and reconnaissance tool' used by ransomware groups.

Ransomware operators typically depend on other attackers to manage the persistence and wide distribution of their programs. Fileless malware with such detection-evading techniques gives the ransomware developers more control over the operation than just negotiating ransoms.

The novel RAT consists of a fileless JavaScript RAT and a C#-based keylogger, the latter stored in the registry to avoid detection. Both components are extremely lightweight: the malicious JavaScript code is only about 32 KB, while the keylogger is a mere 8.5 KB.

"The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman's operators can update (or replace) the malware every time it's executed," the researchers said. 

Once installed, the malware can execute arbitrary binaries, load DLL files, run JavaScript code and PowerShell commands, upload files to a remote server, update itself, and even uninstall the RAT and keylogger from the compromised device. The JavaScript routine is also responsible for establishing persistence by creating a scheduled task that runs the malware at every user logon.

"It would appear that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to work underneath or around the detection threshold of security tools and analysts alike," the researchers concluded. "Registry changes are commonplace, and it can be difficult to identify which changes are anomalous or outside the scope of normal OS and software functions."
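The registry-storage technique above is detectable from telemetry even though nothing touches disk. The following Python heuristic is an added defender-side example (not code from the PACT researchers or from this post); it runs over constructed Sysmon-style "registry value set" events and flags large, high-entropy, base64-like values written by a script host. The registry paths, SID and values are placeholders made up for the demo.

```python
import base64
import math
import re
from collections import Counter

# Constructed Sysmon-style "registry value set" records (Event ID 13 fields),
# assembled here for the demo; not telemetry from the DarkWatchman report.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\ExampleVendor\\Blob",
     # ~13 KB of base64 text standing in for an encoded binary kept in the registry
     "Details": base64.b64encode(bytes(range(256)) * 40).decode()},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"Image": "C:\\Program Files\\ExampleApp\\app.exe",
     "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\ExampleApp\\LastPath",
     "Details": "C:\\Users\\alice\\Documents"},
]

# Script hosts a fileless RAT would use to write its own encoded body into the registry.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded binaries sit well above ordinary config strings."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious(event: dict, min_len: int = 4096, min_entropy: float = 5.0):
    """Return (flag, reasons); flag only when at least two independent heuristics fire."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    details = event["Details"]
    reasons = []
    if image in SCRIPT_HOSTS:
        reasons.append(f"written by script host {image}")
    if len(details) >= min_len and B64_RE.match(details):
        reasons.append(f"large base64-like value ({len(details)} chars)")
        if shannon_entropy(details) >= min_entropy:
            reasons.append("high entropy")
    return len(reasons) >= 2, reasons

def scan(events):
    """Return (registry path, reasons) for every event the heuristic flags."""
    results = [(e["TargetObject"], is_suspicious(e)) for e in events]
    return [(path, reasons) for path, (hit, reasons) in results if hit]
```

Thresholds are starting points: tune `min_len` and `min_entropy` against your own baseline, since some legitimate software also stores sizeable encoded blobs in HKCU.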

Fileless Malware Attacks and How To Fight Them!



It has become clear over the years that cyber-attacks of ever more unusual kinds are growing in number, making it almost impossible for outdated or conventional security mechanisms to intercept and fight them.

As if one-of-a-kind attack tools were not enough, threat actors now have polymorphic tactics up their sleeves. Per sources, an entirely new variant of a threat can be created after every infection.

After polymorphism became apparent, vendors reportedly engineered "generic signatures" that covered numerous variants, but the attackers always managed to slip in a new one.

This is when malware authors came up with the concept of fileless attacks: malware that needs no files to infect its targets and yet causes equal damage.

Per sources, the most common fileless attacks use applications, software, or authorized protocols that already exist on the target device. The first step is a user-initiated action, after which the attacker gains access to the target device's memory, which is then infected. The malicious code is injected by abusing Windows tools such as Windows Management Instrumentation and PowerShell.

Per reports, the modus operandi of a fileless attack is as follows:

1. It begins with a spam message that does not look suspicious at all; when the unaware user clicks the link in it, they are redirected to a malicious website.
2. The website launches Adobe Flash.
3. Flash starts PowerShell and uses the command line to send it instructions; all of this takes place inside the target device's memory.
4. One of those instructions opens a connection to a command-and-control server and downloads a malicious PowerShell script that hunts down sensitive data and information, only to exfiltrate it later.
Researchers note that because these attacks involve no malicious files stored on the target's device, it becomes harder for security products to anticipate or perceive them: they are left with nothing to compare the attacks against. The fact that fileless malware can hide from view inside legitimate tools and applications makes it all the worse.
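What the chain above does leave behind is a process lineage: a browser plugin launching a script engine with stager-style arguments. This Python triage routine is an added example (not code from the original post or from any vendor it mentions) that scores constructed process-creation records on exactly those traits; the paths and the encoded-command blob are placeholders.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 fields) built for this
# demo; the second record mirrors the Flash-to-PowerShell chain described above.
SAMPLE_PROCS = [
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"ParentImage": "C:\\Program Files\\ExampleBrowser\\flashplayerplugin.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand <placeholder-blob>"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Deploy\\install.ps1"},
]

# Parents that have no business launching a script engine, and the engines themselves.
WEB_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
               "flashplayer.exe", "flashplayerplugin.exe"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits typical of in-memory stagers: hidden window, no profile,
# encoded command, execution-policy bypass, download-and-evaluate.
ARG_PATTERNS = {
    "hidden window": r"-w(indowstyle)?\s+hidden",
    "no profile": r"-nop(rofile)?\b",
    "encoded command": r"-e(nc|ncodedcommand)?\s",
    "policy bypass": r"bypass",
    "download-and-run": r"downloadstring|invoke-expression|\biex\b",
}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> list:
    """List the reasons an event looks like a fileless launch chain (empty = benign)."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"].lower()
    reasons = []
    if child in SCRIPT_ENGINES and parent in WEB_PARENTS:
        reasons.append(f"{child} spawned by {parent}")
    reasons += [name for name, pat in ARG_PATTERNS.items() if re.search(pat, cmd)]
    return reasons

def triage(events, min_reasons: int = 2):
    """Return (image, reasons) for events with at least min_reasons independent signals."""
    scored = [(event["Image"], score_event(event)) for event in events]
    return [(image, reasons) for image, reasons in scored if len(reasons) >= min_reasons]
```

Requiring two independent signals keeps a lone `-ExecutionPolicy Bypass` from an admin's deployment script below the alert threshold while the browser-spawned, hidden, encoded launch is surfaced.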

Recently, many fileless attacks have surfaced and researchers have been elbow deep in analyzing them. According to sources, well-known corporate names hit by such attacks include Equifax, which suffered a data breach via a command injection vulnerability; Union Crypto Trader, which faced in-memory remote code execution delivered through a 'trojanized' version of a legitimate installer file; and the U.S. Democratic National Committee, where two threat actors used a PowerShell backdoor to automatically launch malicious code.

These attacks are obviously disconcerting and require a different kind of approach for their prediction or prevention. A conventional security system will never be the solution corporations and organizations need to stand against such attacks.

Per sources, Network Detection and Response (NDR) seems to be a promising mechanism for detecting uncommon malicious activity. It does not simply rely on signatures but uses a combination of machine learning techniques to surface irregular network behaviour. It learns what is normal in a particular environment, then works out what is not normal and alerts the overseers.

Researchers think an efficient NDR solution takes in the entire surroundings of a device, including what is on the network, in cloud deployments and in IoT segments, not to mention data storage and email servers.

Per sources, NDR gradually works up to its highest efficiency. Deploying it and its sensors takes a considerable amount of time and monitoring, but the final results include enhanced productivity, fewer false alerts, and heightened security.