
Living off the land: How malware is on the verge of becoming fileless

20 Jul 2017

‘Living off the land’ may at first sound like farms and vegetable patches, but it is quickly gaining a new meaning for cyber attackers and security threats.

Already-installed tools, simple scripts and shellcode directly in memory are all an attacker needs to live off the land, meaning attacks create fewer new files on a hard drive or are completely fileless.

These attacks fall into four types: dual-use tools such as PsExec; memory-only threats such as the Code Red worm; fileless persistence (for example via VBS); and non-PE file attacks such as macros or scripts.

According to Symantec, fewer files means bad news for traditional security detection tools, which are less likely to block such attacks.

The company says that the NotPetya ‘ransom’ outbreak is an example of attackers using ‘living off the land’ techniques to target different parts of the world: it spread through a compromised update of the accounting software platform Me.Doc.

It also used system commands as it infected computers, dumping account credentials from Windows memory. Those credentials were then used to spread the threat to Admin shares on the network.

If it managed to access a remote system, it could execute remotely through PsExec and the Windows Management Instrumentation (WMI) command line tool.

That particular malware strain was able to hide its movements, delete system logs and create a scheduled task that made the computer reboot with the modified master boot record, crippling the system.

Symantec says that malware and the WMI command line tool are no strangers: “Last year we observed an average of two percent of analysed malware samples making use of WMI for nefarious purpose, and the upward trend is clearly continuing.”

The company also says that attackers are making increased use of system tools not just for attacks, but for snooping. Threat groups such as Tick, Waterbug, Buckeye, Appleworm, Destroyer and Fritillary all use different system tools for reconnaissance and credential harvesting.

In particular, Fritillary uses PowerShell, and Destroyer uses both the Disk Usage and Event Log Viewer tools for monitoring purposes.

Symantec says that because email and infected websites are the most common infection vectors for this type of malware, defences should focus on those two areas.

For larger enterprises and networks, the company suggests adopting best practices for network segregation, in-depth logging that covers system tools, and an approach that does not grant all users advanced privileges.
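One way to act on that "in-depth logging that covers system tools" advice, as an added example that is not from the article or from Symantec: a small Python scorer that flags the system-tool behaviour described above (remote execution through WMIC and PsExec, a scheduled reboot task, obfuscated PowerShell) in process-creation events. The event format, sample lines, rule set and weights are all constructed for this example.

```python
import re

# Constructed sample process-creation events, simplified to
# user | parent image | image path | command line (not real Sysmon/EVTX output).
SAMPLE_EVENTS = [
    r"CORP\alice|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
    r"CORP\svc-backup|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:host-b process call create payload.exe",
    r"CORP\admin|cmd.exe|C:\Tools\PsExec.exe|psexec \\host-c -s cmd /c payload.exe",
    r'NT AUTHORITY\SYSTEM|payload.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn reboot /tr "shutdown /r /f" /st 22:30',
    r"CORP\bob|outlook.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -enc <constructed-b64>",
    r"CORP\alice|explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Service",
]

# Detection rules: (name, regex on image path, regex on command line, weight).
# Weights are hypothetical tuning values, not taken from any vendor signature set.
RULES = [
    ("wmic remote process creation", r"wmic\.exe$", r"/node:\S+.*process\s+call\s+create", 5),
    ("psexec remote execution", r"psexec(64)?\.exe$", r"\\\\\S+", 4),
    ("scheduled reboot task", r"schtasks\.exe$", r"/create.*shutdown", 3),
    ("encoded powershell", r"powershell\.exe$", r"(-e|-enc|-encodedcommand)\s", 3),
    ("hidden powershell window", r"powershell\.exe$", r"-w(indowstyle)?\s+hidden", 2),
]

def parse_event(line):
    """Split one constructed event line into its four fields."""
    user, parent, image, cmdline = line.split("|", 3)
    return {"user": user, "parent": parent, "image": image, "cmdline": cmdline}

def score_event(event):
    """Return (total weight, matched rule names) for one parsed event."""
    total, hits = 0, []
    for name, img_re, cmd_re, weight in RULES:
        if re.search(img_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I):
            total += weight
            hits.append(name)
    return total, hits

def find_suspicious(lines, threshold=3):
    """Return (user, image basename, score, hits) for events scoring at or above threshold."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append((ev["user"], ev["image"].rsplit("\\", 1)[-1], score, hits))
    return flagged

if __name__ == "__main__":
    for user, image, score, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"{score:>2} {user:<22} {image:<16} {', '.join(hits)}")
```

In a real deployment the events would come from Sysmon event ID 1 or Security event 4688 with command-line auditing enabled, and the benign baseline for each user (the privilege point the article makes) would drive the threshold.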
