Category Archives: fileless malware

Informing Your Security Posture: How Cybercriminals Blend into the Background

Maintaining protection over an enterprise’s critical data, systems and assets is a continual uphill battle. Not only are chances good that the business’s digital footprint is growing through new applications, but hackers are also constantly bolstering their capabilities to silently breach platforms and maintain a presence under the radar of the IT team.

In the past, hackers have utilized all types of tactics to cover their tracks and enable them to remain within legitimate systems and steal data for more extended periods of time. And, according to a new report from Trend Micro researchers, these tactics are only growing more sophisticated, advanced and dangerous.

One of the best ways to improve the company’s security posture is to inform proactive protection by learning about the enemy. Today, we’re taking a look at the different techniques cybercriminals use to blend in and prevent detection. With this knowledge, IT teams can keep a more watchful eye out for the types of activity that can point to a malicious breach.

How do hackers cover their tracks?

Just as hunters work hard to remain hidden from their prey, hackers likewise do everything in their power to avoid detection by human users and by network- and application-level security solutions.

As Trend Micro researchers explained in the recent report, “Mapping the Future: Dealing with Pervasive and Persistent Threats,” the practice of blending into legitimate traffic within enterprise systems will only become more prevalent and threatening.

“In response to security vendor technologies, specifically the renewed interest in machine learning for cybersecurity, cybercriminals will use more malicious tactics to ‘blend in,’” researchers noted in the report. “New ways of using normal computing objects for purposes other than their intended use or design – a practice known as ‘living off the land’ – will continue to be discovered, documented and shared.”

So far, researchers have observed the rising use of a few key strategies in the current threat landscape, including:

  • Masking activity with unconventional file extensions. Much of today’s malicious code is no longer being delivered through the traditional executable file, as users have been trained to be suspicious of these types of programs. Now, hackers are packaging their malicious code in less recognizable formats, using extensions like .URL, .IQY, .PUB and .WIZ. This makes it easier for hackers to trick users into opening malicious files and launching a successful infection.
  • Minimal modification. Hackers quickly catch on to the types of activity that users and security programs classify as suspicious, including the modification of legitimate files to spur a breach or infection. In response, cybercriminals are scaling back their modifications and changing only the bare minimum needed to leverage a legitimate file or system as a launch pad for their attack.
  • New activation methods. Cyberattackers are also switching up their malware activation strategies, using techniques like Mshta, Rundll32, Regasm, Regsvr32 and more.
  • Digitally signed malware. As Trend Micro researchers noted in the report, digitally signed malware is already a pervasive approach used by hackers, and will only continue to pose a significant threat. This technique is highly effective: it makes well-hidden malware look even more legitimate, because a valid code-signing certificate helps it slip past security platforms.

“Hackers use compromised code signing certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malware being detected on targeted enterprise networks and consumer devices,” The Hacker News contributor Swati Khandelwal explained.

Fileless malware

In addition to the tricky strategies described above, hackers are also increasing their use of fileless malware, which improves their chances of flying under the radar of traditional file-scanning solutions. As noted in this Trend Micro Simply Security blog, fileless malware seeks to take advantage of software or system vulnerabilities without drawing the attention of users or raising security notifications.

One example of this type of advanced threat abuses the PowerShell utility or Microsoft Word macros to execute hidden commands against the victim system. These commands can change depending on the hacker’s goal or the length of time they’re attempting to remain within the breached system.

“Current security solutions detect an intrusion [using] a signature based on the malware file’s characteristics,” Trend Micro researchers explained. “However, because fileless malware doesn’t have a payload file to infect a system, security applications don’t know what to look for.”

This makes fileless malware samples particularly dangerous and especially difficult – but not impossible – to detect.
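The activation methods named above (Mshta, Rundll32, Regasm, Regsvr32), the unconventional file extensions, and the hidden PowerShell launches described in this section all leave traces in process-creation telemetry, which is where a fileless attack can still be caught. The following Python is an added example and not code from Trend Micro or the report: it triages constructed process-creation events (the event shape, the sample command lines and the alert threshold are assumptions) and decodes PowerShell's -EncodedCommand argument so an analyst sees the script that actually ran rather than an opaque base64 blob.

```python
import base64
import re
from dataclasses import dataclass

# Activation methods the report names as "living off the land" binaries.
LOLBINS = {"mshta.exe", "rundll32.exe", "regasm.exe", "regsvr32.exe"}
# Unconventional extensions the report lists as carriers for malicious code.
UNCONVENTIONAL_EXTENSIONS = (".url", ".iqy", ".pub", ".wiz")


@dataclass(frozen=True)
class Finding:
    reason: str
    detail: str


def decode_encoded_command(cmdline):
    """Return the script text behind a PowerShell -EncodedCommand/-enc/-ec argument, or None.

    PowerShell expects that argument to be base64 of the UTF-16LE script text, so a
    detection that only greps the raw command line never sees the real payload.
    """
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Collect indicators for one process-creation event.

    The event shape {'image': ..., 'command_line': ...} is an assumption; map your
    EDR or Sysmon event ID 1 fields onto it.
    """
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    findings = []
    if image in LOLBINS:
        findings.append(Finding("lolbin_activation", image))
    for ext in UNCONVENTIONAL_EXTENSIONS:
        if re.search(r"\S" + re.escape(ext) + r"(?=\W|$)", cmd, re.IGNORECASE):
            findings.append(Finding("unconventional_extension", ext))
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(Finding("encoded_powershell", decoded))
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.IGNORECASE):
            findings.append(Finding("hidden_window", "-WindowStyle Hidden"))
        if re.search(r"\b(?:iex|invoke-expression|downloadstring)\b",
                     (decoded or "") + " " + cmd, re.IGNORECASE):
            findings.append(Finding("in_memory_execution", "IEX / DownloadString"))
    return findings


def suspicious_events(events, min_findings=2):
    """Return (event, findings) pairs carrying at least min_findings indicators.

    A lone LOLBin launch is routine (rundll32 loads Control Panel applets all day),
    so a single indicator is recorded but not alerted on.
    """
    hits = []
    for event in events:
        findings = triage(event)
        if len(findings) >= min_findings:
            hits.append((event, findings))
    return hits


# Constructed sample events; none come from a real incident.
SAMPLE_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\alice\Downloads\statement.pub"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + SAMPLE_ENCODED},
]

if __name__ == "__main__":
    for event, findings in suspicious_events(SAMPLE_EVENTS):
        print(event["command_line"])
        for f in findings:
            print("   ", f.reason, "->", f.detail)
```

The threshold of two indicators is the design choice worth arguing about: the rundll32 event above is perfectly normal and scores one, while mshta opening a .pub file and a hidden-window encoded PowerShell launch each score two. Tune the threshold against a week of your own telemetry before wiring it to paging.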

Hidden tunnels

In a report for The Wall Street Journal, contributor Adam Janofsky described the rising use of so-called “hidden tunnels,” which allow hackers to ride the coattails of legitimate business application traffic and protocols to make off with stolen data. Currently, this threat presents the most risk for financial organizations, where hackers can utilize tunnels to sneak past access control protections and intrusion detection solutions. However, the use of hidden tunnels can pose a threat to businesses in any industry.

“These tunnels work by blending in with legitimate applications that connect a company’s network to outside systems, such as third-party analytics tools, cloud-based financial applications and stock ticker feeds,” Janofsky wrote.

Once hackers enter a system, they can then steal considerable amounts of sensitive data and intellectual property, using additional tactics to cover their tracks. As opposed to stealing large files, hackers will break information down into smaller chunks that are less likely to set off alarms within an enterprise’s security solutions.

According to a report from Vectra Networks Inc., there are more hidden tunnels than one might expect. Researchers found that within the financial sector alone, approximately 23 tunnels, disguised through encryption, exist for every 10,000 devices. In other industries, there are only about 11 tunnels for every 10,000 devices.
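Because a hidden tunnel rides a sanctioned application and encrypts its contents, a defender rarely gets to inspect the payload; what remains observable is the shape of the traffic, and the chunking described above gives it a distinctive shape: many small outbound transfers to one external host at metronomic intervals. The Python below is an added example, not code from the WSJ piece or from Vectra; it scores constructed flow records (the Flow shape, the internal address ranges, the sample hosts in the RFC 5737 documentation ranges, the thresholds and the sanctioned-vendor list are all assumptions) and flags channels whose median payload is small and whose inter-flow gaps are regular.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, median, pstdev

# Address ranges treated as "inside"; adjust to the enterprise's own allocation.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    bytes_out: int


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def find_chunked_uploads(flows, min_flows=8, max_chunk_bytes=4096, max_jitter=0.25,
                         sanctioned=frozenset()):
    """Flag outbound channels made of many small, regularly spaced transfers.

    Each (src, dst, port) with at least min_flows outbound flows is scored on the
    median payload size and on how regular the gaps between flows are (population
    standard deviation divided by the mean gap). A channel that is both small and
    metronomic looks like an automated chunked upload rather than a person at a
    browser. (dst, port) pairs in `sanctioned` (known vendor endpoints) are skipped.
    """
    groups = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and (f.dst, f.dst_port) not in sanctioned:
            groups[(f.src, f.dst, f.dst_port)].append(f)
    alerts = []
    for (src, dst, port), fs in groups.items():
        if len(fs) < min_flows:
            continue
        fs.sort(key=lambda f: f.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(fs, fs[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        chunk = median(f.bytes_out for f in fs)
        if chunk <= max_chunk_bytes and jitter <= max_jitter:
            alerts.append({"src": src, "dst": dst, "port": port, "flows": len(fs),
                           "median_bytes": chunk, "jitter": round(jitter, 3),
                           "total_bytes": sum(f.bytes_out for f in fs)})
    return alerts


def _series(src, dst, port, start, gaps, sizes):
    """Build one flow series; gaps are seconds since the previous flow (first is an offset)."""
    ts, flows = start, []
    for gap, size in zip(gaps, sizes):
        ts = ts + timedelta(seconds=gap)
        flows.append(Flow(ts, src, dst, port, size))
    return flows


# Constructed sanctioned vendor endpoint (a monitoring agent's heartbeat target).
SANCTIONED = frozenset({("203.0.113.50", 443)})


def build_sample_flows():
    """Constructed flow records covering browsing, a chunked upload, a heartbeat and SMB."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    flows = []
    # Ordinary browsing: bursty timing, payload sizes all over the place.
    flows += _series("10.0.1.5", "198.51.100.10", 443, start,
                     [0, 5, 40, 2, 300, 13, 77, 1, 500, 9],
                     [1200, 48000, 900, 150000, 3300, 22000, 700, 86000, 5100, 64000])
    # Chunked exfiltration: small pieces roughly every 60 s to one external host on 443.
    flows += _series("10.0.2.9", "203.0.113.7", 443, start,
                     [0, 60, 61, 59, 60, 62, 58, 60, 60, 61, 59, 60],
                     [1800, 1900, 1750, 1820, 1880, 1790, 1850, 1810, 1900, 1770, 1830, 1860])
    # Sanctioned agent heartbeat: just as small and regular, but to a known vendor.
    flows += _series("10.0.1.5", "203.0.113.50", 443, start, [0] + [30] * 9, [300] * 10)
    # Internal file-share traffic: regular, but it never leaves the network.
    flows += _series("10.0.3.3", "10.0.0.20", 445, start, [0] + [10] * 9, [2048] * 10)
    return flows


if __name__ == "__main__":
    for alert in find_chunked_uploads(build_sample_flows(), sanctioned=SANCTIONED):
        print(alert)
```

The heartbeat series is the important false positive: by timing and size alone it is indistinguishable from the chunked upload, which is exactly why the detection needs an inventory of sanctioned external endpoints rather than a purely statistical rule. Without the allowlist both channels are flagged; with it only the 10.0.2.9 channel remains.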

Avoiding detection to ramp up data theft and damage

One of the biggest motivations for avoiding detection using these types of cybercriminal tactics is to support a longer and more drawn-out data breach. As Janofsky explained, such was the case with the Equifax Inc. breach – hackers purposely avoided using specific tools and tactics which would draw the attention of internal security stakeholders and protection programs. This enabled attackers to remain within the company’s systems for over four months.

Hackers’ ability to cover their tracks poses a significant threat to organizations in every industry. The ideal response to this threat environment is to work proactively: become aware of and educated about the strategies hackers leverage, and guard against those activities specifically.

To find out more about informing your security posture with the latest security strategies, connect with the experts at Trend Micro today.


DarkVishnya: Banks attacked through direct connection to local network

While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that an employee from the target company picks one up and plugs it in at the workplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

High-tech tables with sockets are great for planting hidden devices

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. To overcome the firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels.

Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access. Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, winexesvc.exe or psexec.exe to run executable files remotely.
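The first two DarkVishnya stages are visible to a defender who keeps two ordinary data sets: DHCP leases (a planted netbook or Raspberry Pi has to get an address from somewhere) and east-west connection records (the attackers swept the network for shares and planted TCP listeners on the ports listed in the indicators below). The Python below is an added example, not Kaspersky Lab code or anything recovered from the incidents; it parses constructed lease lines in an assumed generic format, compares them against a constructed asset inventory, and then looks at constructed connection records for a subnet-wide SMB sweep and for traffic on the report's shellcode listener and connect-back ports. The b8:27:eb prefix is the Raspberry Pi Foundation OUI; all other MACs, hostnames and addresses are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed DHCP lease lines in a generic "<date> <time> lease <ip> mac <mac> host <name>"
# shape (an assumption; ISC dhcpd or dnsmasq logs need their own regex).
LEASE_LOG = """\
2018-03-05 08:55:10 lease 10.20.5.31 mac aa:bb:cc:00:00:01 host FIN-WS-031
2018-03-05 09:02:51 lease 10.20.5.32 mac aa:bb:cc:00:00:02 host FIN-WS-032
2018-03-05 10:12:44 lease 10.20.5.77 mac b8:27:eb:12:34:56 host raspberrypi
2018-03-05 10:40:03 lease 10.20.5.78 mac cc:dd:ee:9f:00:aa host DESKTOP-K7Q2P
"""

# Constructed asset inventory: MAC -> asset tag. Anything absent is an unknown device.
INVENTORY = {"aa:bb:cc:00:00:01": "FIN-WS-031", "aa:bb:cc:00:00:02": "FIN-WS-032"}
# b8:27:eb is the Raspberry Pi Foundation OUI; a real deployment loads the full IEEE list.
OUI_TABLE = {"b8:27:eb": "Raspberry Pi Foundation"}
# Ports taken from the report's shellcode listener and connect indicators.
SHELLCODE_PORTS = {5190, 7900, 4444, 4445, 31337}

LEASE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lease (?P<ip>\S+) mac (?P<mac>[0-9a-f:]{17}) host (?P<host>\S+)$")


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str
    host: str


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"]))
    return leases


def find_rogue_devices(leases, inventory, oui_table):
    """Stage one: a lease whose MAC is not in the asset inventory is a candidate planted device."""
    rogues = []
    for lease in leases:
        if lease.mac in inventory:
            continue
        vendor = oui_table.get(lease.mac[:8], "unknown vendor")
        rogues.append({"ip": lease.ip, "mac": lease.mac, "host": lease.host, "vendor": vendor})
    return rogues


def find_lateral_activity(conns, min_scan_targets=20):
    """Stage two: one source touching many hosts on SMB, or any use of the shellcode ports.

    conns is an iterable of (src, dst, dst_port) tuples (shape assumed). Returns
    ({scanning_src: distinct_targets}, [(src, dst, port) on a shellcode port]).
    """
    smb_targets = defaultdict(set)
    port_hits = []
    for src, dst, dport in conns:
        if dport == 445:
            smb_targets[src].add(dst)
        if dport in SHELLCODE_PORTS:
            port_hits.append((src, dst, dport))
    scanners = {src: len(t) for src, t in smb_targets.items() if len(t) >= min_scan_targets}
    return scanners, port_hits


# Constructed connection records: the unknown device sweeps the subnet for shares,
# a workstation connects back to it on 4444, and it reaches a planted listener on 5190.
CONNECTIONS = [("10.20.5.77", "10.20.5.%d" % i, 445) for i in range(1, 26)]
CONNECTIONS += [("10.20.5.31", "10.20.5.40", 445),
                ("10.20.5.32", "10.20.5.77", 4444),
                ("10.20.5.77", "10.20.5.31", 5190)]

if __name__ == "__main__":
    for rogue in find_rogue_devices(parse_leases(LEASE_LOG), INVENTORY, OUI_TABLE):
        print("unknown device:", rogue)
    scanners, hits = find_lateral_activity(CONNECTIONS)
    print("SMB sweeps:", scanners)
    print("shellcode port traffic:", hits)
```

Two unknown devices come out of the lease check, and only the inventory can tell a visitor's laptop from a planted one, which is the point: without a maintained list of sanctioned MACs the first stage is invisible, and a Bash Bunny that enumerates as a keyboard never takes a lease at all. The connection check is the backstop for that case, since whatever the device looks like, the share sweep and the listener ports still show up on the wire.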

Verdicts

not-a-virus.RemoteAdmin.Win32.DameWare
MEM:Trojan.Win32.Cometer
MEM:Trojan.Win32.Metasploit
Trojan.Multi.GenAutorunReg
HEUR:Trojan.Multi.Powecod
HEUR:Trojan.Win32.Betabanker.gen
not-a-virus:RemoteAdmin.Win64.WinExe
Trojan.Win32.Powershell
PDM:Trojan.Win32.CmdServ
Trojan.Win32.Agent.smbe
HEUR:Trojan.Multi.Powesta.b
HEUR:Trojan.Multi.Runner.j
not-a-virus.RemoteAdmin.Win32.PsExec

Shellcode listeners

tcp://0.0.0.0:5190
tcp://0.0.0.0:7900

Shellcode connects

tcp://10.**.*.***:4444
tcp://10.**.*.**:4445
tcp://10.**.*.**:31337

Shellcode pipes

\\.\xport
\\.\s-pipe