Non-Malware Attacks: What They Are and How to Protect Against Them?


Non-malware attacks are on the rise. According to a study by the Ponemon Institute, 29 percent of the attacks organizations faced in 2017 were fileless. And in 2018, this number may increase up to 35 percent.

So, what are non-malware attacks, how do they differ from traditional threats, why are they so dangerous, and what can you do to prevent them? Keep reading and you’ll learn the answer to each of these questions.

Non-malware attacks: what are they?

Non-malware or fileless attack is a type of cyber attack in which the malicious code has no body in the file system. In contrast to the attacks carried out with the help of traditional malicious software, non-malware attacks don’t require installing any software on a victim’s machine. Basically, hackers have found a way to turn Windows against itself and carry out fileless attacks using built-in Windows tools.

The idea behind non-malware attacks is pretty simple: instead of dropping custom tools that could be flagged as malware, hackers use the tools that already exist on a device, take over a legitimate system process and run the malicious code in its memory space. This approach is also called “living off the land.”

This is how a non-malware attack usually happens:

  1. A user opens an infected email or visits an infected website
  2. An exploit kit scans the computer for vulnerabilities and uses them for inserting malicious code into one of Windows system administration tools
  3. Fileless malware runs its payload in an available DLL and starts the attack in the memory, hiding within a legitimate Windows process

Fileless malware can be downloaded from an infected website or email, introduced as malicious code from an infected application, or even distributed within a zero-day vulnerability.

Why are non-malware attacks so dangerous?

One of the main challenges posed by fileless malware is that it doesn’t use a traditional malware and, therefore, doesn’t have any signatures that an anti-malware software could use to detect it. Thus, detecting fileless attacks is extremely challenging.

To understand better why they pose so much danger, let’s take a look at some of the most recent examples of fileless attacks.

One of the first examples of fileless malware were Terminate-Stay-Resident (TSR) viruses. TSR viruses had a body from which they started, but once the malicious code was loaded to the memory, the executable file could be deleted.

Malware that uses vulnerabilities in such scripts as JavaScript or PowerShell is also considered to be fileless. Even the much-talked-of ransomware attacks WannaCry and NotPetya used fileless techniques as a part of their kill chains.

Another example of a non-malware attack is the UIWIX threat. Just like WannaCry and Petya, UIWIX uses the EternalBlue exploit. It doesn’t drop any files on the disk but instead enables the installation of the DoublePulsar backdoor that lives in the kernel’s memory.

How do non-malware attacks work?

Since non-malware attacks use default Windows tools, they manage to hide their malicious activity behind the legitimate Windows processes. As a result, they become nearly undetectable for most anti-malware products.

Main non-malware attack targets

The hackers need to obtain as many resources as possible while keeping their malicious activity undetected. This is why the majority of fileless attacks focuses on one of the two targets:

  • Windows Management Instrumentation (WMI)
  • PowerShell

Depending on their targets, fileless attacks may either run in RAM or exploit vulnerabilities in software scripts.

The attackers chose WMI and PowerShell for several reasons. First, both these tools are built into every modern version of Windows OS, making it easier for the hackers to spread their malicious code. Secondly, turning off any of these tools is not a good idea, since it’ll significantly limit what network administrators can do. Some experts, however, suggest disabling WMI and PowerShell anyway as a preventive measure against fileless attacks.

4 common types of non-malware attacks

There are many types and variations of fileless malware. Below, we listed the four most common ones:

  • Fileless persistence methods ― the malicious code continues to run even after the system reboot. For instance, malicious scripts may be stored in the Windows Registry and re-start the infection after a reboot.
  • Memory-only threats ― the attack executes its payload in the memory by exploiting vulnerabilities in Windows services. After a reboot, the infection disappears.
  • Dual-use tools ― the existing Windows system tools are used for malicious purposes.
  • Non-Portable Executable (PE) file attacks ― a type of dual-use tool attack that uses legitimate Windows tools and applications as well as such scripts as PowerShell, CScript or WScript.

Non-malware attack techniques

In order to perform a non-malware attack, hackers use different techniques. Here are the four most frequently used ones:

  • WMI persistence ― WMI repository is used for storing malicious scripts that can be periodically invoked via WMI bindings.
  • Script-based techniques ― hackers may use script files for embedding encoded shellcodes or binaries without creating any files on the disk. These scripts can be decrypted on the fly and executed via .NET objects.
  • Memory exploits ―fileless malware may be run remotely using memory exploits on a victim’s machine.
  • Reflective DLL injection ― malicious DLLs are loaded into a process’s memory manually, without the need to save these DLLs on the disk. The malicious DLL can be either embedded in infected macros or scripts, or hosted on a remote machine and delivered through a staged network channel.

Now, it’s time to talks about the ways you can protect your company against non-malware attacks.

5 ways of protection against non-malware attacks

Experts offer different ways of preventing and stopping fileless malware: from disabling the most vulnerable Windows tools to using next-generation anti-malware solutions. The following five suggestions may be helpful in protecting your company network against non-malware attacks.

  1. Restrict unnecessary management frameworks. The majority of non-malware threats is based on the vulnerabilities found in the management frameworks like PowerShell or WMI. The attackers use these frameworks to secretly execute commands on a victim’s machine while the infection lives in its memory. Thus it would be better to disable these tools wherever it’s possible.
  2. Disable macros. Disabling macros altogether prevents unsecure and untrusted code from running on your system. If using macros is a requirement for your enterprise’s end users, you can digitally sign trusted macros and restrict the usage of any other types of macros.
  3. Monitor unauthorized traffic. By constantly monitoring the security appliance logs from different devices, you can detect unauthorized traffic in your company’s network. It would also be helpful to record a set of baselines to understand better the network operating flow and be able to detect any anomalies, such as devices communicating with unauthorized remote devices or transmitting inordinate amounts of data.
  4. Use next-generation endpoint security solutions. In contrast to traditional anti-malware software, some endpoint solutions have a heuristics component able to perform basic system behavior analysis. Since certain types of malware have a specific set of common behavioral characteristics, heuristics-based methods can halt some activities that look like behavior-based threats, thus stopping a possible attack from delivering its full payload. In case of false positive, end users may manually authorize the process to continue.
  5. Keep all the devices updated. Patch management plays a significant role in securing your system and preventing possible breaches. By delivering the latest patches timely, you can effectively increase the level of your system’s protection against non-malware attacks.

Fileless attacks are on the rise mostly because they are so difficult to detect by standard anti-malware solutions. And while effectively detecting non-malware threats remains a challenge, these tips may help you prevent possible attacks from happening.

About the author: Marcell Gogan is a specialist within digital security solution business design and development, virtualization and cloud computing R&D projects, establishment and management of software research direction. He also loves writing about data management and cyber security.

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "https://ift.tt/2FjHHhN"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more