Living off the land: How malware is on the verge of becoming fileless
‘Living off the land’ may at first sound like farms and vegetable patches, but it is quickly gaining a new meaning for cyber attackers and security threats.
Already-installed tools, simple scripts and shellcode directly in memory are all an attacker needs to live off the land, meaning attacks create fewer new files on a hard drive or are completely fileless.
Dual-use tools such as PsExec; memory threats such as Code Red worm, fileless persistence (VBS) and non-PE file attacks such as macros or scripts all make up the four types of attacks.
According to Symantec, fewer files means bad news for tradition security detection tools, as they are less likely to block attacks.
The company says that the NotPetya ‘ransom’ outbreak is an example of how attackers used ‘living off the land’ techniques to target different parts of the world, as it used a compromised update of the accounting software platform Me.Doc.
It also used system commands as it infected computers; meaning it took advantage of account credential dumping protocols through Windows memory. Those credentials were then used to move the threat to various Admin shares on the network.
If it was lucky enough to access a remote system, it can execute remotely through PsExec and the Windows Management Instrumentation (WMI) command line tool.
That particular malware strain was able to hide its movements, delete system logs and create a scheduled task that makes the computer reboot with the modified master boot record, crippling the system.
Symantec says that malware and the WMI command line tool are no strangers: “Last year we observed an average of two percent of analysed malware samples making use of WMI for nefarious purpose, and the upward trend is clearly continuing.”
The company also says that attackers are making increased use of system tools not just for attacks, but for snooping. Threat groups such as Tick, Waterbug, Buckeye, Appleworm, Destroyer and Fritillary all use different system tools for reconnaissance and credential harvesting.
In particular, Fritillary uses PowerShell and Destroyer uses both Disk usage and event log viewer for monitoring purposes.
Symantec says that because email and infected websites are the most common ways to be infected by these types of malware, defences should focus on these key areas.
The company suggests that adopting best practices for network segregation, in-depth logging that includes system tools and an approach that doesn’t give all users advanced privileges should be the way forward for larger enterprises and networks.