Now I see you: detecting fileless malware
Attackers are determined to use increasingly sophisticated methods to circumvent protection. Using fileless malware increases stealth and attack efficiency. Last year, fileless methods were used in two large-scale campaigns to ransomware ( Petya and WannaCry ).
At the core of fileless attacks is a simple idea: if there are already tools on the device that can perform the tasks of an attacker (for example, PowerShell.exe or wmic.exe), then why place special programs on it that can be recognized as malicious? If an attacker can intercept control of the process, it will be more difficult to detect the attack in the memory space of such a process and use it to call the tools that already exist on the device.
Successful application of this approach using local resources is a complex task. Among other things, attackers need to solve the persistence problem. When you turn off the power, the information in memory is not saved, and if the files are not recorded on the disk, the attackers have a question: how to ensure the autorun of their code and maintain control over the compromised system after the reboot?
')
In April 2016, a client was turned into cyber abuse by a Microsoft incident response team. The attackers demanded a significant amount from him for not publishing confidential corporate information stolen from compromised client computers. At the same time, they threatened to “crush” his network if the client turns to law enforcement agencies. The situation was difficult.
Also, Microsoft researchers have learned that attackers twice tried to encrypt files using an ransomware program. Fortunately, these attempts failed. As it turned out, the threat to destroy the network was a “plan B” to extract profits from an attack in case “plan A” did not work.
Moreover, the researchers also found that the attackers had been secretly present on the network for at least seven months, using two different channels.
Misfox did not place executable files on the computer, but the script recorded in the registry ensured persistence of the malicious program.
Misfox is an example of how fileless components can be embedded in a sequence of cyber attacks. Attackers use different fileless methods that make it difficult to detect malicious implants. Among them:
Microsoft 365 includes a new generation of security technologies to protect devices, SaaS applications, email and infrastructure from a wide range of attacks. The following are components of Microsoft 365 related to Windows that allow you to detect fileless attacks and prevent infection.
Windows Defender Antivirus (WDAV) blocks the vast majority of malware using common, heuristic and behavioral detection methods, using both local and cloud machine learning models. Windows Defender Antivirus provides protection against malware due to the following features:
Windows Defender Exploit Guard (WDEG) is a new set of functions to protect against intrusion at the host level, which helps to reduce the vulnerable zone by blocking a wide range of attack vectors on the device. To stop fileless attacks, use the following methods:
Windows Defender Application Control (WDAC) offers a mechanism for implementing strict code integrity policies and allows only trusted applications to run. To combat fileless attacks, this component puts PowerShell into restricted language mode , which prevents you from using advanced language tools that can run code that cannot be checked — for example, direct .NET scripts, Win32 API call through Add-Type cmdlet, and interaction with COM -objects. This effectively prevents attacks with reflexive DLL injection through PowerShell.
Windows Defender Advanced Threat Protection (WDATP) is an integrated platform for desktop endpoint protection (EPP) and endpoint detection and endpoint detection (EDR). If the security of the system is already compromised, ATP notifies users of the company about sophisticated attacks of increased complexity on devices and corporate networks, which could not be prevented with the help of other preventive remedies. To detect such attacks, the service uses detailed data from global security systems, advanced behavioral analysis and machine learning. It allows you to detect fileless malware in several ways:
According to NSS Labs , an independent security expert, Microsoft Edge browser blocks more phishing sites and malware using social engineering techniques than other browsers. Microsoft Edge counteracts fileless attacks with anti-arbitrary code protection features that block the execution of arbitrary code, including malicious DLLs. This helps avoid attacks with reflexive DLL injection. In addition, Microsoft Edge provides a wide range of protection against fileless and other threats through the integration of Windows Defender Application Guard and Windows Defender SmartScreen technology.
Zaid Arafeh
Senior Program Manager, Windows Defender Research Team
Original source
At the core of fileless attacks is a simple idea: if there are already tools on the device that can perform the tasks of an attacker (for example, PowerShell.exe or wmic.exe), then why place special programs on it that can be recognized as malicious? If an attacker can intercept control of the process, it will be more difficult to detect the attack in the memory space of such a process and use it to call the tools that already exist on the device.
Successful application of this approach using local resources is a complex task. Among other things, attackers need to solve the persistence problem. When you turn off the power, the information in memory is not saved, and if the files are not recorded on the disk, the attackers have a question: how to ensure the autorun of their code and maintain control over the compromised system after the reboot?
')
Misfox: Fileless Network Threats
In April 2016, a client was turned into cyber abuse by a Microsoft incident response team. The attackers demanded a significant amount from him for not publishing confidential corporate information stolen from compromised client computers. At the same time, they threatened to “crush” his network if the client turns to law enforcement agencies. The situation was difficult.
referenceThe Microsoft incident response team investigated the computers on the network, discovered target implants, and analyzed the degree of compromise. The client used a well-known third-party anti-virus product that was installed on most computers. Despite the update with the latest signatures, the antivirus did not detect any of the target implants.
The number of detections of Misfox by means of Windows Defender Antivirus in the second quarter of 2017, compared with the first quarter of the same year, more than doubled.
Also, Microsoft researchers have learned that attackers twice tried to encrypt files using an ransomware program. Fortunately, these attempts failed. As it turned out, the threat to destroy the network was a “plan B” to extract profits from an attack in case “plan A” did not work.
Moreover, the researchers also found that the attackers had been secretly present on the network for at least seven months, using two different channels.
- The first of these channels included a backdoor called Swrort.A , which was deployed on several computers. This backdoor was easily detected by the antivirus.
- The second channel was much more sophisticated and interesting:
- He did not infect files on the device.
- He did not leave artifacts on the disk.
- It could not be detected using the usual file checking methods.
Is it time to turn off PowerShell?The second tool was a fileless malware called Misfox . When running in memory, Misfox did the following:
Not. PowerShell is a powerful and secure tool that is important to many system and IT infrastructure functions. Malicious PowerShell scripts used by hackers are a consequence of the introduction of malicious programs and can only be implemented after the initial compromise. Malicious use of PowerShell is a symptom of an attack that began with other malicious actions, such as exploiting software vulnerabilities, using social engineering techniques or stealing credentials. Therefore, we must not allow attackers to use PowerShell for their own purposes. How to provide such protection, read on.
- Created the registry key that ran the single-line PowerShell cmdlet.
- Launched a disguised PowerShell script stored in the blob registry. This masked PowerShell script contained a portable executable file (PE) loader that loaded a PE file from the registry, encoded using the Base64 algorithm.
Misfox did not place executable files on the computer, but the script recorded in the registry ensured persistence of the malicious program.
Fileless Methods
Misfox is an example of how fileless components can be embedded in a sequence of cyber attacks. Attackers use different fileless methods that make it difficult to detect malicious implants. Among them:
- Reflexive DLL Injection
Reflexive injection of DLLs allows loading DLLs into the process memory without saving them on a local disk. A malicious DLL can be located on a remote computer controlled by an attacker and delivered via a compromised network channel (for example, via TLS). It can also be implemented in disguised form, for example, through macros and scripts. As a result, attackers manage to bypass the monitoring and tracking tools for loading executables in the operating system. An example of malware using reflective DLL injection is HackTool: Win32 / Mikatz! Dha . - Memory exploits
Attackers use fileless exploits in memory to remotely launch arbitrary code on affected computers. For example, the threat of UIWIX uses the EternalBlue exploit that was involved in Petya and WannaCry. According to observations, he installed the DoublePulsar backdoor, which completely fits in the kernel memory (SMB Send Table). Unlike Petya and Wannacry, UIWIX does not allocate files to disk. - Script based methods
Scripting languages ​​offer efficient means for delivering a fully executable payload. Script files can embed encrypted shellcodes or binary objects, which can be decrypted without writing to disk during execution via .NET objects or directly using the API. The scripts themselves can be hidden in the registry (as in the case of Misfox). They can be read from network streams or launched by an attacker manually using the command line without accessing the disk. - Save to WMI
In a number of observed cases, attackers used the Windows Management Instrumentation (WMI) repository to save malicious scripts, which were then periodically invoked via WMI bindings. Expanded examples of the use of such technology are given in this article [PDF].
Ways to protect against fileless malware in Microsoft 365
Microsoft 365 includes a new generation of security technologies to protect devices, SaaS applications, email and infrastructure from a wide range of attacks. The following are components of Microsoft 365 related to Windows that allow you to detect fileless attacks and prevent infection.
The board
Along with special means of protection against fileless attacks, Windows 10 includes other security technologies of the new generation to counter attacks in general. For example, Windows Defender Application Guard allows you to stop the download and launch of malicious programs (both fileless and others) through Microsoft Edge and Internet Explorer. You can read more about the Microsoft 365 security and management features in the Windows 10 Fall Creators Update here .
Windows Defender Antivirus
Windows Defender Antivirus (WDAV) blocks the vast majority of malware using common, heuristic and behavioral detection methods, using both local and cloud machine learning models. Windows Defender Antivirus provides protection against malware due to the following features:
- Detection of attacks using scripts using the AMSI antimalware scan interface , which allows you to check PowerShell scripts and other types even with multiple masking levels.
- Detection and removal of malware attempting to persist through WMI by scanning the WMI repository — both intermittently and when registering anomalous behavior.
- Detection of reflexive DLL injection using advanced memory checking and behavior monitoring methods.
Windows Defender Exploit Guard
Windows Defender Exploit Guard (WDEG) is a new set of functions to protect against intrusion at the host level, which helps to reduce the vulnerable zone by blocking a wide range of attack vectors on the device. To stop fileless attacks, use the following methods:
- Protection against memory core exploits, such as EternalBlue, with the help of the Hypervisor Code Integrity Service (HVCI), which with high efficiency prevents the introduction of malicious code through vulnerabilities of software running in kernel mode
- Preventing memory exploits in user mode using an exploit protection module that includes a number of exploit prevention tools used at the operating system level or at the level of individual applications
- Protecting (among other things) against various fileless attacks that use scripts, through the rules of reducing the vulnerable zone (ASR) , which block certain application behavior
The board
In addition to technical controls, effective administrative control of staff and processes is also important. To use fileless techniques on a remote computer using PowerShell scripts and WMI tools, an attacker needs privileged access to such a computer. Such access can be obtained if insufficiently secure administration methods are used (for example, configuring the execution of a Windows service in the context of a domain administrator account), which can steal credentials. Read more about securing privileged access here .
Windows Defender Application Control
Windows Defender Application Control (WDAC) offers a mechanism for implementing strict code integrity policies and allows only trusted applications to run. To combat fileless attacks, this component puts PowerShell into restricted language mode , which prevents you from using advanced language tools that can run code that cannot be checked — for example, direct .NET scripts, Win32 API call through Add-Type cmdlet, and interaction with COM -objects. This effectively prevents attacks with reflexive DLL injection through PowerShell.
Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (WDATP) is an integrated platform for desktop endpoint protection (EPP) and endpoint detection and endpoint detection (EDR). If the security of the system is already compromised, ATP notifies users of the company about sophisticated attacks of increased complexity on devices and corporate networks, which could not be prevented with the help of other preventive remedies. To detect such attacks, the service uses detailed data from global security systems, advanced behavioral analysis and machine learning. It allows you to detect fileless malware in several ways:
- Detection with the help of special tools that register the anomalous memory allocation of hidden attacks using such fileless methods as reflexive use of DLLs .
- Detecting script-free fileless attacks using the AMSI antimalware scan interface , which checks when running PowerShell and other components using scripts, and using machine-learning models.
Microsoft Edge Browser
According to NSS Labs , an independent security expert, Microsoft Edge browser blocks more phishing sites and malware using social engineering techniques than other browsers. Microsoft Edge counteracts fileless attacks with anti-arbitrary code protection features that block the execution of arbitrary code, including malicious DLLs. This helps avoid attacks with reflexive DLL injection. In addition, Microsoft Edge provides a wide range of protection against fileless and other threats through the integration of Windows Defender Application Guard and Windows Defender SmartScreen technology.
Zaid Arafeh
Senior Program Manager, Windows Defender Research Team
Original source
Source: https://habr.com/ru/post/352376/
All Articles