Now I see you: file-free malware detection

    Attackers are committed to using increasingly sophisticated methods to circumvent security features. The use of file-free malware increases the invisibility and effectiveness of the attack. Last year, file-free methods were used during two large-scale ransomware distribution campaigns ( Petya and WannaCry ).

    Fileless attacks are based on a simple idea: if the device already has tools that can perform malicious tasks (for example, PowerShell.exe or wmic.exe), then why put special programs on it that can be recognized as malicious? If an attacker can take control of a process, run his code in the memory space of such a process and use it to call funds that are already on the device, it will be more difficult to detect an attack.

    Successfully applying this approach using local resources is a complex task. Among other things, attackers need to solve the persistence problem. When the power is turned off, the information is not stored in memory, and if the files are not written to disk, the attackers are faced with the question: how to ensure autorun of their code and maintain control over a compromised system after a reboot?

    Misfox: fileless threat to networks

    In April 2016, a client contacted the Microsoft Incident Response Team regarding cyber-extortion. Attackers demanded a significant amount from him for not publishing confidential corporate information stolen from compromised client computers. At the same time, they threatened to “crush” his network if the client turned to law enforcement agencies. The situation was complicated.
    Help The
    number of Misfox detections by Windows Defender Antivirus in the second quarter of 2017 compared to the first quarter of the same year more than doubled.
    The Microsoft Incident Response Team examined computers on the network, found targeted implants, and analyzed the degree of compromise. The client used a well-known third-party antivirus product that was installed on most computers. Despite the update with the latest signatures, the antivirus did not detect any of the target implants.

    Also, Microsoft researchers found out that attackers twice tried to encrypt files using a ransomware program. Fortunately, these attempts failed. As it turned out, the threat of destroying the network was a “plan B” for profit from the attack in case “plan A” does not work.

    Moreover, the researchers also found that the attackers had been secretly present on the network for at least seven months using two different channels.

    • The first of these channels included a backdoor called Swrort.A , which was deployed on several computers. This backdoor was easily detected by antivirus.
    • The second channel turned out to be much more refined and interesting:
      • It did not infect files on the device.
      • He did not leave artifacts on the disk.
      • It could not be detected using conventional file verification methods.
    Is it time to turn off PowerShell?
    Not. PowerShell is a powerful and secure tool that is critical to many system and IT infrastructure functions. The malicious PowerShell scripts used by cybercriminals are a consequence of the introduction of malicious programs and can only be implemented after the initial compromise. Malicious use of PowerShell is a symptom of an attack that began with other malicious activities, such as exploiting software vulnerabilities, using social engineering methods, or stealing credentials. Therefore, you must not allow attackers to use PowerShell for their own purposes. Read how to provide this protection.
    The second tool was a file-free malware called Misfox . When executed in memory, Misfox did the following:

    • Created a registry key that ran the single-line PowerShell cmdlet.
    • Runs a disguised PowerShell script stored in a registry of blobs. This disguised PowerShell script contained a portable executable (PE) bootloader that loaded a PE64 encoded Base64 file from the registry.

    Misfox did not place executable files on the computer, however, the script recorded in the registry ensured that the malware was preserved.

    Fileless Methods

    Misfox is an example of how fileless components can be embedded in a sequence of cyber attack stages. Attackers use different file-free methods that make it difficult to detect malicious implants. Among them:

    1. Reflective implementation of DLLs
      Reflective implementation of DLLs allows loading DLLs into process memory without saving them to a local disk. A malicious DLL can be located on a remote computer controlled by an attacker and delivered via a compromised network channel (for example, via the TLS protocol). It can also be implemented in disguised form, for example, through macros and scripts. As a result, attackers manage to bypass the monitoring and tracking tools for loading executable modules in the operating system. An example of malware using the reflexive injection of DLLs is HackTool: Win32 / Mikatz! Dha .
    2. Exploits in memory
      Attackers use fileless exploits in memory to remotely run arbitrary code on infected computers. For example, the UIWIX threat uses the EternalBlue exploit, which was used by Petya and WannaCry. According to observations, he installed the DoublePulsar backdoor, which completely fits in the kernel memory (SMB send table). Unlike Petya and Wannacry, UIWIX does not place files on disk.
    3. Script-Based Methods Scripting
      languages ​​offer powerful tools for delivering fully in-memory payloads. Script files can embed encrypted shell codes or binary objects, which can be decrypted without writing to disk during execution through .NET objects or directly using the API. The scripts themselves can be hidden in the registry (as in the case of Misfox). They can be read from network streams or launched manually by an attacker using the command line without accessing the disk.
    4. Saving to WMI
      In a number of cases, attackers used the Windows Management Instrumentation (WMI) repository to save malicious scripts that were then periodically called through WMI bindings. Detailed examples of the use of such a technique are given in this article [PDF].

    File 365 malware protection options

    Microsoft 365 includes a new generation of security technologies to protect devices, SaaS applications, email and infrastructure from a wide range of attacks. The following are Microsoft 365 related Windows components that can detect fileless attacks and prevent infection.
    Along with special protection against fileless attacks, Windows 10 also includes other next-generation security technologies to counter attacks in general. For example, Windows Defender Application Guard allows you to stop the download and launch of malicious programs (both fileless and others) through Microsoft Edge and Internet Explorer. You can read more about the security and management features of Microsoft 365 in the Windows 10 Fall Creators Update here .

    Windows Defender Antivirus

    Windows Defender Antivirus (WDAV) blocks the vast majority of malware using common, heuristic and behavioral detection methods using both local and cloud based machine learning models. Windows Defender Antivirus provides protection against malware through the following features:

    • Detection of attacks using scripts using the AMSI anti- malware scanning interface , which allows you to scan PowerShell and other types of scripts even at several levels of masking.
    • Detection and removal of malware trying to persist through WMI by scanning the WMI repository - both periodic and when registering abnormal behavior.
    • Detect reflexive injection of DLLs using in-depth memory checking and behavior monitoring techniques.

    Windows Defender Exploit Guard

    Windows Defender Exploit Guard (WDEG) is a new set of host-level intrusion protection features that helps reduce the vulnerable zone by blocking a wide range of attack vectors on the device. The following methods are used to stop fileless attacks:

    • Protection against exploits of the memory core, such as EternalBlue, using the Hypervisor Code Integrity Service (HVCI), which with high efficiency prevents malicious code from being injected through vulnerabilities in kernel-mode software
    • Preventing memory exploits in user mode with the exploit protection module , which includes a number of tools to prevent exploits used at the operating system level or at the application level
    • Protect (among other things) from various file-free attacks using scripts by means of rules of reduction of a vulnerable zone (ASR) which block certain behavior of applications
    In addition to technical controls, effective administrative control of employees and processes is also important. To use fileless techniques on a remote computer using PowerShell scripts and WMI tools, an attacker needs privileged access to such a computer. Such access can be obtained if insufficiently secure administration methods are used (for example, setting up Windows service execution in the context of a domain administrator account) that allow to steal credentials. Read more about securing privileged access here .

    Windows Defender Application Control

    Windows Defender Application Control (WDAC) offers a mechanism for implementing strict code integrity policies and only allows trusted applications to run. To combat file-free attacks, this component puts PowerShell in restricted language mode , which prevents the use of advanced language tools that can run code that cannot be verified, for example, direct .NET scripts, calling the Win32 API through the Add-Type cmdlet and interacting with COM -objects. This effectively prevents reflexive library injection attacks through PowerShell.

    Windows Defender Advanced Threat Protection

    Service the Windows Defender the Advanced Threat Protection (WDATP) - an integrated platform protection jobs (Windows Endpoint Protection, EPP) and the means of detecting attacks on endpoints and to respond to these attacks (Endpoint Detection and Response, EDR) . If the security of the system has already been compromised, ATP notifies company users of sophisticated attacks of increased complexity on devices and corporate networks that could not be prevented with other preventive security measures. To detect such attacks, the service uses details from global security systems, advanced behavior analysis, and machine learning. It allows you to detect file-free malware in several ways:

    • Identify using special tools that detect abnormal memory allocation, hidden attacks using file-free methods such as reflexive injection of DLLs .
    • Detection of script-based file-free attacks using the AMSI anti-malware scanning interface , which checks when PowerShell and other components using scripts are run, and uses machine learning models.

    Microsoft Edge Browser

    According to NSS Labs , an independent security expert , the Microsoft Edge browser blocks more phishing sites and malware using social engineering methods than other browsers. Microsoft Edge counteracts file-free attacks with anti-arbitrary code features that block the execution of arbitrary code, including malicious DLLs. This helps to avoid reflexive DLL injection attacks. In addition, Microsoft Edge provides a wide range of protection against fileless and other threats through the integration of Windows Defender Application Guard and Windows Defender SmartScreen technology.

    Zaid Arafeh
    Senior Program Manager, Windows Defender Research Team

    Also popular now: