In early 2018, there is a shift from using malicious.exe for PDF, DOC attachments via emails to fileless techniques to deploy malware in the systems. Fileless malware also known as an invisible threat. It is hard to detect as it resides in system memory and Windows tools are hijacked to perform these attacks. So there is no interference of victim in these kinds of attacks.
Using tools already installed on PC or run simple scripts and shell-code in memory via Windows Power Shell. The malicious scripts are also frequently hidden in the windows registry and Windows Management System (WMS). This technique is also “Living Off the Land”.
Fileless attacks were at its highest peak in 2017 and early 2018 as fileless malware is so powerful that security products cannot just block the systems or software that these are utilizing RAM and Windows tools and it does not have any executable file (Malicious files) on disk to detect. Fileless malware does not leave any traces behind some of fileless attacks were Kovter, Hancitor, Sorebrect ransomware.
Fileless attacks technique mostly uses below:
- Windows registry manipulation
- Memory code injection
- Powershell, Wscript or Cscript based
It is estimated that in 2018 almost 35 percent of cyber attacks are comprised of fileless technique.
Exploits: Exploits are programs or code that take the advantage of any system vulnerability (flaws) to performed attack on a system or use for gaining privileged access and thereby control the system. Exploits attacks are considered powerful as they do not require interaction with victims.
In recent days of 2018, research revealed that nearly every computer chip manufactured in the last 20 years contains two major vulnerabilities known as spectre (cve-2017-5753) and meltdown(cve-2017-5715). Microsoft has released its patches to fix this but still, its traces remain and they are trying to completely eliminate it. Some zero-day exploits including flash (cve-2018-4878) and internet explorer (cve-2018-8174). In addition to this, adobe reader zero-day (cve-2018-4990) and flash player vulnerability (cve-2018-5002) which allows a maliciously crafted flash object to execute code on victims computer these vulnerabilities are fixed by Adobe but it was largely hampered in middle east countries.
There are basically two types of exploits: Known and Unknown. Known Exploits are those who take the advantage of a known vulnerability in software and systems. Developers have already created patches for the same but it is not easy to maintain for every piece of software. Unknown exploits or Zero-Day are those which are not yet been in Public. This can be due to Cybercriminals have spotted it before the developers and users as an opportunity to carry out exploit attack.
How can attacks be avoided?
- There are not full-fledged detection provided by security antivirus for these attacks. But take some preventive measures to avoid these attack.
- Keep Windows, software’s (Adobe, MS-Office etc) up to date.
- Regularly scan PC for infections, vulnerabilities and keep antivirus updated.
- Install browsers protection on PC and disable direct plugins download of software like Adobe.
- Disable Power shell and WMI if not using.
- Security is getting more expensive and difficult to manage so little awareness can secure business.
- Install an advanced internet security software like REVE Antivirus capable of detecting and blocking malicious documents, spam, and exploits that are designed to take advantage of installed software’s, browsers and system vulnerabilities.