A new threat is targeting large companies: malware called fileless does not infect files but resides in the RAM of the victim PC. The most exploited types of attacks nowadays use so called fileless malware and do not involve the installation of any file on the hard disk. Therefore, it is clear that traditional antivirus are not able to detect the threat and attackers are increasingly exploiting these technologies.
Hackers prefer fileless attacks because:
- they are extremely quiet, operating directly in memory or in the registry;
- They are not persistent per se and make forensic activities extremely complicated;
- They do not require the installation of external tools but they use what is natively available;
- they are executable in a simple way because they are present in frameworks freely available on the market, such as Cobalt Strike, Metasploit and Empire. Let’s think specifically about Meterpreter, made available in Metasploit Framework. It perfectly embodies the fileless payload typology. It must be underlined that all these frameworks are studied and proposed for ethical hacking activities but, often, they are also exploited by cyber criminals.
A cyber attack carried out using fileless malware occurs in two phases.
Phase 1: Initial system compromise
- Remote exploit execution
- Brute force attacks
- Script-based attacks
Phase 2: Post Exploitation
- Privilege escalation
- UAC bypass
- Credential dumps
- Execution of payloads
- reflective DLL Injection
- Persistence
- placement of malicious scripts in the registry
- GPO exploitation
- exploitation of Windows Management Instrumentation
- Lateral movements via remote access tools and software execution
However, the general guidelines are to keep your systems up-to-date, especially with the installation of security patches. These updates are able to eliminate or limit the attack surface for an attacker who, let’s remember, uses the “live off the land” method. Less vulnerable software, less risk.
Always use common sense when handling email and surfing the Internet. Fileless malware, as in the case of Rozena, is often delivered using social engineering techniques. Be careful and ask your IT department before proceeding to open an attachment contained in a suspicious email or accepting the execution of software on a website of dubious reputation.