Recorded June 2020

TOPIC: Fileless Malware, we think NOT

OUR SPONSORS:

OUR GUESTS WILL BE:

• Tyler Hudak - Practice Lead, Incident Response - TrustedSec

  • @secshoggoth

  • www.trustedsec.com

• Martin Brough - Cybersecurity Expert for Acronis

  • @TheHackerNinja

  • Website - infosec512.com

Upcoming Training:

• SANS DFIR Summit - Running Processes, the Red Team and Bad Actors are using them

  • July 17-18

• Article in eForensics Magazine on ARTHIR covered in Episode 011

  1. Visit the website and register to get the free edition

• BSides Cleveland - Tyler’s Forensic Analysis

  1. Friday June 19th - Tactical WIndows Forensics

  2. https://www.bsidescleveland.com/training

  3. Will be held and/or released at another event soon

• Preparing for an Incident - NCC Group webinar.. Free to all

  1. July 22nd

  2. newsroom.nccgroup.com/events

Job Opp:

• NCC Group has a position, remote, Incident Response engineer, with AWS, GCP, Azure experience.  You get to work with ME.

  • https://nccgroup.wd3.myworkdayjobs.com/en-US/NCC_Group/job/Manchester/Senior-Cyber-Incident-Response_R2595

NEWS-WORTHY:

Cylance blocks LOG-MD-Premium Running Process check

• Ticket opened, users must exclude LOG-MD from being checked

Windows malware opens RDP ports on PCs for future remote access

• https://www-zdnet-com.cdn.ampproject.org/c/s/www.zdnet.com/google-amp/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/

Exploit code for wormable flaw on unpatched Windows devices published online

• (SMBGhost) - Processing of a malformed compressed message - Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as ThreatPost points out, is the same version that was targeted by the WannaCry ransomware a couple of years ago

The US Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible

ENABLE THE WINDOWS FIREWALL !!!! BLock SMB to workstations, and you will get better logging too ;-)

• https://arstechnica.com/information-technology/2020/06/exploiting-wormable-flaw-on-unpatched-windows-devices-is-about-to-get-easier/

Microsoft warns of vulnerabilities in SMBv3 (Eternal Darkness)

• Microsoft warns of vulnerabilities in SMBv3

Netwalker Fileless Ransomware Injected via Reflective Loading

• https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/

80% of hacking-related breaches leverage compromised credentials

• https://securityboulevard.com/2020/06/80-of-hacking-related-breaches-leverage-compromised-credentials/

SITE-WORTHY:

• THE IR Crew

  1. MITRE ATTACK

     1. https://attack.mitre.org/

  1. Guest - Tyler

     1. https://www.incidentresponse.com/playbooks/

  2. Guest - Martin

     1. Sandbox - https://app.any.run

TOOL-WORTHY:

• The IR crew

  1. LOG-MD-Professional

  2. Volatility

• Guest 1 - Tyler

  1. MFTECmd

     1. https://github.com/EricZimmerman/MFTECmd/releases

     2. KAPE, or rawcopy, or other tools to capture MFT before processing

• Guest 2 - Martin

  1. NetworkMiner

     1. https://www.netresec.com/?page=NetworkMiner

MALWARE OF THE MONTH:

Dridex fileless malware:

1. Key Detection points

   • Well… in memory only “fileless”

   • Rundll32 calling malicious DLL 

   • Parent Child relationship

   • Rundll32.exe calling SysWow64\Rundll32.exe

1. PREVENTION

   1. Scan email attachments

   2. Block Macro execution

   3. Block uncategorized websites

   4. Application Whitelist Users directory

   5. Lock down PowerShell

   6. EDR

TOPIC OF THE DAY:

Fileless Malware, we don’t think so

1. What is “Fileless Malware”?

   1. Cyberreason - Unlike file-based attacks, fileless malware does not leverage traditional executable files. Fileless attacks abuse tools built-in to the operating system to carry out attacks. Essentially, Windows is turned against itself.

Without an executable, there is no signature for antivirus software to detect. This is part of what makes fileless attacks so dangerous - they are able to easily evade antivirus products.

1. McAfee - Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.

2. CarbonBlack - Fileless malware refers to a cyberattack technique that uses existing software, allowed applications, and authorized protocols to carry out malicious activities.

3. WikiPedia - Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM.

It does not write any part of its activity to the computer's hard drive meaning that it's very resistant to existing Anti-computer forensic strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaves very little by way of evidence that could be used by digital forensic investigators to identify illegitimate activity.

As malware of this type is designed to work in-memory, its longevity on the system exists only until the system is rebooted.

MGs definition

1. So what do WE think Fileless Malware is?

   1. The IR crew

   2. Tyler

   3. Martin

2. A better way to define Fileless Malware and WHY

   1. Memware

   2. Regware

   3. WMIware

   4. PowerShellware

   5. Wormware

   6. LolBin/LolBasware

   7. And malware

   8. .NETware compile on the fly (compileware)

   9. bootware

3. How does this change our evaluation of malware?

4. How does this change our IR or THreat Hunting process?

5. How does this change how we detect and alert on malware?

6. Final thoughts

Other Articles:

-------------------

Cybereason - FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS 

• https://www.cybereason.com/blog/fileless-malware

McAfee - What Is Fileless Malware?

• https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html