Recorded June 2020
TOPIC: Fileless Malware, we think NOT
OUR SPONSORS:
OUR GUESTS WILL BE:
Tyler Hudak - Practice Lead, Incident Response - TrustedSec
@secshoggoth
www.trustedsec.com
Martin Brough - Cybersecurity Expert for Acronis
@TheHackerNinja
Website - infosec512.com
Upcoming Training:
SANS DFIR Summit - Running Processes, the Red Team and Bad Actors are using them
July 17-18
Article in eForensics Magazine on ARTHIR covered in Episode 011
Visit the website and register to get the free edition
BSides Cleveland - Tyler’s Forensic Analysis
Friday June 19th - Tactical WIndows Forensics
https://www.bsidescleveland.com/training
Will be held and/or released at another event soon
Preparing for an Incident - NCC Group webinar.. Free to all
July 22nd
newsroom.nccgroup.com/events
Job Opp:
NCC Group has a position, remote, Incident Response engineer, with AWS, GCP, Azure experience. You get to work with ME.
https://nccgroup.wd3.myworkdayjobs.com/en-US/NCC_Group/job/Manchester/Senior-Cyber-Incident-Response_R2595
NEWS-WORTHY:
Cylance blocks LOG-MD-Premium Running Process check
Ticket opened, users must exclude LOG-MD from being checked
Windows malware opens RDP ports on PCs for future remote access
https://www-zdnet-com.cdn.ampproject.org/c/s/www.zdnet.com/google-amp/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/
Exploit code for wormable flaw on unpatched Windows devices published online
(SMBGhost) - Processing of a malformed compressed message - Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as ThreatPost points out, is the same version that was targeted by the WannaCry ransomware a couple of years ago
The US Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible
ENABLE THE WINDOWS FIREWALL !!!! BLock SMB to workstations, and you will get better logging too ;-)
https://arstechnica.com/information-technology/2020/06/exploiting-wormable-flaw-on-unpatched-windows-devices-is-about-to-get-easier/
Microsoft warns of vulnerabilities in SMBv3 (Eternal Darkness)
Microsoft warns of vulnerabilities in SMBv3
Netwalker Fileless Ransomware Injected via Reflective Loading
https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/
80% of hacking-related breaches leverage compromised credentials
https://securityboulevard.com/2020/06/80-of-hacking-related-breaches-leverage-compromised-credentials/
SITE-WORTHY:
THE IR Crew
MITRE ATTACK
https://attack.mitre.org/
Guest - Tyler
Guest - Martin
Sandbox - https://app.any.run
TOOL-WORTHY:
The IR crew
LOG-MD-Professional
Volatility
Guest 1 - Tyler
MFTECmd
KAPE, or rawcopy, or other tools to capture MFT before processing
Guest 2 - Martin
NetworkMiner
MALWARE OF THE MONTH:
Dridex fileless malware:
Key Detection points
Well… in memory only “fileless”
Rundll32 calling malicious DLL
Parent Child relationship
Rundll32.exe calling SysWow64\Rundll32.exe
PREVENTION
Scan email attachments
Block Macro execution
Block uncategorized websites
Application Whitelist Users directory
Lock down PowerShell
EDR
TOPIC OF THE DAY:
Fileless Malware, we don’t think so
What is “Fileless Malware”?
Cyberreason - Unlike file-based attacks, fileless malware does not leverage traditional executable files. Fileless attacks abuse tools built-in to the operating system to carry out attacks. Essentially, Windows is turned against itself.
Without an executable, there is no signature for antivirus software to detect. This is part of what makes fileless attacks so dangerous - they are able to easily evade antivirus products.
McAfee - Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.
CarbonBlack - Fileless malware refers to a cyberattack technique that uses existing software, allowed applications, and authorized protocols to carry out malicious activities.
WikiPedia - Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM.
It does not write any part of its activity to the computer's hard drive meaning that it's very resistant to existing Anti-computer forensic strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaves very little by way of evidence that could be used by digital forensic investigators to identify illegitimate activity.
As malware of this type is designed to work in-memory, its longevity on the system exists only until the system is rebooted.
MGs definition
So what do WE think Fileless Malware is?
The IR crew
Tyler
Martin
A better way to define Fileless Malware and WHY
Memware
Regware
WMIware
PowerShellware
Wormware
LolBin/LolBasware
And malware
.NETware compile on the fly (compileware)
bootware
How does this change our evaluation of malware?
How does this change our IR or THreat Hunting process?
How does this change how we detect and alert on malware?
Final thoughts
Other Articles:
-------------------
Cybereason - FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS
https://www.cybereason.com/blog/fileless-malware
McAfee - What Is Fileless Malware?
https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html