Malware & Threats

Recent Fileless Attacks Linked to Single Framework, Researchers Say

A series of “fileless attacks” previously attributed to two different threat actors are now believed to have been carried out by the same actor, from a single attack framework, Israeli security firm Morphisec reveals.

Starting on March 8, Morphisec researchers began investigating a new fileless attack carried out via a macro-enabled Word document attached to a phishing email that targeted high-profile enterprises. Their investigation led them to the discovery of a sophisticated fileless attack framework associated with multiple recent campaigns.

Last month, Kaspersky Lab uncovered a campaign comprised of more than 140 attacks aimed at banks, telecom companies and government organizations in the United States, the United Kingdom, France, Ecuador, Kenya, Brazil, Spain, Israel and 32 other countries. Common to these attacks was the use of PowerShell scripts to store the malicious code in memory and avoid leaving traces on the compromised machines.

In early March, Cisco detailed a so-called DNSMessenger attack, where threat actors were using a malicious Word document and a PowerShell RAT that could communicate with the command and control (C&C) servers via DNS requests. This sophisticated attack was also completely fileless and invisible to most standard anti-malware defenses.

Another recently spotted fileless attack was installing a PowerShell backdoor dubbed POWERSOURCE onto infected computers, which FireEye linked to a threat group called FIN7. The actor has been targeting organizations in the United States, focusing on personnel that handle filings to the Securities and Exchange Commission (SEC).

According to Morphisec, all these attacks are actually linked to each other, and all had been leveraging the same fileless attack framework that the security company managed to access. In fact, the company says that the same threat group is responsible for all of the attacks.

“Based on our findings, a single group of threat actors is responsible for many of the most sophisticated attacks on financial institutions, government organizations and enterprises over the past few months,” the security researchers reveal. What Morphisec doesn’t say, however, is who these actors are. 

The security researchers even had a brief encounter with these actors, “via the very same PowerShell protocol used for the attack delivery,” which revealed that the hacker was part of an organization targeting specific companies. Following the encounter, the cybercriminals shut down the C&C server, which might have cost them their foothold in the systems connected to that server.

Similar to previously described campaigns, the attack uses a weaponized Word document that delivers a PowerShell agent capable of opening a backdoor and establishing persistence. In most cases, the actors then move on to delivering different PowerShell commands through the C&C, depending on the target.

“For some targets, the attack was fully fileless, eventually delivering a Meterpreter session directly to memory. In other cases, the password-stealer LaZagne Project or another Python executable was delivered and executed. After additional investigation, we identified controllers for different protocols including Cmd, Lazagne, Mimikatz and more,” Morphisec explains.

The malicious Word document claims to be protected and asks the potential victims to enable the content to view it, which allows the macros to run. The included PowerShell executes using Windows Management Instrumentation (WMI), a technique already adopted by various malware families to evade detection.

After several decryption stages, the decrypted PowerShell is saved to disk. The script observed in one attack was found to be an agent capable of receiving commands from the C&C, executing them and returning the results. The malware was also found to lower Office’s macro restrictions so that other macro-based documents would be executed automatically.
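The chain described in the two paragraphs above (a macro-enabled Word document launching PowerShell through WMI, then the macro security setting being lowered) is what endpoint telemetry should be watched for. The following is an added detection example, not code from the article or from Morphisec; the Sysmon-style event lines are constructed for illustration, and it assumes the macro-restriction downgrade is implemented as a write of the per-application VBAWarnings registry value to 1 ("enable all macros").

```python
import re
from typing import Dict, List, Tuple

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "wmic.exe", "cmd.exe", "mshta.exe")
# Office's per-application macro setting; value 1 means "enable all macros".
# Assumption: the macro-restriction downgrade in the text is modelled as this write.
VBAWARNINGS_RE = re.compile(r"\\Office\\[\d.]+\\\w+\\Security\\VBAWarnings$", re.I)

# Constructed sample telemetry (not from the campaign): Sysmon-style fields,
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE ParentImage=C:\\Windows\\explorer.exe CommandLine=WINWORD.EXE /n invoice.docm",
    "EventID=1 Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine=WmiPrvSE.exe -secured -Embedding",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA",
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings Details=DWORD (0x00000001)",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=value Key=value' line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for the behaviours described in the article."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        if ev.get("EventID") == "1":
            # The classic rule: an Office process directly spawning a script host.
            # It does NOT fire on the sample, because launching via WMI makes
            # WmiPrvSE.exe the parent and breaks the Word -> PowerShell lineage.
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", f"{parent} -> {image}"))
            # So also watch PowerShell whose parent is the WMI provider host.
            if parent == "wmiprvse.exe" and image == "powershell.exe":
                findings.append(("wmi_spawns_powershell", ev.get("CommandLine", "")))
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "")
            if VBAWARNINGS_RE.search(target) and "0x00000001" in ev.get("Details", ""):
                findings.append(("macro_security_downgraded", target))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the sample, only the WMI-parented PowerShell and the VBAWarnings write are flagged, which is the point: a parent-child rule keyed on WINWORD.EXE alone misses this chain.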

“In the course of our research the attacker briefly interacted with us. It was clear that a person from the other side was waiting to connect on his Meterpreter session. During the brief interaction, our researchers tried to identify the actor. The attackers immediately blocked the connection and later shut down the C&C server entirely, thereby losing their foothold in the systems of victims connected to that communication server,” Morphisec says.

The security researchers note that fileless attacks are on the rise and could prove a bigger problem than currently believed. Because the malware resides solely in memory and commands are delivered directly from the Internet, there are no executables on disk, making the attack practically invisible.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
