Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Recent Fileless Attacks Linked to Single Framework, Researchers Say

A series “fileless attacks” previously attributed to two different threat attackers are now believed to have been carried out by the same actor, from a single attack framework, Israeli security firm Morphisec reveals.

A series “fileless attacks” previously attributed to two different threat attackers are now believed to have been carried out by the same actor, from a single attack framework, Israeli security firm Morphisec reveals.

Starting on March 8, Morphisec researchers began investigating a new fileless attack carried out via a macro-enabled Word document attached to a phishing email that targeted high-profile enterprises. Their investigation led them to the discovery of a sophisticated fileless attack framework associated with multiple recent campaigns.

Last month, Kaspersky Lab uncovered a campaign comprised of more than 140 attacks aimed at banks, telecom companies and government organizations in the United States, the United Kingdom, France, Ecuador, Kenya, Brazil, Spain, Israel and 32 other countries. Common to these attacks was the use of PowerShell scripts to store the malicious code in memory and avoid leaving traces on the compromised machines.

In early March, Cisco detailed a so-called DNSMessenger attack, where threat actors were using a malicious Word document and a PowerShell RAT that could communicate with the command and control (C&C) servers via DNS requests. This sophisticated attack was also completely fileless and invisible to most standard anti-malware defenses.

Another recently spotted fileless attack was installing a PowerShell backdoor dubbed POWERSOURCE onto infected computers, which FireEye linked to a threat group called FIN7. The actor has been targeting organizations in the United States, focusing on personnel that handle filings to the Securities and Exchange Commission (SEC).

According to Morphisec, all these attacks are actually linked to each other, and all had been leveraging the same fileless attack framework that the security company managed to access. In fact, the company says that the same threat group is responsible for all of the attacks.

“Based on our findings, a single group of threat actors is responsible for many of the most sophisticated attacks on financial institutions, government organizations and enterprises over the past few months,” the security researchers reveal. What Morphisec doesn’t say, however, is who these actors are. 

The security researchers even had a brief encounter with these actors, “via the very same PowerShell protocol used for the attack delivery,” which revealed that the hacker was part of an organization targeting specific companies. Following the encounter, the cybercriminals shut down the C&C server, which might have resulted in the loss of foothold in the systems connected to that server.

Similar to previously described campaigns, the attack uses a weaponized Word document that delivers a PowerShell agent capable of opening a backdoor and establishing persistency. In most cases, the actors then move to delivering different PowerShell commands through the C&C, depending on the target.

“For some targets, the attack was fully fileless, eventually delivering a Meterpreter session directly to memory. In other cases, the password-stealer LaZagne Project or another Python executable was delivered and executed. After additional investigation, we identified controllers for different protocols including Cmd, Lazagne, Mimikatz and more,” Morphisec explains.

The malicious Word document claims to be protected and asks the potential victims to enable the content to view it, which allows the macros to run. The included PowerShell executes using Windows Management Instrumentation (WMI), a technique already adopted by various malware families to evade detection.

After several decryption stages, the decrypted PowerShell is saved to the disk. The script observed in one attack was found to be an agent capable of receiving commands from the C&C, execute them and return the results. The malware was also found to lower Office’s macro restrictions to allow for other macro-based documents to be automatically executed.

“In the course of our research the attacker briefly interacted with us. It was clear that a person from the other side was waiting to connect on his Meterpreter session. During the brief interaction, our researchers tried to identify the actor. The attackers immediately blocked the connection and later shut down the C&C server entirely, thereby losing their foothold in the systems of victims connected to that communication server,” Morphisec says.

The security researchers note that the fileless attacks are on the rise and could prove a bigger problem than currently believed. Because the malware resides solely in the memory and commands are delivered directly from the Internet, there is no executables on disk, making the attack basically invisible.

Related: Cybercriminals Target Employees Involved in SEC Filings

Related: Researchers Uncover Sophisticated, Fileless Attack

Related: Legitimate Tools Abused For Fileless Infections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.