If one thought May 2017’s WannaCry ransomware scare was bad, it’s just the beginning. Each year, as more ransoms are paid, the cybercriminals have more capital to invest in new technologies and techniques. One of their most promising techniques is fileless infections or scripting attacks.
Historically, malware and now ransomware sneaked a program onto a computer, and then either overtly or covertly attempted the execution of said file. The common thread in these attacks is that a file is downloaded and then attempts to execute. The architecture of antivirus software employs a file system driver. This driver traps the file and then determines whether it can execute.
Fileless malware does not drop a file, and so bypasses the file system driver of mainstream AV. Instead, scripts are written and executed through known-good script engines such as PowerShell, MSHTA, CScript and WScript. Show and tell time.
S07R=new ActiveXObject("WScript.Shell"); e91eHqEE="l"; l21MJb=S07R.RegRead ("HKCU\\software\\lfxqiypm\\qkkqsiqrqk"); g0dn1w="jSJKZ"; eval(l21MJb); GQEXz2t="apyD";
The above command invokes MSHTA, a known-good and commonly used Microsoft application. The command calls JavaScript, which in turn calls WScript to execute a script stored in a registry key named with random characters. Since the script resides in a registry key, there is no file for the file system driver to analyze.
The above command instructs PowerShell, another valid Microsoft scripting engine, to execute a script from an environment variable named with random characters. Since the script resides in an environment variable rather than a file, the file system driver has zero visibility into this type of activity.
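A defender-side check for the two techniques just described, added here as an example and not PC Matic's code: it scans process-creation style events for script hosts that source their code from the registry, an environment variable or an inline script, and classifies a registry or environment value as script rather than plain data. The event format, the indicator set and all sample lines other than the article's mshta snippet are constructed assumptions.

```python
import re

# Constructed "host|command line" events; the mshta line reproduces the article's
# sample, every other line is made up for this example.
SAMPLE_EVENTS = [
    'mshta.exe|mshta javascript:S07R=new ActiveXObject("WScript.Shell");'
    'l21MJb=S07R.RegRead ("HKCU\\\\software\\\\lfxqiypm\\\\qkkqsiqrqk");eval(l21MJb);',
    'powershell.exe|powershell -NoProfile -Command "Get-ChildItem C:\\logs"',
    'wscript.exe|wscript.exe C:\\scripts\\backup.vbs',
    'powershell.exe|powershell -w hidden -Command "iex $env:ABCDEFG"',
    'notepad.exe|notepad.exe C:\\notes.txt',
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

# Signs that a script host is pulling code from somewhere other than a file on disk.
# Case-insensitive, and tolerant of whitespace before "(" because the sample writes
# "RegRead (" with a space.
INDICATORS = {
    "registry_read": re.compile(r"\bRegRead\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "inline_javascript": re.compile(r"\bjavascript:", re.I),
    "wscript_shell": re.compile(r"ActiveXObject\s*\(\s*[\"']WScript\.Shell", re.I),
    "env_var_exec": re.compile(r"\b(?:iex|invoke-expression)\b[^;|]*\$env:", re.I),
}


def analyze_event(event):
    """Return (host, matched indicator names) for one 'host|command line' event."""
    host, _, cmdline = event.partition("|")
    host = host.strip().lower()
    if host not in SCRIPT_HOSTS:
        return host, []  # not a script engine; this rule does not apply
    return host, [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def flag_fileless(events):
    """Events where a script host shows at least one non-file code source."""
    return [(host, hits) for host, hits in map(analyze_event, events) if hits]


def looks_like_script(value):
    """True if a registry/environment value holds script rather than plain data."""
    return sum(1 for rx in INDICATORS.values() if rx.search(value)) >= 2


if __name__ == "__main__":
    for host, hits in flag_fileless(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Two matching indicators are required for a stored value so that a lone word such as "eval" inside ordinary data does not trigger the rule.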
If one does a search on the strange string “gexywoaxor”, one learns that this malware is a banking trojan called Zeus Panda discovered by Forcepoint.
The article is dated July 2016, and PC Matic blocked the sample in November 2016, 4 months later.
|                  | Forcepoint Sample | PC Matic Sample |
|------------------|-------------------|-----------------|
| Date             | Jul 2016          | Nov 2016        |
| Script File Name | r3ak.tmp          | OTTYUADAF       |
In those four months, there were noticeable changes in the attack method, yet the critical encryption key "gexywoaxor" remained unchanged. The fact that a new encryption key was not required is a sign that this virus was successful in delivering its payload.
Scripting attacks or fileless infections are here today. 25% of all the malware PC Matic blocks is at the script level. In fairness, in today's environment a scripting attack frequently involves dropping a file to be executed later. In that instance, there is a second point at which a file system driver / blacklist approach can catch and block the intrusion. The problem is that not all scripting attacks drop a file, and that represents a security hole in your company's antivirus.