A stereotypical malware attack uses malicious macros or executables to deliver a payload onto a device. Anti-malware systems stop these files from executing by first scanning them and then quarantining them if anti-malware detects malicious binaries. Attackers are always finding new ways to avoid anti-malware systems, and their new way of avoiding detection is the use of a new technique called “living off the land” binaries or LOLBins. These attacks deliver an initial innocuous file to a user and then use native binaries already installed on the device to retrieve the malicious content.
How the Attack Works
The term “fileless” is given to these attacks, because they do not require any data written to the local drive. They usually start within a user’s browser using a web-based application. The best example of a widespread, successful fileless attack is the Nodersok campaign launched against Windows computers using HTA files and Node.exe.
The Nodersok campaign used an HTA (HTML application) file to initialize an attack. Users were either sent an email asking them to click an HTA link or tricked into downloading the file from an attacker-controlled, malicious web page. HTA applications are older frameworks rarely used in the wild since the early 2000s, so users do not normally recognize it has a web-based application that can give malicious scripts access to their local device. Attackers can run VBScript code in an HTA window, which is not an option with a standard HTML browser window without the user’s permission.
With the HTA running in the browser, the attacker uses JavaScript or an XSL file that contains JavaScript to download additional files. After these files are downloaded, PowerShell is used to download a list of files used for the final payload. PowerShell is a scripting interface native to any current Windows operating system including the older Windows 7. It’s a powerful administrator tool that can make changes to a local device or network resources.
With a PowerShell instance running in the background, the Node.js environment (Node.exe for Windows) is downloaded. Windivert (a packet sniffer for Windows) is also downloaded, along with the final payload file app.js. The app.js file is the attacker’s code that turns the local machine into a proxy.
Nodersok’s main goal is click fraud. Click fraud occurs when a user uses methods to click ads (e.g. Google Adwords, Bing Ads or Facebook Ads) and pocket money without sending the advertiser legitimate traffic. Click fraud costs advertisers thousands (even millions for large advertisers), and it’s against any network’s terms of service. However, using zombie machines (as they are often called) makes it look like the advertiser is receiving valid clicks from real users, making it harder to detect for the advertising network.
Nodersok is just one example of a fileless attack that has a somewhat harmless payload for the end-user. The advertiser is at risk of losing money, but no data is stolen or destroyed in the process. However, since LOLBin attacks use native applications already installed on the computer, future ones could be much more harmful to the user’s data integrity and privacy. Using trusted procedures with seemingly harmless fines is how these attacks are difficult to detect in the wild.
Protecting Computers from Fileless Attacks
Because the initial file does not have the malware payload, most anti-malware systems do not detect LOLBin attacks. Additionally, with some attacks such as the Nodersok campaign, the malware uses PowerShell to disable antivirus and anti-malware software. Nodersok specifically targeted Windows machines and disabled Microsoft Defender, which is an anti-malware application pre-loaded on Windows machines.
The attack starts with a phishing campaign. To protect enterprise machines from fileless attacks, the primary defense is to stop phishing attacks and block the websites that host the malicious files. This can be difficult as users must be trained to identify phishing attacks. Even with the best training, phishing attacks at a massive scale usually trick at least one user into downloading malicious content, so training is not enough.
One method to stop these phishing emails is to use email filters. The latest email filters incorporate artificial intelligence (AI) with detection methods that can crawl attachments and identify if they contain malicious macro code. These email filters also detect links that could point to an attacker-controlled site. Administrators used to block all attachments sent by outside users to internal employees to avoid malware, but this method is not feasible anymore for large companies where employees must interact with outside customers and vendors. Intelligent email filters stop attacks from ever reaching a user’s inbox.
Quarantining email messages with attachments is another option to protect from phishing. Quarantined files are stored in a sandboxed area of the network where administrators can review file content. If the content is determined to be malicious, it can be purged from the system. Legitimate content can be passed to the recipient, and the settings for the quarantine filters edited to avoid false positives.
Administrators can also take measures to protect the local machine should a user happen to download a malicious file. LOLBins targeting Windows, for instance, normally use PowerShell to configure the local machine and download additional files. To make changes to the local machine, the user must have permissions to make these changes. Administrators can block changes using Active Directory and the Local Security Policy console. Using the right user policies, administrators can block some of the fileless malware changes to a local system.
In addition to intelligent email security, basic antivirus, network monitoring, intrusion detection and prevention should also be implemented. Intrusion detection systems will detect any suspicious traffic on the network should a user mistakenly download malware.
Conclusion
Phishing is a primary vector for many of the malware applications in the wild. It only takes one user mistake to spread malware across several machines. The malware could be LOLBin attacks or more damaging malware such as ransomware. The only way for organizations to stop phishing before it can turn into a successful malware attack is stop email messages from reaching the recipient’s inbox and restricting access to tools that would deliver a payload.
