Cylance vs. Man1 Group: The Redux

Background

Fileless malware is malicious software that does not show up where defenders expect it to: as an .exe or .dll executable sitting on disk. In its purest form, fileless malware never writes a file to disk at all.

Hancitor is a case in point. It arrives inside a weaponized document attributed to the Man1 group: the attackers send phishing emails carrying Word attachments with embedded macros. This is no ordinary macro. Its author took the time to write their own base64 decoder, and the payload (Hancitor) is encoded and hidden in a form field that the macro reads and decodes at run time.

What makes Hancitor interesting is that, instead of using the macro to drop an executable on disk and launch it, the macro decodes the payload, allocates a region of memory, writes the decoded payload into it and executes it directly from there. No executable is ever written to disk, which is exactly what file-based scanning depends on.
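The two paragraphs above describe the whole trick: a hand-rolled decoder in the macro, an encoded payload parked in a form field, and execution straight from memory. The analyst's opportunity is the document itself, which does touch disk. The following Python is an added triage example written for this page, not Cylance's tooling or Hancitor's real code. It assumes the macro source has already been extracted (for instance with olevba from oletools) together with the text of the document's form fields, and it assumes, as one common reason for writing your own decoder, that the macro's base64 alphabet has been reordered; the VBA snippet, alphabet and form-field contents are constructed for the demonstration.

```python
import base64
import re
import string

# Standard base64 alphabet; a hand-rolled decoder often reorders this.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed reordered alphabet used by the sample macro below (an assumption
# for this example, not the alphabet of any real Hancitor sample).
SAMPLE_ALPHABET = (
    "ZYXWVUTSRQPONMLKJIHGFEDCBA" "zyxwvutsrqponmlkjihgfedcba" "9876543210+/"
)

# Constructed stand-in for an extracted VBA module: a custom decoder plus an
# AutoOpen that pulls its input out of a UserForm text box at run time.
SAMPLE_VBA = f'''
Private Const ALPHA As String = "{SAMPLE_ALPHABET}"
Private Function Dec(s As String) As Byte()
    ' custom base64 decoding loop would live here
End Function
Sub AutoOpen()
    Dim buf() As Byte
    buf = Dec(UserForm1.TextBox1.Text)
    ' buf is written to allocated memory and executed, never to disk
End Sub
'''


def find_custom_alphabet(vba_src: str):
    """Return a 64-character string literal that is a permutation of the
    base64 alphabet, the tell-tale of a decoder with a reordered table,
    or None if the macro contains no such literal."""
    for lit in re.findall(r'"([A-Za-z0-9+/]{64})"', vba_src):
        if set(lit) == set(STD_ALPHABET):
            return lit
    return None


def decode_with_alphabet(encoded: str, alphabet: str) -> bytes:
    """Decode base64 text written in a custom alphabet by translating it to
    the standard alphabet and letting the standard decoder do the work."""
    std = encoded.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # tolerate stripped padding
    return base64.b64decode(std)


def encode_with_alphabet(raw: bytes, alphabet: str) -> str:
    """Inverse of decode_with_alphabet; used here only to build sample input."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check that a decoded buffer is a Windows executable: 'MZ' DOS
    header and an e_lfanew pointer that lands on the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe_stub() -> bytes:
    """Constructed 88-byte header-only stand-in for a PE payload (not a real
    executable): DOS header with e_lfanew = 0x40 followed by 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS header up to e_lfanew
    hdr += (0x40).to_bytes(4, "little")          # e_lfanew at offset 0x3C
    hdr += b"PE\x00\x00" + b"\x00" * 20          # COFF header placeholder
    return bytes(hdr)


# Constructed form-field contents: the payload box plus a harmless decoy label.
SAMPLE_FORM_FIELDS = {
    "TextBox1": encode_with_alphabet(build_fake_pe_stub(), SAMPLE_ALPHABET),
    "Label1": "OK",
}


def triage(vba_src: str, form_fields: dict) -> list:
    """For each form field, strip anything outside the macro's alphabet,
    decode, and report whether an executable falls out."""
    alphabet = find_custom_alphabet(vba_src) or STD_ALPHABET
    findings = []
    for name, value in form_fields.items():
        cleaned = "".join(c for c in value if c in alphabet)
        if len(cleaned) < 64:          # too short to hide a payload
            continue
        try:
            blob = decode_with_alphabet(cleaned, alphabet)
        except ValueError:
            continue
        findings.append({
            "field": name,
            "custom_alphabet": alphabet != STD_ALPHABET,
            "size": len(blob),
            "is_pe": looks_like_pe(blob),
        })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_VBA, SAMPLE_FORM_FIELDS):
        print(hit)
```

Run against real input, the interesting result is a form field that decodes to an MZ/PE buffer under an alphabet that is not the standard one; that is the encoded executable a plain base64 signature would miss. The decoded bytes can then be handed to a sandbox or a disassembler without ever having to catch the macro in the act of executing them from memory.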

Watch Cylance take on fileless malware in our demo video:

VIDEO: Cylance vs. Fileless Malware

Why is Fileless Malware an Important Issue and Why Should I Be Concerned?

Although still rare, truly fileless malware is becoming increasingly common because it evades traditional anti-malware products. By never writing a file to disk, it gives file-based scanners nothing to inspect until the code has already been injected into memory and is running. The only file that does touch disk is the document carrying the macro, so that document, or the process memory it injects into, is where detection has to happen.

Even anti-malware products that can inspect macros have difficulty detecting Hancitor because of its custom encoding. The Man1 group does not rely on out-of-the-box malware; it produces carefully crafted, well-engineered tooling that keeps bypassing anti-malware solutions.

In addition, many organizations rely on ‘perimeter’ defenses to help take out malware before it gets to the end-user’s computer. In this case, Hancitor would not be detected by gateway anti-malware defenses as it (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog