The Analyst Prompt #10: AI Facial Recognition Used in Ukraine/Russia War Prone to Vulnerabilities

by EclecticIQ Threat Research Team on June 9, 2022

tap-10

Malware Trends: Responding to Fileless Malware Requires Forward Leaning Vulnerability Management

It appears 2022 is the year fileless malware becomes a more frequent threat. A fileless malware attack is a technique threat actors use to inject malicious code directly into the memory of either a mobile device or a computer, rather than dropping a malicious file on the device’s disk. All operating systems are vulnerable to these attacks; common TTPs include Vermillion for Linux, Cobalt Strike for Windows, and the Lazarus Group for MacOS (2, 4). These attacks are currently utilizing social engineering tactics to compromise a system by sending phishing messages containing malicious links the user needs to click on, mobile text messages, or phone calls directing the user to visit a certain malicious site to steal credentials (2, 6). Once the user activates the link, the process uses Flash or equivalent software to open Windows PowerShell and run commands operating on memory to inject a payload instructing the device to carry out malicious behavior like data exfiltration, or to run malicious scripts from a botnet (3). Fileless malware is the least detectable because it contains no identifiable signature or behavior, no files to scan as it relies on memory, and can exist with ransomware such as Ryuk or Conti (4, 5). Typical detection methods, for this reason, will not be successful.

Fileless malware cannot infect a device without exploiting a vulnerability to obtain administrative privileges in an operating systems tool like PowerShell (22, 23). A “perfect” patch management program would be the optimal solution but may not be the most realistic solution examined by EIQ intelligence analysts. The first step in protecting against fileless malware is to have visibility into the operating environment that includes a thorough understanding of the corporate network, how it connects to personal and corporate mobile devices, and what opportunities for segmentation exist to block critical pathways into high-value assets. Prioritizing key environmental infrastructures, such as those created by VMware, Azure, or AWS is ideal as vulnerabilities are exploited more frequently than the day after Microsoft’s “Patch Tuesday”. Ransomware and other destructive malware types can take over a system in just a few minutes as examined by EclecticIQ analysts (1,5).