When it comes to being devious, cybercriminals are relentless, and in their world this means constantly seeking out new ways to steal. Those who specialise in malware have relied on the same standard methods for the last several years. As security software and firewalls have started catching those methods, they are now developing a newer way to reach your data, one that is being called “fileless malware.”
Cybercrime is a numbers game that relies on not being detected. The more systems the criminals can infect before moving on, the higher their chances of stealing information. Previous methods of distributing malware have included phishing schemes that lure the reader into clicking on a link, logging into what seems to be a valid access portal, or visiting an infected website. The most recent shift in sophistication has been a move away from the most popular malware methods and towards techniques that your security tools can’t detect. Their answer has been to take over legitimate Windows tools such as WMI (Windows Management Instrumentation) or PowerShell. These components are so trusted within Windows that few (if any) security products inspect what they do.
How It Works:
Cybercriminals still depend on a way to get a user to the place where their takeover begins. This is typically an email that appears to come from a sender you know, or one that makes an appealing promise. It may also be a marketing notification for a product or service you were interested in that sends you to an infected website. Either way, the goal is to get you to “click”, and once you do, the page loads Flash Player, which then begins to make changes.
Flash invokes PowerShell and, working entirely in the computer’s memory rather than on disk, issues a command-line instruction telling PowerShell to download a copy of the malicious script and run it. This script is designed to collect sensitive data and send it back to the criminals. The attack succeeds because no file is ever written for the antivirus software or other malware defences to scan.
Ways to Stop Fileless Malware:
While the criminals like to boast that their newer creations are undetectable, there are ways that you can help to protect yourself. These steps are not “foolproof”, but as part of a systematic, layered approach they help to reduce your risk.
- When you aren’t using WMI and PowerShell, disable them.
- If you aren’t using macros, disable them. If you are using macros, only use those vetted for the company and make use of digital signatures. If you don’t see a signature, don’t use it.
- Ensure that you check your security logs regularly to monitor the data that is “leaving” the network. If you see an unusually large amount of data going out, it may be a criminal at work.
- In the same vein, monitoring system behaviour will also alert you to anything unusual. Compare it against the system’s history as a baseline.
- Make sure that your system software is updated on a regular basis.
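The disabling and monitoring steps above can be put into practice on a Windows host. The script below is an added example written for this article (it is not Da Vinci Forensics’ own tooling); it assumes an elevated Windows PowerShell 5.1 or later session, uses the standard Group Policy registry locations for PowerShell logging, and treats the indicator list as a starting point for review rather than a verdict.

```powershell
# Added example: harden PowerShell so fileless activity is recorded, then audit the log.
# Assumption: run as Administrator; -ReportOnly skips the policy changes and only audits.
param([switch]$ReportOnly)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value)
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Name -Value $Value
}

if (-not $ReportOnly) {
    # 1. Record every script block the engine compiles (event ID 4104). This captures
    #    code that was downloaded or decoded straight into memory and never hit the disk.
    Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1
    # 2. Log the cmdlets and parameters each module invokes (event ID 4103).
    Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
    Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*'
    # 3. Remove the legacy PowerShell v2 engine, which produces none of the logs above.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# 4. Audit: review the latest script-block events for the "download into memory and run"
#    pattern described in the article. Hits need human triage; admins use some of these too.
$indicators = 'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'Invoke-Expression',
              'IEX', 'FromBase64String', '-EncodedCommand', 'Net.WebClient'
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents 500 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $text = $e.Properties[2].Value   # ScriptBlockText is the third property of a 4104 event
    $hits = $indicators | Where-Object { $text -match [regex]::Escape($_) }
    if ($hits) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Indicators = ($hits -join ', ')
            Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}
```

The events this script reads are the same ones that should be forwarded to a central log collector, so that the “data leaving the network” checks above can be correlated with what PowerShell was asked to do at the time.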
“Da Vinci Forensics maintains all of the current information that we use to counsel, offer advice, and work with our clients to protect them. Cybersecurity is considered to be part of today’s business expenses and as criminals advance in their attacks we should be counteracting to assure that proprietary and customer data is secure. Our team will coordinate with you and your IT Department for the checks and balances needed in your network.”
Tech Team @ Da Vinci Forensics