Cybersecurity: Non-malware attacks


For a long time now, attackers have based their attacks on executable files. They share these executable files on various platforms such as gaming sites, hacking-tool and keygen download sites, porn sites, and pirated software and cracking tool sites. When you download and run these files, they install the malicious software on your devices. Antivirus programs have learned how this malware operates and have put up measures against it. However, malware writers are now shifting to fileless/non-malware attacks. US restaurants are the most recent targets of such an attack, with the FIN7 group being behind the attacks.

What is a non-malware attack?

According to Michael Viscuso of Carbon Black, fileless/non-malware attacks use authorized but vulnerable protocols, applications, and software already existing on your computer to carry out malicious activities. Therefore, without using any malicious software/file, they gain control of your computer. The attack does not leave any of the traces that traditional antivirus scanners use to spot malware, so it remains undetected by virtually all the antivirus products on the market today.

Fileless malware makes use of administrative and security-testing tools such as PowerShell, Mimikatz, and Metasploit to write dynamic link library files into the computer's memory. If the malware wrote the files directly to the hard drive, any AV program would detect the activity, but since it is the administrative and security-testing tools that write the data into memory, no antivirus program picks it up as malicious activity.

According to the Vice President of Research and Development at Morphisec, Michael Gorelik, fileless attacks easily bypass security solutions based on static, dynamic, and behavioral analysis. He adds that these attacks pose a severe threat to small and medium-sized enterprises.

The structure of the attack

It all starts with an innocuous-looking, well-structured phishing email in your inbox with an attached RTF Word document. The malware writers tailor the names of the attachments to the particular individual or industry, making it easier for you to open the files. For instance, in the recent restaurant attack, the attackers named the attachments “menu.rtf,” “Chick Fil A Order.rtf,” etc. The restaurant staff thought that these were clients’ requests and went ahead and downloaded the files.

Once you download and open the RTF document, you get a Word file containing a large envelope image with the instructions “Double Click Here to Unlock Content.” According to Morphisec researchers, you just need to double-click on the large envelope icon and then press “OK” on the dialogue box that appears. By doing this, you execute JavaScript code that compiles and creates scheduled tasks, which constitute the malware.

Here the rule of thumb is: never open an attachment with a .rtf extension, and if you accidentally happen to open one, NEVER disable Microsoft Office Protected View. If by mistake you turn off Protected View, contact us and we will help you out of the mess.

Can you protect yourself against non-malware attacks?

According to a survey conducted by Carbon Black, about two-thirds of the researchers it polled are not confident in traditional antivirus software’s ability to deal with non-malware attacks. However, Gartner, a research and advisory firm, confirms that this does not mean you cannot deal with the attacks; it just means that there is no sure way of blocking them.

The researchers recommend the following ways of protecting yourself from the attack.

Consult Endpoint Protection Platform (EPP) vendors

As a business, you should consult your EPP suppliers and ask them what they are doing to protect the company against non-malware attacks.

Use Enhanced Mitigation Experience Toolkit (EMET)

EMET is Microsoft software that protects applications by enforcing restrictions on them. For instance, it enforces Data Execution Prevention (DEP) restrictions on memory use. It monitors an application’s memory use and shuts the application down if its memory use goes beyond the average level.

PowerShell behavior monitoring

According to one of the researchers who filled in Carbon Black’s questionnaire, companies should monitor PowerShell for unusual behavior. If PowerShell is trying to access an unusually high number of files within a very short time, or it is making attempts to communicate outside the local network, these may be signs of an attack.
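As an added example (not part of the original article or of Carbon Black's research), the following Python detector applies the two signals just described to a constructed endpoint log: a burst of file accesses by powershell.exe inside a short window, and a PowerShell connection to an address outside the local network. The log format, the thresholds, and the reading of "local network" as the RFC 1918 ranges are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <pid> <image> <event> <target>"
SAMPLE_LOG = """\
2017-06-20T10:00:00 4412 powershell.exe FILE C:\\Users\\bob\\Documents\\a.docx
2017-06-20T10:00:01 4412 powershell.exe FILE C:\\Users\\bob\\Documents\\b.docx
2017-06-20T10:00:01 4412 powershell.exe FILE C:\\Users\\bob\\Documents\\c.docx
2017-06-20T10:00:02 4412 powershell.exe FILE C:\\Users\\bob\\Documents\\d.docx
2017-06-20T10:00:02 4412 powershell.exe FILE C:\\Users\\bob\\Documents\\e.docx
2017-06-20T10:00:03 4412 powershell.exe FILE C:\\Users\\bob\\Documents\\f.docx
2017-06-20T10:00:05 4412 powershell.exe NET 198.51.100.23:443
2017-06-20T10:01:00 5120 powershell.exe NET 10.0.0.5:445
2017-06-20T10:01:10 5120 powershell.exe FILE C:\\Scripts\\backup.ps1
2017-06-20T10:02:00 7001 explorer.exe FILE C:\\Users\\bob\\Desktop\\notes.txt
"""

# Assumed tuning: more than FILE_THRESHOLD files inside WINDOW is a burst; "local" = RFC 1918.
FILE_THRESHOLD = 5
WINDOW = timedelta(seconds=10)
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local(host):
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in LOCAL_NETS)

def detect(log_text, file_threshold=FILE_THRESHOLD, window=WINDOW):
    """Return sorted (pid, reason) alerts for powershell.exe processes."""
    alerts = set()
    recent = defaultdict(deque)  # pid -> timestamps of FILE events still inside the window
    for line in log_text.splitlines():
        ts_s, pid, image, event, target = line.split(" ", 4)
        if image.lower() != "powershell.exe":
            continue  # only PowerShell behaviour is in scope
        ts = datetime.fromisoformat(ts_s)
        if event == "FILE":
            q = recent[pid]
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) > file_threshold:
                alerts.add((pid, "file-burst"))
        elif event == "NET" and not is_local(target.rsplit(":", 1)[0]):
            alerts.add((pid, "external-connection"))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Only pid 4412 is flagged: it touches six files in three seconds and then connects to a non-RFC 1918 address, while pid 5120 stays inside the local network and explorer.exe is out of scope.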