
Fileless Malware / Click Fraud Malware Campaign

3 replies to this topic

#1 _Guess_Who_


Posted 19 November 2017 - 08:26 AM

I searched this website (bleepingcomputer.com) for one of the IOCs (indicators of compromise) of a click fraud / trojan (depending on which advisory you follow) malware, as there is no thread / article with this information. I'm posting in the interest of the community and researchers. This seems to be a moderately sophisticated type of attack involving a new genre of malware which does not leave residual files on the system and hence is termed "fileless" malware.

 

I found this while helping a friend of mine with his PC. Since I had configured logging for his PC, I saw in the logs that msiexec.exe was connecting to soplifan[.]ru ... Doing some research I saw this domain as part of two (maybe one single) campaigns involving fileless malware.


Read more here:

https://www.nominum.com/tech-blog/detecting-file-less-malware-file-less-detection/

https://gbhackers.com/fileless-malware-wuth-powershell-scripts/


I personally allow only a limited set of executable files internet access. I restrict internet access for msiexec.exe, which in most circumstances will contact Microsoft and / or the publisher of a piece of software to check the digital signature of the software being installed. I usually compare the file checksum or PGP signature and hence don't need msiexec.exe to connect to the internet.

 

While I haven't completed analysis of my friend's machine, what are the thoughts of members who have seen this / such malware on a proactive fix?

I recommend that my friends disable (through ACL) / uninstall PowerShell, which does take care of moderate to advanced types of attacks, especially fileless malware attacks. Are there any other steps for this type of attack?


Edited by _Guess_Who_, 19 November 2017 - 09:37 AM.




#2 _Guess_Who_

  • Topic Starter


Posted 19 November 2017 - 11:45 AM

This malware is detected as Trojan.Multi.GenAutorunReg.a by Kaspersky. It seems to be a generic detection name, as I see posts dating back to 2015, and hence it may not correspond to the fileless malware I've started the thread about. However, through the name I have found this article by Kaspersky:

 

https://media.kaspersky.com/en/business-security/fileless-attacks-against-enterprise-networks.pdf



#3 Umbra


    Authorized Emsisoft Rep



Posted 19 November 2017 - 10:08 PM

    While I haven't completed analysis of my friend's machine, what are the thoughts of members who have seen this / such malware on a proactive fix?

    I recommend that my friends disable (through ACL) / uninstall PowerShell, which does take care of moderate to advanced types of attacks, especially fileless malware attacks. Are there any other steps for this type of attack?

In absolute terms, uninstalling PowerShell is not enough to "block 'em all", since fileless malware can carry its own PowerShell (or other interpreters); one solution is to remove the .NET platform (but be aware of the consequences it may have on software using it).

 

About preventing fileless malware: it isn't an easy task, but not impossible (unless you are specifically targeted). They all come from the same vectors, so any user with decent safe habits may avoid the threat.

 

Also, using a security solution with a behavioral monitoring mechanism will help.



Emsisoft Community Manager


#4 _Guess_Who_

  • Topic Starter


Posted 20 November 2017 - 01:11 AM

Thanks Umbra! The way I detected it (there was an updated antimalware running on the system - enterprise grade!) was through msiexec connecting to a .ru domain. I feel that, as part of a solid information security posture, blocking TLDs you don't need access to also helps! I will look at more ways to block such malware and update this thread! One more way is to block execution from %temp%. I generally use a blanket ban on execution of files from:

C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
C:\WINDOWS\Registration\CRMLog
C:\WINDOWS\Tasks
C:\Windows\Temp
c:\windows\Registration\CRMLog
c:\windows\System32\com\dmp
c:\windows\System32\FxsTmp
c:\windows\System32\spool\PRINTERS
c:\windows\System32\spool\drivers\color
c:\windows\System32\Tasks
c:\windows\SysWOW64\com\dmp
c:\windows\SysWOW64\FxsTmp
c:\windows\SysWOW64\Tasks
c:\windows\tracing
wscript.*
cscript.exe
mshta.exe
powershell.exe
powershell_ise.exe
cmd.exe

this covers .NET :D
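An added detection example, not code from this thread or from any poster, that checks constructed Sysmon-style events against the two controls discussed in posts #1 and #4: msiexec.exe reaching a TLD the host is not expected to contact, and execution from the writable Windows directories or script interpreters in the list above. The allowed-TLD set, the shortened block list and the JSON event shape are assumptions made for the example.

```python
import fnmatch
import json
from pathlib import PureWindowsPath

# Writable directories and interpreters from the block list above (shortened).
BLOCKED_DIRS = [r"C:\Windows\Temp", r"C:\Windows\Tasks",
                r"C:\Windows\System32\spool\PRINTERS", r"C:\Windows\tracing"]
BLOCKED_IMAGES = ["wscript.*", "cscript.exe", "mshta.exe",
                  "powershell.exe", "powershell_ise.exe", "cmd.exe"]
ALLOWED_TLDS = {"com", "net", "org"}      # assumption: TLDs this host may contact
WATCHED_NET_IMAGES = {"msiexec.exe"}      # installers should only reach vendors

def _under(path, root):
    # Case-insensitive "path lies inside root" test on Windows path components.
    p, r = PureWindowsPath(path).parts, PureWindowsPath(root).parts
    return [x.lower() for x in p[:len(r)]] == [x.lower() for x in r]

def check_event(ev):
    """Return finding strings for one Sysmon-style event dict (empty = clean)."""
    findings, image = [], ev["Image"]
    name = PureWindowsPath(image).name.lower()
    if ev["EventID"] == 1:  # process creation
        if any(_under(image, d) for d in BLOCKED_DIRS):
            findings.append(f"execution from blocked directory: {image}")
        if any(fnmatch.fnmatch(name, pat) for pat in BLOCKED_IMAGES):
            findings.append(f"blocked interpreter launched: {name}")
    elif ev["EventID"] == 3 and name in WATCHED_NET_IMAGES:  # network connection
        host = ev.get("DestinationHostname", "")
        tld = host.rsplit(".", 1)[-1].lower()
        if tld not in ALLOWED_TLDS:  # also catches a missing hostname (raw IP)
            findings.append(f"{name} contacted unexpected TLD '.{tld}': {host!r}")
    return findings

def triage(lines):
    """Map line index -> findings for every JSON event line that raised one."""
    hits = {}
    for i, line in enumerate(lines):
        found = check_event(json.loads(line))
        if found:
            hits[i] = found
    return hits

# Constructed sample telemetry, not real logs; soplifan.ru is the domain from post #1.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationHostname": "download.microsoft.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationHostname": "soplifan.ru"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe"},
]]
```

Calling `triage(SAMPLE_LOG)` flags every sample event except the first one, the msiexec.exe connection to a .com host.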
