A newly uncovered cyber-espionage campaign targeting Israeli organisations relies on "fileless" malware hidden in Microsoft Word documents, a hacker tactic that's becoming a growing menace.
The attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel.
Malware from a "fileless" attack is so-called because it resides solely in memory, with commands delivered directly from the internet. The approach means that there's no executable on disk and no artefacts ("files") for conventional computer forensic analysis to pick up, rendering the attacks stealthy, if not invisible. Malware infections will still generate potential suspicious network traffic.
The attack was delivered via Microsoft Word documents that exploited a former zero-day vulnerability in Word, CVE-2017-0199, by actually reusing an existing PoC that was published immediately after the patch release. Microsoft released the patch for the vulnerability on April 11, but many organizations have not yet deployed the update. The delivered documents installed a fileless variant of the Helminth Trojan agent.
Such fileless attacks are on the rise. Security vendors Carbon Black recently reported a 33 per cent rise in severe non-malware attacks in Q4 2016 compared to Q1. In-memory attacks doubled in comparison to the infection rates of file-based vectors, according to a study by another end point security vendor SentinelOne.
Use of the fileless malware tactic, first spotted more than five years ago but only becoming really fashionable over the last year, extends beyond state-sponsored cyber-espionage. For example, Kaspersky Lab warned earlier this month about of fileless attacks against banking networks. The attack was geared towards robbing money from cash machines (ATMs).
"Fileless malware is being used in attacks by both targeted threat actors and cybercriminals in general – helping to avoid detection and make forensic investigations harder. Kaspersky Lab’s experts have found examples in the lateral movement tools used in the Shamoon attacks, in attacks against Eastern European banks, and in the hands of a number of other APT actors," Kaspersky Lab said earlier this week in a review of the cyber-threat landscape. ®