6th May: Old Enemies hiding in New Places: Fileless Malware +++ Happy Patch-Day, Android!

Old Enemies hiding in New Places: Fileless Malware

Attackers have found a creative new way of challenging cyber safety on a daily basis – using event logs to hide fileless malware. Kaspersky researchers published a report on the new malware campaign last Wednesday. Let’s take a closer look:

The unusual thing about the campaign was the technology that does not use any data – at all. The attackers behind the campaign apply a range of injection tools and anti-detection techniques to deliver the malware payload. “With at least two commercial products in use, as well as multiple types of RAT and anti-detection wrappers in the final stage, the actor behind this campaign is quite capable,” Legezo concluded.

What does fileless malware mean?

As the name suggests, fileless malware infects targeted computers without leaving artifacts on the local hard drive, which makes it easy to sidestep traditional signature-based security and forensics tools. The ability to inject malware into a system’s memory is what classifies it as “fileless”. The technique, where attackers hide their activities in a computer’s random-access memory and use native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new though.

So what is actually new about the attack?

The answer lies in how the encrypted shellcode containing the malicious payload is embedded into Windows event logs. To avoid detection, the code “is divided into 8 KB blocks and saved in the binary part of event logs.”
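A defensive check for the technique described above, as an added example that is not taken from the Kaspersky report or from this article's sources: it scans event records exported as XML (assumed to be wrapped in one root element) for unusually large, high-entropy data in the `Binary` field. The size and entropy thresholds, the `ExampleProvider` name and the sample records are constructed assumptions.

```python
import hashlib
import math
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MIN_BYTES = 4096    # assumed cut-off, below the 8 KB block size the report describes
MIN_ENTROPY = 7.0   # assumed cut-off; encrypted data approaches 8 bits per byte

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_records(events_xml: str):
    """Return (record id, provider, size, entropy) for large, high-entropy binary data."""
    hits = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        blob_hex = ev.findtext("e:EventData/e:Binary", default="", namespaces=NS)
        try:
            blob = bytes.fromhex(blob_hex.strip())
        except ValueError:
            continue  # malformed hex: skip this record, keep scanning
        entropy = shannon_entropy(blob)
        if len(blob) >= MIN_BYTES and entropy >= MIN_ENTROPY:
            rec_id = ev.findtext("e:System/e:EventRecordID", default="?", namespaces=NS)
            provider = ev.find("e:System/e:Provider", NS)
            name = provider.get("Name", "?") if provider is not None else "?"
            hits.append((rec_id, name, len(blob), round(entropy, 2)))
    return hits

def build_sample() -> str:
    """Constructed test input: three events, only record 102 should be flagged."""
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    blobs = {"101": b"\x01\x02\x03\x04",   # small status blob, normal
             "102": random_like,            # 8192 bytes, looks encrypted
             "103": b"A" * 8192}            # large but trivially low entropy
    event = ("<Event xmlns='{ns}'><System><Provider Name='ExampleProvider'/>"
             "<EventRecordID>{rid}</EventRecordID></System>"
             "<EventData><Binary>{hx}</Binary></EventData></Event>")
    body = "".join(event.format(ns=NS["e"], rid=r, hx=b.hex().upper())
                   for r, b in blobs.items())
    return "<Events>" + body + "</Events>"

if __name__ == "__main__":
    for hit in suspicious_records(build_sample()):
        print(hit)
```

Legitimate providers also write binary data to event logs, so a hit is a lead for review, and the thresholds need tuning against a baseline of the logs in your own environment.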

Let’s take a look at the attack phases that Kaspersky detected:

  1. The attacker redirects the user to a legitimate website where they download a RAR file using CobaltStrike tools.
  2. Through CobaltStrike and SilentBreak, attackers can inject code into any process and inject additional modules into Windows system processes or trusted applications.

So what do we do now?

Even though fileless malware attacks leave their traces, they are hard to detect and even harder to prevent. There are some steps you can take to put yourself on the safer side:

  • secure your endpoints – we can help you with that!
  • monitor your traffic from applications and on the network
  • uninstall unused or non-critical applications
  • disable all functionality in applications that you don’t explicitly need
  • configure the use of PowerShell to be as secure and limited as possible

And in case of an attack:

  • try rebooting the system to stop a fileless attack
  • and change the systems’ passwords.

If you want to go more into detail on the topic, take a dive into our trusted source material:

Attackers Use Event Logs to Hide Malware | Threatpost

A new secret stash for “fileless” malware | Securelist

Fileless Malware: Schädlicher Code in Windows Event Logs | IT Management

Dateilose Malware | Computer Weekly

Happy Patch-Day, Android!

It was about time for some good news! And boy, do we have some: Google has just released new patches for known vulnerabilities. Updates are available for Android 10, 11, 12 and 12L. Most of the vulnerabilities patched are considered “high” risk, only one is considered “critical”. So if you are an Android user: before you scroll any further, please update your phone right away!

And in case you are interested in a little extra money: Google pays up to 1 million dollars for newly found vulnerabilities!

What has been patched?

A total of 37 vulnerabilities became known earlier this year. All of them are supposed to be patched with the newest release. Affected components range from Bootloader to Display to Kernel. The kernel-related issue is a double-free vulnerability in the Packet network protocol implementation in the Linux kernel that could cause memory corruption, potentially leading to denial-of-service or execution of arbitrary code. You can find a complete list here:

Android Security Bulletin—May 2022  |  Android Open Source Project

Become a cyber bounty hunter!

Ever wondered how Google finds vulnerabilities? By inviting cyber bounty hunters to try and find vulnerabilities in their products. The corresponding program has been running successfully for a few years now. Users are encouraged to find and, most importantly, to report vulnerabilities in all Google products. There is even a list of rewards, depending on the features and products the vulnerabilities are found in. Up to 8.7 million dollars in reward money was spent by Google in 2021 alone! Definitely a very clever investment. Hackers put their talents to positive use, Google is informed about vulnerabilities immediately after detection and users get patches. A win-win-win scenario!

So what do you have to do now?

In case you haven’t done so already: If you are using Android devices, check your settings for the update and install it as soon as possible. And in case you have some hacking skills yourself, check out the Google Bug Hunter website: Security Reward Program Rules | Google Bug Hunters

We won’t even ask for a referral fee in this case. Just send over a box of sweets and we’ll know you got one! Until then – happy patching and see you next week!

As always, for a deep dive, see our source material:

Google Releases Android Update | The Hacker News

Google fixes actively exploited Android kernel vulnerability | BleepingComputer

Pixel Update Bulletin – May 2022  |  Android Open Source Project

Android and Google Devices Security Reward Program | Google Bug Hunters

Google offers 50% higher bounties for bugs in Android 13 Beta | Help Net Security

Google Doubles Rewards for Nest and Fitbit Vulnerabilities | SecurityWeek.Com

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.