Fileless Malware Advisory

Number: AV19-151
Date: 17 July 2019

Introduction

The Cyber Centre has become aware of a fileless malware campaign affecting Microsoft Windows users that is currently gaining traction. The Astaroth malware, a notorious info-stealing malware known for stealing sensitive information like credentials, keystrokes, and other data, resides solely in memory and is much more difficult to detect than traditional malware.

The purpose of this advisory is to bring heightened awareness to the increase in the detection and identification of fileless malware, including Astaroth. The advisory provides an overview of fileless malware, the commonly used infection vectors and potential mitigations.

Overview

Fileless malware was first discovered in the wild in the early 2000s and multiple security researchers are reporting that it remains popular method of attack by cyber adversaries. They use the malware because it has low observable characteristics (LOC) and it evades common security methods. The malware usually takes advantage of default applications to mask its malicious activity. Furthermore, the original infecting executable typically does not remain on the system’s hard-drive. Although it is unlikely to prevent all infections, these attacks can be prevented by organizations implementing strong IT Security practices that, when used together, will minimize the risk of fileless malware attacks.

Analysis of Infection

The initial infection usually involves tricking the user into opening an infected file or visiting a malicious website. Although this is typical from malware attacks, the payload will not create files on the device’s hard-drive but instead it will reside only in memory. The next stage of the attack varies but often includes attempting to create entries in the device’s registry for persistency or attempting to load commonly used processes such as PowerShell or Windows Management Instrumentation (WMI). Afterwards, the infected machine may attempt to propagate on other connected devices, attempt to download additional malware on the infected device, and attempt to download and execute scripts.

Potential Infection Vectors

1. Physical transfer
   Attack vector: A user connects an infected device or media into a device.
2. Social Engineering (Phishing)
   1. Infected links
      Attack vector: A user interacts with a link to a malicious website in an email.
   2. Infected attachments
      Attack vector: A user interacts with a link to a malicious website in a document.
3. Web application
   Attack vector: A malicious actor leverages a weakness in a website to inject and execute code on any user that happens to visit the website.

Potential Mitigations

1. Patch and upgrade management, including staying up to date with vendor issued security advisories and application releases.
2. Architect a layered IT defense environment including hardening of end points and disabling non-essential applications and services.
3. Strong user awareness including encouraging users to report suspicious activity and implementing cyber security training.
4. Log management including regular reviews of system logs, server logs and performing regular audits.

Additional Resources

For more information on baseline cyber security controls:

https://cyber.gc.ca/sites/default/files/publications/Baseline%20Cyber%20Security%20Controls%20for%20Small%20and%20Medium%20Organizations.pdf

For more information on protection of your data:

https://cse-cst.gc.ca/en/top10

Disclaimer

Readers should not consider any advice and guidance contained within this report as comprehensive and/or all encompassing. All risks related to the cyber security of information technology systems are the responsibility of system owners.

Note to Readers:

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.