
Chapter 1 - 03 - Define Malware and its Types - 22_ocred.pdf



Certified Cybersecurity Technician Information Security Threats and Vulnerabilities Exam 212-82

Reasons for Using Fileless Malware in Cyber Attacks

The various reasons for using fileless malware in cyber-attacks are as follows:

* Stealth: Fileless malware exploits legitimate system tools; hence, it is extremely difficult to detect, block, or prevent fileless attacks.
* LOL (Living-off-the-land): The system tools exploited by fileless malware are already installed on the system by default. An attacker does not need to create and install custom tools on the target system.
* Trustworthy: The system tools used by fileless malware are the most frequently used and trusted tools; hence, security tools incorrectly assume that such tools are running for a legitimate purpose.

Module 01 Page 101 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Fileless Propagation Techniques

* Phishing emails: Attackers use phishing emails embedded with malicious links or downloads, which, when clicked, inject and run malicious code in the victim's memory.
* Legitimate applications: Attackers exploit legitimate software packages installed on the system, such as Word and JavaScript, to run the malware.
* Native applications: Operating systems such as Windows include pre-installed tools such as PowerShell and Windows Management Instrumentation (WMI). Attackers exploit these tools to install and run malicious code.
* Infection through lateral movement: Once the fileless malware infects the target system, attackers use this system to move laterally in the network and infect other systems connected to the network.
* Malicious websites: Attackers create fraudulent websites that appear legitimate. When a victim visits such a website, it automatically scans the victim's system to detect vulnerabilities in plugins that can be exploited by the attackers to run malicious code in the browser's memory.
* Registry manipulation: Attackers use this technique to inject and run malicious code directly from the Windows registry through a legitimate system process. This helps attackers to bypass UAC, application whitelisting, etc., and also infect other running processes.
* Memory code injection: Attackers use this technique to inject malicious code and maintain persistence in the process memory of the running process, with the aim of propagating and re-injecting it into other legitimate system processes that are critical for normal system operation. This helps in bypassing regular security controls. The various code injection techniques used by attackers include local shellcode injection, remote thread injection, process hollowing, etc.
* Script-based injection: Attackers often use scripts in which the binaries or shellcode are obfuscated and encoded. Such script-based attacks might not be completely fileless. The scripts are often embedded in documents sent as email attachments.

Fileless Malware Example: Divergent

Divergent is a type of fileless malware that exploits NodeJS, which is a program that executes JavaScript outside the browser. Using Divergent fileless malware, attackers generate revenue by targeting corporate networks through click-fraud attacks. It strongly depends on the registry for the execution and storage of configuration data. Furthermore, it employs a key in the registry to maintain persistence and exploits PowerShell to inject itself into other processes on the infected machine. If the infected process is running with the required privileges, it exploits WMI to gather information about antivirus software, such as Windows Defender, installed on the target system. If Windows Defender is installed on the target system, it automatically disables various components of Windows Defender and Windows Updates. After infecting the system, it bypasses UAC through CMSTP.exe (Microsoft Connection Manager Profile Installer) and steals critical information from the victim through URLs.

[Figure 1.25: Screenshot of Divergent (disassembly of the Divergent_send_C2_beacon_and_sleep routine, which calls Divergent_send_HTTP_request and then Sleep)]
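As an added illustration (not part of the EC-Council text), the Python below sketches how a defender could flag, in process-creation telemetry, the behaviours described above for Divergent and for native-application abuse: hidden or encoded PowerShell spawned by an Office application, CMSTP.exe loading an .inf from outside the Windows directory, a Run-key entry that launches a script host, and WMI enumeration of antivirus products. Rule names, patterns and the Sysmon-style sample events are constructed assumptions, not vendor signatures or indicators from a real Divergent sample.

```python
import re
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Rule:
    name: str
    image: str     # regex on the created process image name
    parent: str    # regex on the parent process image name
    cmdline: str   # regex on the command line (matched case-insensitively)

# Assumed rules for the fileless behaviours the text attributes to Divergent and
# to native-application abuse; patterns are illustrative, not vendor signatures.
RULES = [
    Rule("office_spawns_hidden_or_encoded_powershell",
         image=r"^powershell\.exe$", parent=r"^(winword|excel|outlook)\.exe$",
         cmdline=r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s)"),
    Rule("cmstp_inf_outside_windows_dir",   # UAC bypass via CMSTP.exe
         image=r"^cmstp\.exe$", parent=r".*",
         cmdline=r"^(?!.*\\windows\\).*\.inf\b"),
    Rule("run_key_persistence_with_script_host",  # registry-based persistence
         image=r"^reg\.exe$", parent=r".*",
         cmdline=r"currentversion\\run\b.*(powershell|mshta|wscript|cscript|rundll32)"),
    Rule("wmi_antivirus_enumeration",        # WMI query for installed AV
         image=r"^wmic\.exe$", parent=r".*",
         cmdline=r"securitycenter2.*antivirusproduct"),
]

def match_rule(rule: Rule, event: dict) -> bool:
    """True when image, parent and command line all satisfy the rule's patterns."""
    return (re.search(rule.image, event["image"], re.I) is not None
            and re.search(rule.parent, event["parent"], re.I) is not None
            and re.search(rule.cmdline, event["cmdline"], re.I) is not None)

def detect(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule name, command line) for every event that trips a rule."""
    return [(r.name, ev["cmdline"]) for ev in events for r in RULES if match_rule(r, ev)]

# Constructed Sysmon-style process-creation events; command lines are illustrative.
SAMPLE_EVENTS = [
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDRA=="},
    {"parent": "cmd.exe", "image": "cmstp.exe", "cmdline": r"cmstp.exe C:\Users\Public\profile.inf"},
    {"parent": "node.exe", "image": "reg.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d powershell -w hidden"},
    {"parent": "powershell.exe", "image": "wmic.exe",
     "cmdline": r"wmic.exe /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"parent": "explorer.exe", "image": "cmstp.exe",   # benign: .inf under the Windows directory
     "cmdline": r"cmstp.exe C:\Windows\System32\corp-vpn.inf"},
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"{name}: {cmd}")
```

The negative lookahead in the CMSTP rule keeps a profile installed from the Windows directory from alerting, which is the kind of allow-listing needed when the abused tool is also a legitimate, trusted one.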
