Fileless, zero-footprint cyber attacks on the rise

Malware authors are adding coin mining features to their tools, even if the primary aim isn't coin mining.

One hundred percent of attacks prevented by Morphisec in Q1 used at least one fileless technique. These attacks include adware, says the company, which specialises in so-called moving target defence technology.

In addition, of the non-adware attacks, approximately 36% were completely fileless.

With fileless or zero-footprint attacks, threat actors don't need to place malware on a system to gain access. They use legitimate applications or even the operating system. These attacks evade whitelisting, and according to a Ponemon Institute report, are ten times more likely to be successful.
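An added example, not from the report or this article: a small defender-side triage script that applies the kind of heuristics used to spot fileless activity (a trusted script host launched by an Office application, PowerShell started with hidden or encoded-command flags, a system binary pulling content from a URL) to a few constructed process-creation records. The field names and sample events are assumptions, simplified from what an EDR or Sysmon process-creation event carries.

```python
import re

# Constructed sample process-creation events (not from the report).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJD"},
    {"parent": "outlook.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/page.hta"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Legitimate, usually whitelisted binaries that fileless tradecraft leans on.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "regsvr32.exe", "rundll32.exe"}
URL_LOADERS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}
# PowerShell switches that hide the window, skip profiles or pass encoded input.
SUSPICIOUS_PS_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:enc(?:odedcommand)?|nop|w\s+hidden)\b")
REMOTE_ARG = re.compile(r"(?i)\bhttps?://")


def classify(event):
    """Return the list of reasons an event looks like fileless activity (empty if benign)."""
    reasons = []
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        reasons.append("script host spawned by an Office application")
    if image == "powershell.exe" and SUSPICIOUS_PS_FLAGS.search(cmd):
        reasons.append("PowerShell launched with hidden/encoded-command flags")
    if image in URL_LOADERS and REMOTE_ARG.search(cmd):
        reasons.append("system binary loading content from a URL")
    return reasons


def find_fileless_candidates(events):
    """Keep only events with at least one reason, paired with those reasons."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append({"image": event["image"], "parent": event["parent"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_fileless_candidates(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["image"], ":", "; ".join(hit["reasons"]))
```

No file ever touches disk in the two flagged records; the signal is entirely in which trusted binary ran, who launched it and with what arguments, which is why this class of telemetry matters more than file scanning against fileless attacks.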

This was one of the findings of the Q1 2018 Morphisec Threat Report. It analyses comprehensive threat data collected from approximately 750 000 endpoints protected by Morphisec across the globe between 1 January and 31 March, and highlights key trends and changes in the attack landscape, as well as details on specific attack techniques and tactics used.

Slipping through the net

The first quarter of this year saw a surge of new cyber threats and vulnerability discoveries, over and above the expected variants of old favourites such as Corebot, Gamarue, Emotet and Kovter.

The report revealed a significant uptick in banking Trojan attacks, with attacks of this nature representing more than one-third of all non-adware attacks in Q1. Emotet emerged as the top banking malware.

In addition, although Q1 saw a decrease in the number of ransomware attacks, Morphisec says these attacks remain a significant threat to businesses, as new strains are being developed all the time, with some, such as GandCrab and Samsam, employing sophisticated techniques to slip through the security net.

North Korea a major threat

More and more, Morphisec is seeing malware authors adding coin mining features to their tools, even if the primary aim isn't coin mining.

Payload delivery methods have become increasingly sophisticated, the company says, and CryptoNight was the most widely used mining algorithm in Q1.

"While threat attribution can be difficult, it is clear that North Korea has become a major threat player. In addition to RokRAT and Flash Player zero-day attacks, various other attacks have been linked to the North Korean government and its affiliates."

Anti-forensic techniques

The report also uncovered more sophisticated anti-forensic techniques being integrated into live malware samples, as well as advances in the ability to detect and bypass virtual machine isolation environments and security products.

Morphisec says it found abundant evidence that the cyber attack pipeline is growing increasingly efficient and faster. "Sophisticated attack technology moves quickly from nation states to cybercriminal groups and filters down to mass-market exploit kits in a matter of days."

Nation states have the resources to uncover zero-day vulnerabilities and develop techniques to exploit them. Cybercriminal groups reverse engineer patches, or develop their own exploits. From there, it's child's play to add the vulnerability to exploit kits for sale and use on the criminal underground market.

A raging battleground

There's an ongoing battle between those who defend businesses, and those who want to disrupt business, concludes Morphisec. Cybersecurity sits in the middle of this battleground, bringing solutions and tools that serve as a business's last line of defence against targeted cyber attacks.

"It's challenging to keep up with threats that evolve quickly, especially those that are architected to apply speed to infiltration, and conceal methods of data exfiltration."
