A series of “fileless attacks” previously attributed to two different threat actors are now believed to have been carried out by the same actor, using a single attack framework, Israeli security firm Morphisec reveals.
Starting on March 8, Morphisec researchers began investigating a new fileless attack carried out via a macro-enabled Word document attached to a phishing email that targeted high-profile enterprises. Their investigation led them to the discovery of a sophisticated fileless attack framework associated with multiple recent campaigns.
Last month, Kaspersky Lab uncovered a campaign comprised of more than 140 attacks aimed at banks, telecom companies and government organizations in the United States, the United Kingdom, France, Ecuador, Kenya, Brazil, Spain, Israel and 32 other countries. Common to these attacks was the use of PowerShell scripts to store the malicious code in memory and avoid leaving traces on the compromised machines.
In early March, Cisco detailed a so-called DNSMessenger attack, where threat actors were using a malicious Word document and a PowerShell RAT that could communicate with the command and control (C&C) servers via DNS requests. This sophisticated attack was also completely fileless and invisible to most standard anti-malware defenses.
Another recently spotted fileless attack was installing a PowerShell backdoor dubbed POWERSOURCE onto infected computers, which FireEye linked to a threat group called FIN7. The actor has been targeting organizations in the United States, focusing on personnel that handle filings to the Securities and Exchange Commission (SEC).
According to Morphisec, all these attacks are actually linked to each other, and all had been leveraging the same fileless attack framework that the security company managed to access. In fact, the company says that the same threat group is responsible for all of the attacks.
“Based on our findings, a single group of threat actors is responsible for many of the most sophisticated attacks on financial institutions, government organizations and enterprises over the past few months,” the security researchers reveal. What Morphisec doesn’t say, however, is who these actors are.
The security researchers even had a brief encounter with these actors, “via the very same PowerShell protocol used for the attack delivery,” which revealed that the hacker was part of an organization targeting specific companies. Following the encounter, the cybercriminals shut down the C&C server, which might have resulted in the loss of foothold in the systems connected to that server.
Similar to previously described campaigns, the attack uses a weaponized Word document that delivers a PowerShell agent capable of opening a backdoor and establishing persistence. In most cases, the actors then move to delivering different PowerShell commands through the C&C, depending on the target.
“For some targets, the attack was fully fileless, eventually delivering a Meterpreter session directly to memory. In other cases, the password-stealer LaZagne Project or another Python executable was delivered and executed. After additional investigation, we identified controllers for different protocols including Cmd, Lazagne, Mimikatz and more,” Morphisec explains.
The malicious Word document claims to be protected and asks the potential victims to enable the content to view it, which allows the macros to run. The included PowerShell executes using Windows Management Instrumentation (WMI), a technique already adopted by various malware families to evade detection.
After several decryption stages, the decrypted PowerShell is saved to the disk. The script observed in one attack was found to be an agent capable of receiving commands from the C&C, executing them and returning the results. The malware was also found to lower Office’s macro restrictions to allow other macro-based documents to be executed automatically.
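For defenders, the two behaviours described above (PowerShell launched through WMI, and Office macro restrictions being lowered) can be hunted for in endpoint telemetry. The following is an added example, not code from Morphisec or from the original article. It assumes Sysmon-style process-creation (ID 1) and registry-set (ID 13) events, assumes that WMI-launched PowerShell appears with WmiPrvSE.exe as its parent, and assumes the macro setting involved is Office's VBAWarnings registry value; the sample events are constructed.

```python
import re

# Constructed sample events using Sysmon-style field names (values are made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VBA = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings"
SAMPLE_EVENTS = [
    {"id": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -w hidden -enc <placeholder>"},
    {"id": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"id": 13, "Image": PS, "TargetObject": VBA, "Details": "DWORD (0x00000001)"},
    {"id": 13, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetObject": VBA, "Details": "DWORD (0x00000002)"},
]

# Per-application macro setting, under either the user hive or the Policies hive.
VBA_KEY = re.compile(
    r"\\Software\\(Policies\\)?Microsoft\\Office\\[^\\]+\\[^\\]+\\Security\\VBAWarnings$",
    re.IGNORECASE,
)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of findings raised by a single event."""
    findings = []
    if event["id"] == 1:
        # Processes created through WMI run as children of the WMI provider host.
        if (basename(event.get("Image", "")) in POWERSHELL
                and basename(event.get("ParentImage", "")) == "wmiprvse.exe"):
            findings.append("powershell-via-wmi")
    elif event["id"] == 13 and VBA_KEY.search(event.get("TargetObject", "")):
        # VBAWarnings = 1 means "enable all macros"; 2-4 are the restrictive settings.
        value = re.search(r"0x([0-9a-fA-F]+)", event.get("Details", ""))
        if value and int(value.group(1), 16) == 1:
            findings.append("macro-security-lowered")
    return findings


def scan(events):
    """Return (event index, finding) pairs for every event that raises a finding."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

Legitimate management tooling also launches PowerShell through WMI, so the first finding is a triage lead to correlate with the command line and the second finding, not a verdict on its own.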
“In the course of our research the attacker briefly interacted with us. It was clear that a person from the other side was waiting to connect on his Meterpreter session. During the brief interaction, our researchers tried to identify the actor. The attackers immediately blocked the connection and later shut down the C&C server entirely, thereby losing their foothold in the systems of victims connected to that communication server,” Morphisec says.
The security researchers note that fileless attacks are on the rise and could prove a bigger problem than currently believed. Because the malware resides solely in memory and commands are delivered directly from the Internet, there are no executables on disk, making the attack basically invisible.