Anatomy of a Fileless Attack: the New Cyber Security Challenge

Fileless attacks are a good way to bypass traditional countermeasures. They rely on scripts executed directly in RAM and can be undetectable and persistent by modifying the Windows registry.




Security measures keep improving at detecting and blocking both malware and cyber attacks, forcing cybercriminals to look for new technical vectors and means to stay under the radar and evade detection. One of these advanced techniques is the fileless exploit, in which no executable file is ever saved to disk. Such attacks are particularly effective at evading traditional antivirus solutions, which work by scanning the files stored on mass storage and analyzing them to determine whether they are malicious.




The increase in fileless attacks has created new challenges for traditional endpoint security solutions. Many of the so-called next-gen products are already outdated because they were designed primarily to detect file-based threats. While fileless attacks are not new, they are becoming more common. In their 2016 surveys, CrowdStrike Services incident response teams found that eight out of ten attack vectors that resulted in a successful breach used fileless attack techniques.


A Successful Attack on a Web Server via a Shell Script

In a white paper titled Who Needs Malware? How Adversaries Use Fileless Attacks To Evade Your Security, CrowdStrike, the endpoint protection service provider, dissects how these fileless attacks work by walking through a successful attack step by step. In this case, the first target was a web server running Microsoft IIS and hosting a SQL Server database. For the initial compromise, the attacker used a web shell, a short script that is uploaded to a web server and executed there. The script can be written in any of the languages supported by the web server, such as Perl, Python, ASP, or PHP.


Web shells are popular in this type of attack because they can be loaded directly into memory by exploiting a vulnerability that exists on the system, without anything being written to disk. In this specific attack, the attacker used SQL injection to insert his web shell on the server. Because the web server did not correctly handle escape characters in user input, the attacker could simply submit the web shell to the server as part of a request. The web shell used, called China Chopper, contained JavaScript commands and was remarkably concise: only 72 characters long. Executing the web shell in memory allowed the attacker to use the Chopper user interface to run arbitrary commands on the web server. With full remote access to the webserver,
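The root cause named above is a query assembled from unescaped user input. The following added example (not code from the article or from CrowdStrike's white paper) shows the defect beside its fix on a constructed in-memory SQLite table standing in for the SQL Server backend: the concatenated query lets a crafted parameter rewrite the `WHERE` clause, while the parameterized query treats the same string as an ordinary literal. The table, column names and inputs are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed stand-in for the web server's database (assumption, not the article's schema).
SAMPLE_ROWS = [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)]


def make_db():
    """Build the in-memory sample database used by both lookup functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The defect: the user value is spliced into the SQL text, so quote
    characters in it change the grammar of the statement instead of being data."""
    sql = ("SELECT id, name FROM products "
           "WHERE restricted = 0 AND name = '" + name + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """The fix: parameter binding. The driver sends the value separately from
    the statement, so no escaping logic in the application is needed or trusted."""
    sql = "SELECT id, name FROM products WHERE restricted = 0 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both variants on a benign input and on a hostile one and return the results."""
    conn = make_db()
    benign = "widget"
    hostile = "x' OR '1'='1"   # constructed input that closes the quote and adds a tautology
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "hardened_benign": lookup_hardened(conn, benign),
        "hardened_hostile": lookup_hardened(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the hostile input the concatenated query returns every row, including the one marked restricted, because the injected `OR` short-circuits the filter; the parameterized query returns nothing, since no product is literally named `x' OR '1'='1`. The same property is what keeps a request body carrying a web shell from ever being interpreted as SQL.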


How to Get Persistence Through a Registry Key

The first step was to download a script from a remote server, load it directly into memory, and run it. This script, in turn, stole any clear-text passwords that were cached in the web server's memory. Within seconds, the attacker had obtained usernames and passwords for all accounts on the system. The next step was for the attacker to gain persistence on the server. To do this, he used a technique called Sticky Keys, which does not require any malware. By modifying a single line of the Windows registry, which can be done easily with a PowerShell or WMI command, the attacker arranged for the Windows on-screen keyboard process to be launched in debug mode.


In debug mode, the on-screen keyboard lets anyone with remote access open a command line with system privileges without logging in, and therefore without generating a logon event. Once this registry key is set, the attacker can come back at any time simply by opening a Remote Desktop connection to the web server. Because the access leaves no logon event in the logs, the attacker's actions are almost undetectable.
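Because this persistence leaves no logon event, the practical detection is to audit the registry itself rather than the logs. The following added example (not code from the article or the white paper) parses a constructed `.reg` export and flags any Image File Execution Options entry whose `Debugger` value redirects an accessibility binary such as the on-screen keyboard. The export text, the `devtool.exe` entry and the flagged `osk.exe` entry are assumptions constructed for the demonstration; the key path and the list of accessibility executables are the standard ones a defender would check.

```python
# Registry path under which Windows honours a per-executable "Debugger" value.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")

# Accessibility helpers reachable from the logon screen; a Debugger on any of
# these is the classic Sticky Keys style hijack and is almost never legitimate.
ACCESSIBILITY_BINARIES = {"sethc.exe", "osk.exe", "utilman.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}

# Constructed sample export (assumption), standing in for `reg export ... ifeo.reg`.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe]
"Debugger"="C:\\Tools\\mydebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export.

    Only the subset of the format needed here is handled: [key] headers,
    "name"="string" values (with \\ unescaped) and other values kept verbatim.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            entries[current][name] = value
    return entries


def find_ifeo_debuggers(entries):
    """List every IFEO Debugger value and mark those on accessibility binaries."""
    findings = []
    for key, values in entries.items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        binary = key[len(IFEO_PREFIX):].lower()
        debugger = values.get("Debugger")
        if debugger is None:
            continue   # GlobalFlag-only entries are routine developer settings
        findings.append({
            "binary": binary,
            "debugger": debugger,
            "accessibility_hijack": binary in ACCESSIBILITY_BINARIES,
        })
    return findings


def audit(text=SAMPLE_REG_EXPORT):
    """Parse an export and return only the findings that warrant investigation."""
    return [f for f in find_ifeo_debuggers(parse_reg_export(text))
            if f["accessibility_hijack"]]


if __name__ == "__main__":
    for finding in audit():
        print(f"ALERT: {finding['binary']} is redirected to {finding['debugger']}")
```

The `devtool.exe` entry is reported by `find_ifeo_debuggers` but not by `audit`, because a Debugger value on an ordinary application is a common developer setting; only the accessibility binaries are treated as an alert. Running the same check on a periodic export, or watching the key with Sysmon registry events, gives the defender the signal that the missing logon event cannot.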
