Analyzing the Popularity of Malware-Free CyberattacksDetection Evasion, Easy Access to Credentials, Code Bugs are Key Factors
A majority - 62% - of cyberattacks detected in 2021 were malware-free, according to CrowdStrike's 2022 Global Threat Report.
Examining Malware-Free and Fileless Malware
A discussion of malware-free attacks often overlaps with the topic of fileless malware, and the two terms are often used interchangeably.
While some people say there's a difference between the two, others regard malware-free and fileless malware are one and the same, Scott Jarkoff, director of the strategic threat advisory group at CrowdStrike, tells Information Security Media Group.
It's common to hear fileless malware referring to malware that is executed entirely in the RAM. As there are no files being written onto the disk, traditional antivirus and endpoint security tools do not have anything to scan, simply because there isn't an actual file on the disk.
Both fileless malware attacks and malware-free attacks are associated with "living off the land" attack techniques, Jarkoff says.
In a "living off the land" attack, threat actors use resources already installed on targeted systems - most commonly through malicious scripts in the Windows registry.
Malware-free attacks, in addition to targeting native operation system tools, could target legitimate third-party tools that exist on the endpoint and are used by adversaries for malicious purposes.
While administrators use a whole host of domain administrative tools to ensure networks remain operational, adversaries use the same tools because they exist on the network to enumerate Active Directory objects. "This helps them understand and map out the network where they need to get to in order to achieve their ultimate goals," Jarkoff says.
Malware-free Cyberattacks: A Case Study
CrowdStrike's 2022 Global Threat Report includes a use case detailing how the Russia-based Wizard Spider ransomware group - infamous for the creation and deployment of TrickBot - targeted an undisclosed engineering firm.
According to the report, the intrusion spanned across four domain controllers and involved two legitimate accounts.
The TTPs observed by Falcon OverWatch, CrowdStrike's managed threat hunting service, were consistent with Wizard Spider's modus operandi.
OverWatch's threat researchers found that the ransomware group used Microsoft RDP for authentication and gained access to the Windows domain controller via a valid domain account.
Wizard Spider leveraged the system's native utilities BITSAdmin and Rundll32 to download and execute offensive security tooling. BITSAdmin is a command-line tool used to create download or upload jobs, and Rundll32.exe is used to launch Windows Dynamic Link Libraries or DLL files.
MITRE ATT&CK identifies Rundll32.exe as a backdoor vulnerability that can be used by threat actors to obscure malicious code from analysis.
The report says threat actors were able to maintain persistence over long periods of time by creating a scheduled task to execute the payload, ShellStarter.exe.
This stage was followed by lateral movement using RDP to access the second domain controller using legitimate credentials. It then used Windows NT Directory Services to harvest credentials.
AnchorDNS, a Wizard Spider tool, was then able to communicate with the threat group's command and control center over DNS protocol. Wizard Spider was able to move laterally to the third domain controller by setting AnchorDNS to run as a service using native tooling.
An October 2020 Cybersecurity and Infrastructure Security Agency report shows that in early 2019, in the wake of a series of targeted attacks in the healthcare and public health sector, the FBI learned that new TrickBot modules called Anchor were being used by threat actors to attack high-profile targets.
AnchorDNS was created by TrickBot developers to send and receive data from the targeted systems.
The attack vector illustrates how the Wizard Spider ransomware group used almost all the tactics indicative of malware-free cyberattacks, including the use of valid credentials, leveraging native utilities, credential harvesting, persistence and lateral movement.
So, what makes malware-free cyberattacks so popular?
Flying Under the Radar
Just as cybersecurity firms are constantly evolving to shore up defenses against new and emerging threats, cybercriminals are conducting their version of DevOps to outsmart security measures.
Adversaries do their homework. They know what is going to work when they are targeting organizations, Jarkoff says. And malware-free cyberattacks have proven to be quite effective for criminals.
As endpoint defenses have improved their ability to identify and stop never-before-seen malware strains, threat actors have shifted to other techniques that don’t rely on installing conventional malware, says Mike Parkin, a former senior security specialist at the Federal Reserve Bank of San Francisco who is now an engineer at cyber risk remediation solutions provider Vulcan Cyber.
Malware-free techniques also help threat actors remain undetected longer says Jarkoff. The longer they remain undetected in a network, the better their chances are of exfiltrating mission-critical data - be it to deploy ransomware at a later point in time, or to carry out political or economic espionage.
Malware-Driven Attacks: A Race Against Time
In malware-driven attacks, as soon as malware is detected and flagged, the race begins to create automated detection systems to find it in other places in the organization's network, says Shawn Smith, director of infrastructure at Virginia-based application security provider nVisium.
He tells ISMG that malware usually has a short lifespan. Once deployed, the binaries that contain it are out there for anyone to evaluate, reverse-engineer and start working on early detection systems.
"Malware-driven attacks have to operate within a short window - from first use to when all its large targets will have detection and mitigation steps in place to stop it. It could still lock down the target, but once it's out there, the fish become scarcer in the pond," he says.
Jarkoff says that even signature-less malware is not foolproof, especially against next-gen endpoint detection tools, which are far more effective compared to traditional tools.
Easy Access to Credentials, Code Vulnerabilities
Hackers have increasingly focused on finding legitimate credentials and/or injecting backdoors into code, says Casey Bisson, head of product and developer relations at BluBracket, a Palo Alto-based code security solution provider.
It's the prime reason behind Gartner's prediction that by 2025, 45% of companies will have experienced an attack on their software supply chain.
Bisson says that in addition to phishing and credential stuffing, undisclosed backdoors, default credentials and vulnerabilities in code are some of the most heavily exploited chinks in the armor.
Explaining why code is the largest and least protected attack vector, he says hackers scour public code repositories looking for code vulnerabilities or credentials that give them initial access and evade tools that focus on malware detection. This, he says, is why companies are always "playing whack-a-mole with hackers."
Jarkoff says that threat actors use harvested credentials that can be easily obtained through underground cybercrime networks adding: "The reason behind the success of these attacks is that existing security tools have a hard time discerning the difference between legitimate and nefarious use of those tools."
With malware-free techniques, adversaries target organizations that are using legacy security tools - particularly legacy endpoint tools that cannot adequately deal with "living off the land" attack techniques, Jarkoff says.