In-memory attacks leave few artifacts for antiviruses to pick up on

A new report from SentinelOne has documented the rise of in-memory attacks. The evasive, fileless tactics are apparently eluding antivirus systems.

SentinelOne's most recent Enterprise Risk Index catalogues threats that presented themselves in the second half of 2016. Unlike many other reports, the Index collects data from the endpoint rather than the gateway, and its detections are focused more on behaviour, providing a rare image of the threat landscape. With this in mind, note the report's authors, “we won't be announcing what the top malware family is”.

Its most recent conclusions highlight in-memory attacks as particularly prevalent in the second quarter of 2016.

As their name suggests, in-memory attacks work by exploiting the victim's existing OS and running the attack directly from within memory, without dropping a new executable. One tactic harnesses existing system files such as cmd.exe and uses them as the payload platform. Another, WMI persistence, was first discovered in the investigation into Stuxnet and was used in the “election hack” on the Democratic National Committee.
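A defender-side check for the WMI persistence tactic mentioned above, added here as an example and not taken from the article or the SentinelOne report: it lists the permanent WMI event subscriptions on a Windows host, which live in the WMI repository rather than as new files on disk. It assumes PowerShell 3 or later with the CIM cmdlets and an elevated session.

```powershell
# Added example (not from the article or the SentinelOne report): enumerate
# permanent WMI event subscriptions, the mechanism behind "WMI persistence".
# A subscription is three objects in root\subscription: a filter (WQL query),
# a consumer (the action) and a binding that ties them together.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Filter and Consumer are object references; resolve them by their Name key.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

    # What the consumer actually runs when the filter's query fires.
    $action = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '(no command or script payload)' }
    }

    [pscustomobject]@{
        Filter   = $f.Name
        Query    = $f.Query
        Consumer = "$($c.CimClass.CimClassName): $($c.Name)"
        Action   = $action
    }
}
```

A stock Windows install typically carries one benign binding (the “SCM Event Log” filter and consumer pair); any binding whose action launches a shell, script host or PowerShell deserves investigation, and polling these three classes on a schedule gives a simple detection for newly created subscriptions.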

In-memory attacks seem well suited to nation-state-backed groups, which, the report notes, aim to “place zero or as few new artifacts on the file system as possible to minimise the potential for detection by enterprise security controls.”

Such attacks leave few or no remnants on a victim's file system, affording attackers greater opportunities for evading security systems. Andy Norton, risk officer, EMEA at SentinelOne, explained to SC Media UK that, “An in-memory attack places few or no new artefacts of an attack onto the file system of the victim. The reason for this is that many defensive security tools are focused on determining the intent of new files by scanning them, or preventing new files from running on a locked-down system.”

These attacks doubled over the second quarter of 2016, with a corresponding decline in traditional .exe-based attacks. More and more cyber-crime authors are looking to emulate these tactics as well, the report notes, citing Angler EK, Phasebot and Powersniff.

Norton added, “these in-memory attacks are growing in number, as more cyber-criminals adopt the tactics and tools of the more sophisticated threat actors that have previously used this strategy to evade defence-in-depth security initiatives of target organisations.”

The report also notes the intensifying development of ransomware strains. Again, Norton told SC, “clearly cyber-criminals are being successful in infecting devices and their victims, in sufficient numbers, are paying the ransom.”

It is that simple fact, added Norton, which “is encouraging developers to produce ransomware variants to sell to criminal groups and individuals who are then choosing this type of payload over others or are simply adding a ransomware payload to their infections.”