Monday, 01/28/2019 9:20:36 PM

Fileless Infection Steals Creds with Bank Trojan

https://www.infosecurity-magazine.com/news/fileless-infection-steals-creds?utm_source=twitterfeed&utm_medium=twitter

A new variant of the password-stealing Ursnif bank Trojan has been found in the wild delivering fileless infections while remaining undetected, according to Cisco Talos Intelligence.

In a blog post, researchers wrote that the banking Trojan employs "fileless persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop."

Researchers received an alert containing a malicious VBA macro coming from a Microsoft Word document that asked users to enable macros. Once enabled, PowerShell is executed and then another PowerShell command downloads the Ursnif malware.

Registry data is then created for the next stage of execution in which the command executes PowerShell using Windows Management Instrumentation Command-line (WMIC). Among the APIs imported from kernel32 were GetCurrentProcess, VirtualAllocEx, GetCurrentThreadId, QueueUserAPC, OpenThread and SleepEx, according to the blog.

Though researchers identified a list of files dropped, they also noted, "Filenames are hardcoded in the first PowerShell command executed, and vary by sample. This means that these indicators aren't necessarily malicious on their own as filenames might collide with benign ones. If found with other indicators, it's likely an Ursnif infection."

An extensive list of malicious documents and C2 server domains was also included among the indicators of compromise.

"This is just the latest example of how antivirus and signature-based security tools are easily bypassed by creative hackers. There are hundreds of sophisticated hacker tools readily available that can be morphed into endless numbers of new-looking attacks with new signatures that aren't recognized," said Ray DeMeo, co-founder and COO, Virsec.

“We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure."
==================================================================
This article just illustrates some of what Wave has been saying about malware (see underline/bold below) and a great solution to combat the problem is Wave Endpoint Monitor!
==================================================================
https://www.wavesys.com/malware-protection

Software can’t always detect malware

The big problem with malware is that antivirus software doesn't always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected, for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine-tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.

A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.

APTs' extent seems wider each week. News stories about targeted attacks on organizations appear weekly. Even more stories do not appear, as some malware is not detected for very long periods of time. Some malware described as "cutting edge" has code components that have been available for 3 and 4 years, thus dating their undetected time of life in the wild. With online tools, even a non-technical person can create one easily. And there are more ways than ever for malware to spread: the Internet, personal computing devices, downloads, email, social media sites. Government agencies recognize it as a growing threat. Early detection is the highest priority in this Cyberwar. In 2011 NIST published guidelines for establishing a chain of trust for the basic input/output system (BIOS), which initializes a computer when it boots up. This critical system is one of malware's more consequential targets and an area specifically protected by Wave Systems in its products and in its thinking.

Wave’s solution: start with the device

If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.

Which other attack vector should you watch? One common vector that is used to attack even the most secure networks is physical devices – connected to USB, FireWire or SD. Our Data Protection Suite AV scanner allows you to block any unscreened device from connecting to any machine in the organization, until it has been scanned for known malware.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor

Detect attacks before it’s too late

Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.

Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.

An open standard means Wave works with everything

Wave Endpoint Monitor works on your existing hardware, across platforms. That’s because our solutions are based on an open standard that’s already been implemented on many laptops and is now working its way onto mobile devices. We’re talking about those TPMs. We just don’t think that expensive new equipment and vendor lock-in are great selling points.

Be proactive on compliance

No new regulations here—yet. But government agencies recognize malware as a growing threat. In 2011, NIST published guidelines for basic input/output system (BIOS) integrity measurement, the BIOS being what initializes a computer when it boots up. When this critical system is malware’s target, the consequences are big. The guidelines describe what’s needed to establish a chain of trust for the BIOS: Has it been tampered with? NIST actually looked to Wave for feedback on this document (see the acknowledgments). We know what’s needed, because Wave Endpoint Monitor is already doing it.

Key Features:

Easy security compliance
• Comports with NIST guidelines for BIOS integrity

Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
• Get Windows 8 malware protection now—WEM covers previous versions of Windows

Simplicity
• Uses standards-based security that's in every PC you own
• Measurement notifications and reports can be customized for your processes and work flows
• Centralized, remote activation and management of your TPMs
• E-discover which PCs in your organization are enabled for endpoint monitoring

No compromises
• Ensure host integrity—without expensive hardware or excessive administrative overhead

Windows 8 Tablet Compatibility
• Get the same device integrity assurance on Windows 8 Pro & Enterprise tablets that you want for your enterprise PCs - with Wave Mobility Pro - Tablet Edition
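As an added defensive illustration (not code from the article, Talos or Wave), the following Python check flags the Word -> PowerShell -> WMIC -> PowerShell parent/child chain described in the news item above, run over constructed process-creation events; the `ProcEvent` fields and the sample command lines are invented for the example.

```python
"""Flag the Office -> PowerShell -> WMIC -> PowerShell process chain in
constructed process-creation events (hypothetical field names)."""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


# Constructed sample: one benign PowerShell launch plus the chain from the article.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", 'WINWORD.EXE /n "invoice.docm"'),
    ProcEvent(300, 200, "powershell.exe", "powershell -w hidden -enc <constructed>"),
    ProcEvent(400, 300, "wmic.exe", "wmic process call create powershell -nop -w hidden"),
    ProcEvent(500, 400, "powershell.exe", "powershell -nop -w hidden <constructed>"),
    ProcEvent(600, 100, "powershell.exe", "powershell -File backup.ps1"),
]


def find_suspicious_chains(events):
    """Return (pid, reason) for each PowerShell process whose ancestry matches
    the macro-to-WMIC pattern: Office parent, or WMIC parent with a PowerShell
    grandparent. Other PowerShell launches (e.g. from explorer) are ignored."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image.lower() != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if parent.image.lower() in OFFICE_APPS:
            alerts.append((e.pid, "office_spawned_powershell"))
        elif parent.image.lower() == "wmic.exe":
            grand = by_pid.get(parent.ppid)
            if grand is not None and grand.image.lower() == "powershell.exe":
                alerts.append((e.pid, "powershell_via_wmic"))
    return alerts


if __name__ == "__main__":
    for pid, reason in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```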
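The boot-value comparison described in the Wave text above can be illustrated with the TPM PCR extend rule (new PCR = SHA-256(old PCR || measurement)); this is an added Python example, not Wave's code, and the boot event log entries and baseline are constructed rather than taken from a real firmware log.

```python
"""Replay a measured-boot event log through the TPM PCR extend rule and
compare the resulting PCR values against a stored baseline from an earlier boot."""
import hashlib

PCR_INIT = b"\x00" * 32   # SHA-256 bank PCRs start at all zeros after reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the PCR can only be advanced by hashing, never set directly."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_log(event_log):
    """Compute final PCR values from (pcr_index, component_bytes) events.
    Order matters: the same components in a different order give a different PCR."""
    pcrs = {}
    for index, component in event_log:
        digest = hashlib.sha256(component).digest()          # measure the component
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs


def compare_to_baseline(baseline, current):
    """Return the PCR indices whose value deviates from the baseline boot."""
    indices = set(baseline) | set(current)
    return sorted(i for i in indices if baseline.get(i) != current.get(i))


def check_boot(baseline_log, current_log):
    return compare_to_baseline(replay_log(baseline_log), replay_log(current_log))


# Constructed stand-ins for firmware/boot components; a real log carries their hashes.
GOOD_BOOT = [(0, b"bios-core-v1"), (0, b"bios-acm"), (4, b"bootmgr"), (7, b"secureboot-policy")]
TAMPERED_BOOT = [(0, b"bios-core-v1"), (0, b"bios-acm-patched"), (4, b"bootmgr"), (7, b"secureboot-policy")]

if __name__ == "__main__":
    print("deviating PCRs (good):", check_boot(GOOD_BOOT, GOOD_BOOT))
    print("deviating PCRs (tampered):", check_boot(GOOD_BOOT, TAMPERED_BOOT))
```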