• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • Daily Security Bytes
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Analyzing a Fileless Malware Loader

October 15, 2020 By Trevor Collins

Thanks to WatchGuard’s Panda Adaptive Defense 360 zero-trust service, WatchGuard Threat Lab was able to identify and stop a sophisticated fileless malware loader before execution on the victim’s computer. Upon further detailed analysis by our attestation team, we identified several recent browser vulnerabilities that the malware targeted as part of its exploit chain.  

Malware Behavior 

The attack that WatchGuard Threat Lab analyzed lived fully in memory, making use of JavaScript [T1059.007] and PowerShell [T1059.001] to execute malicious actions. Advanced attacks like this one, that doesn’t leave artifacts on the victim’s storage drive, can evade many anti-virus engines easily by living in the computer memory out of their reach. 

The attack started with a drive-by compromise [T1189] that used JavaScript embedded in a malicious website. Because web browsers run JavaScript automatically, the attack didn’t require any user interaction aside from them just visiting the site. The website itself was hosted on a domain that the threat actors appeared to set up just to host the attack. 

When the victim lands on the site, the JavaScript executes an encoded PowerShell script that uses the ReflectivePEInjection module from the popular Powersploit [S0194] attack framework. The ReflectivePEInjection module loads executables and libraries into a running process on the victim’s computer [T1055.002], hiding the malware from defensive tools that don’t keep an eye on existing applications. In this case of this attack, the PowerShell script contained three encoded Portable Executable binaries. Each of the binaries exploited a different privilege escalation vulnerability to expand the malware’s capabilities.  

  • CVE-2020-1054 is a memory corruption vulnerability in the Windows kernel-mode driver that handles bitmap image files that enables privilege escalation [TA0004] to SYSTEM level. The attack triggers the vulnerability by creating a bitmap image and changing pixels outside of its memory bounds, enabling the attacker to write into the memory of the driver module and execute shellcode at SYSTEM level privileges.  

 

  • CVE-2019-1458 Is a similar privilege escalation vulnerability in the same Win32k Windows driver. This exploit uses calls to the undocumented NtUserMessageCall API and simulated keypresses to cause memory corruption in the window switching functionality. Based on the code we analyzed, the malware copied a publicly available proof of concept to use in their script.  
  • CVE-2019-0808 is yet another privilege escalation vulnerability in the Win32K Windows driver. This exploit attempts to install a file with elevated privileges. While researching this exploit we also found CVE-2019-5786 used in tandem with the elevation of privilege exploit. CVE-2019-5786 is a sandbox-escape vulnerability in Google Chrome which enables the attacker to interact with the rest of the victim’s running processes. Based on this, we believe older versions of Chrome could be vulnerable when attacked with this malware if the site changes the initial exploit based on the browser used to visit the site.  

 

 

Prevention 

If any of these exploits succeed, the threat actor now has privileged access to the victim’s computer. With that access, they can download other malware like botnets or remote access trojan and potentially move laterally behind the network perimeter. In order to detect and prevent similar attacks, organizations should implement the following recommendations.  

Implement Strong EDR 

Endpoint Detection and Response software actively monitors process behavior in real time to identify suspicious and malicious behaviors and indicators of compromise. Use EDR paired with strong Endpoint Protection (EPP) that analyzes all files, watches existing process memory, and provides 100% attestation for malware or goodware.   

Layer Defensive Tools That Can Identify and Block Malware Command and Control 

No single layer of defense can block all malware and intrusions. In addition to EDR, layer your security with other services like DNS firewalling and IPS that can detect and block botnet command and control (C&C) connections. Tools that block C&C are a strong last line of defense in the event of an infection, limiting the ability for the malware to function or spread. 

Indicators of Compromise 

Domains: 

  • Judgementinvincible[.]com 
  • Speedjudgementacceleration[.]com 

Files MD5s: 

  • B338E9E5EFA8AEDBDA533EEFF01871FF    
  • 694398D10C925A92DC51932D412F9514   
  • 7B40AA57E1C61ECD6DB2A1C18E08B0AF  

Share This:

Related

Filed Under: Editorial Articles, Featured, Research Tagged With: exploits, fileless malware, Threat Hunting

Comments

  1. Bruce Briggs says

    October 16, 2020 at 1:49 pm

    “No signal layer of defense”
    should be
    “No single layer of defense”

    Reply
    • Trevor Collins says

      October 23, 2020 at 2:30 pm

      Corrected

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • SolarWinds Catch-Up
  • Don’t Fall Victim to the Most Common Wi-Fi Deployment Mistakes
  • Is EMOTET Really Gone Forever?
  • Identity Management and Risk Authentication: Core Technologies to Achieve Zero-Trust Security

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • RIPE for the Taking
  • Oldsmar Water Treatment Plant Hack
  • So Confused
  • Is EMOTET Really Gone Forever?
  • CacheFlow
View All

Search

Archives

Copyright © 2021 WatchGuard Technologies · Privacy Policy · Terms of Use