Do you know what a non-malware attack is, or how it differs from a more traditional attack? Do you know why these attacks are so dangerous, or what you can do to prevent them? If not, don’t worry – you are not alone. Here you can find the answers to all of these
According to experts, non-malware attacks are on the rise. In fact, a recent study performed by the Ponemon Institute showed that 29 percent of all attacks that organizations experienced in 2017 were actually
Now, let's dive into non-malware attacks, how they differ from traditional attacks, and the other important information you need to know.
Non-Malware Attacks Explained
A non-malware attack, which is also referred to as a
The general idea behind this type of non-malware attack is simple – rather than dropping custom tools that could be flagged as malware, the attacker uses the tools that are already present on the device. This is how the
The Process of a Non-Malware Attack
Usually, but not always, a non-malware attack follows this chain of events:
A user visits a compromised website or opens a malicious email attachment.
An exploit kit probes the machine for a vulnerability and uses it to run code that invokes one of Windows' built-in administration tools (for example PowerShell or WMI), rather than writing a new executable.
The fileless payload then runs entirely in memory, typically injected into a legitimate Windows process, so there is no new file on disk for a scanner to find.
The challenging part of
The Danger of Non-Malware Attacks
One of the biggest challenges that are posed by the
To better understand why this type of attack is so dangerous, it’s a good idea to look at some of the most recent incidents of these attacks.
One of the very first instances of a situation involving
Another known example of this type of attack is the UIWIX threat. Like Petya and WannaCry, UIWIX spread through the EternalBlue SMB exploit, but it does not drop any file of its own on the disk. Instead, the exploit installs the DoublePulsar backdoor, which lives in kernel memory, and the ransomware code is loaded through that backdoor.
How Do the Non-Malware Attacks Actually Work?
Because non-malware attacks use the pre-existing, default Windows tools, they hide their activity behind real, legitimate (and usually signed) Windows processes. A file-scanning antivirus engine has nothing new to scan, so the attack goes unnoticed by most products that rely on file signatures; detecting it requires looking at process behaviour, command lines and memory instead of files on disk.
The Primary Non-Malware Attack Targets
A hacker has to acquire quite a few resources to ensure their malicious activity remains undetected. This is why most
WMI – Windows Management Instrumentation
Based on the targets, the
4 Commonly Seen Types of Non-Malware Attacks
There are several variations and types of
Fileless persistence methods: the malicious code is still running after a system reboot. For example, a malicious script may be stored in the Windows Registry and launched again by an autostart entry once the machine restarts.
Memory-only threats: the payload executes only in memory, often by exploiting a vulnerability in a Windows service. When the machine is rebooted, the infection disappears unless it has been paired with a persistence mechanism.
Dual-use tools: these attacks use the pre-existing system tools in Windows for malicious purposes.
Non-PE file attacks: a sub-type of dual-use tool attack in which the malicious code is not a portable executable (PE) but a script or document that a legitimate Windows interpreter such as PowerShell, WScript or CScript executes.
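The first and last of these types usually meet in the Registry autostart keys: a Run value that launches PowerShell or a script host with an encoded or registry-stored payload. The following PowerShell is an added example, not code from the original article; it audits the common Run/RunOnce keys for script-host launchers and decodes any -EncodedCommand argument so an analyst can read what it hides. The key list and the regular expressions are assumptions about what is worth flagging, not an exhaustive list of autostart locations.

```powershell
# Added example (not from the original article): audit Run/RunOnce autostart
# values for script-host and PowerShell launchers, the usual carriers of
# fileless registry persistence and non-PE file attacks.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Interpreters that execute code without a PE file of their own ever touching disk.
$scriptHosts = 'powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe'

function Get-EncodedCommandText {
    param([string]$CommandLine)
    # -EncodedCommand (and its abbreviations -e, -ec, -enc) carries a base64 string
    # of UTF-16LE script text. The {16,} length guard keeps "-ExecutionPolicy Bypass"
    # style arguments from matching.
    if ($CommandLine -match '-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        } catch {
            return '<argument is not valid base64>'
        }
    }
    return $null
}

function Find-SuspiciousAutorun {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
            $value = [string]$prop.Value
            $usesScriptHost = $value -match $scriptHosts
            # A launcher that reads its real payload out of another registry value is
            # the classic "script stored in the Registry" persistence pattern.
            $readsRegistry = $value -match 'Get-ItemProperty|GetValue\(|HKCU:|HKLM:|reg(\.exe)?\s+query'
            if ($usesScriptHost -or $readsRegistry) {
                [pscustomobject]@{
                    Key           = $key
                    Name          = $prop.Name
                    Command       = $value
                    DecodedScript = Get-EncodedCommandText $value
                    ReadsRegistry = $readsRegistry
                }
            }
        }
    }
}

# Constructed sample (not taken from any real incident) showing the decoder on the
# kind of value such a Run entry contains: a hidden PowerShell that pulls its
# payload from another registry value and runs it with Invoke-Expression.
$payload = 'IEX (Get-ItemProperty HKCU:\Software\Demo).Payload'
$sample  = 'powershell.exe -NoP -W Hidden -enc ' +
           [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
Get-EncodedCommandText $sample

# Audit the live host.
Find-SuspiciousAutorun | Format-List
```

Legitimate software does occasionally register rundll32 or regsvr32 launchers, so treat a hit as something to read, not as a verdict; the decoded script and the ReadsRegistry flag are what separate a vendor's updater from a stored payload.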
Techniques Used by Non-Malware Attacks
To execute a non-malware attack, a hacker will use various techniques. Some of the ones that are most frequently used for these types of attacks include:
WMI persistence: the WMI repository can store malicious scripts that are invoked on a schedule or on a chosen system event through WMI permanent event subscriptions, that is, an event filter bound to an event consumer.
Script-based techniques: a script embeds encoded shellcode or an encoded binary so that no separate file is written to disk. The payload is decoded on the fly and executed through .NET objects, typically from PowerShell.
Memory exploits: fileless malware can be delivered and executed remotely by exploiting a memory-corruption vulnerability on the victim’s machine.
Reflective DLL injection: a malicious DLL is loaded straight from memory into a process, without the DLL ever being written to disk and without going through the Windows loader. The DLL can be carried inside a script or macro, or hosted on a remote machine and delivered over a staged network channel.
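The WMI persistence technique above leaves three objects behind in the root\subscription namespace: an __EventFilter (the trigger, a WQL query), an __EventConsumer (the action) and a __FilterToConsumerBinding tying them together. The following PowerShell is an added example, not code from the original article; it enumerates every binding on the host and pulls out the command line or script that the consumer would run. It assumes the CIM cmdlets (Windows PowerShell 3.0 or later) and that the reference properties of a binding come back as CimInstance objects with the Name key populated; a fallback parses the name from the textual path in case they do not.

```powershell
# Added example (not from the original article): enumerate permanent WMI event
# subscriptions, the mechanism behind WMI persistence. CommandLineEventConsumer
# and ActiveScriptEventConsumer are the consumer classes that execute
# attacker-supplied code; the other consumer classes only log or send mail.

$ns = 'root/subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

function Get-RefName {
    param($Ref)
    # Assumption: with the CIM cmdlets a reference property is a CimInstance whose
    # key (Name) is populated. The older WMI cmdlets return a path string such as
    # __EventFilter.Name="SCM Event Log Filter", which the regex handles.
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    if ("$Ref" -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
    return "$Ref"
}

function Get-WmiSubscriptionReport {
    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1
        $consumerClass = if ($consumer) { $consumer.CimClass.CimClassName } else { '<consumer missing>' }

        # Pull the executable content according to the consumer's class.
        $action = switch ($consumerClass) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { "$($consumer.ScriptingEngine): $($consumer.ScriptText)" }
            default                     { "(no code execution: $consumerClass)" }
        }

        [pscustomobject]@{
            Filter       = $filterName
            Trigger      = if ($filter) { $filter.Query } else { '<filter missing>' }
            Consumer     = $consumerName
            ConsumerType = $consumerClass
            Action       = $action
            RunsCode     = $consumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

Get-WmiSubscriptionReport | Sort-Object RunsCode -Descending | Format-List
```

On a clean Windows installation the only binding present is the built-in "SCM Event Log Filter" to "SCM Event Log Consumer" (an NTEventLogEventConsumer), so anything with RunsCode set to True, or any binding you did not create, deserves a close look at its Trigger and Action. For ongoing detection rather than a point-in-time audit, Windows 10 and Server 2016 onward also record the creation of a permanent event consumer as event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log.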
Now, it is time to learn how to protect against non-malware attacks.
5 Effective Ways to Protect Yourself Against Non-Malware Attacks
The experts have come up with several ways you can prevent and stop any instances of
Restrict any unneeded management frameworks (for example PowerShell and WMI) to the users and hosts that actually need them
Disable macros, or at the very least block macros in documents that arrive from the internet
Use endpoint security that inspects process behaviour and memory rather than only files on disk
Monitor for unauthorized network traffic, including outbound connections made by PowerShell and the script hosts
Make sure all your devices are patched regularly; many of these attacks start with a known vulnerability
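Three of the five controls above can be applied as registry policy on a single host. The following PowerShell is an added example, not code from the original article or a vendor's tool; it turns on PowerShell script block and module logging (so an encoded or in-memory script is recorded after decoding), forces PowerShell into Constrained Language Mode, and blocks Office macros. The Office version number 16.0 and the choice of Word, Excel and PowerPoint are assumptions; domain-joined fleets would set the same values through Group Policy. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): host-level policy for three of
# the controls listed above. Run elevated.

# 1. Record PowerShell activity. Script block logging writes the de-obfuscated
#    script text to Microsoft-Windows-PowerShell/Operational (event ID 4104), so an
#    -EncodedCommand or Invoke-Expression payload is logged after it is decoded.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 2. Restrict the management framework. Setting the machine-wide __PSLockDownPolicy
#    environment variable to 4 makes every new PowerShell session start in
#    Constrained Language Mode, which removes direct .NET object access (the
#    "execute through .NET objects" trick). It is a blunt control that an
#    administrator-level attacker can simply remove; AppLocker or WDAC policies
#    are the supported way to enforce the same mode and are honoured automatically.
[Environment]::SetEnvironmentVariable('__PSLockDownPolicy', '4', 'Machine')

# 3. Block Office macros. VBAWarnings=4 disables all macros without notification;
#    blockcontentexecutionfrominternet=1 blocks macros in files marked as coming
#    from the internet even where VBAWarnings is later relaxed. Office 16.0 and the
#    three applications are assumptions; add others as needed.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    Set-ItemProperty -Path $sec -Name VBAWarnings -Value 4 -Type DWord
    Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Show the result so the change can be verified on the host.
Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging"
Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security'
```

The logging settings take effect for new PowerShell sessions; the 4104 events are only useful if they are forwarded off the host, since an attacker with local administrator rights can clear the log as easily as the registry values. The macro policy is written under HKCU, so it applies to the account running the script; a per-machine deployment would use Group Policy for the same keys.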
Make Sure You're Prepared
The fact is, the instances of
To stay ahead of this threat, make sure you hire professionals who are up to date with the latest threats. They are your first line of defense when it comes to protecting your company and its information. Don't be caught without the proper resources because you will lose more than just data; you could also lose the trust of your consumers. Contact ICS now to find the people you need to identify where your weaknesses are and how to fix them.