Fileless Attack Vector
A new malware vector, using a sophisticated fileless method of infecting machines, has been documented by Morphisec.
This new attack targets restaurants and begins with a phishing email carrying an .rtf attachment. When the attachment is opened and double-clicked, a convoluted series of steps follows:
- The PowerShell script executes a child PowerShell process, which in turn executes a second PowerShell process.
- The second PowerShell process injects shellcode into itself.
- The shellcode uses dnsapi.dll to query a series of A records from the attacker's domain.
- The data returned from the series of DNS queries is appended to a buffer and eventually decrypted.
- The decrypted buffer is altered by removing the MZ prefix from the code. This prefix may indicate that the code is a DLL, and it is removed to help hide the code from memory scanning tools.
- The decrypted buffer has been identified as Cobalt Strike Meterpreter, a tool used by many pen testers and malware authors.
This highly sophisticated process shows how the strategies used by malware authors can rapidly change and evolve in order to evade detection.
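The DNS stage above leaves a recognisable footprint in resolver logs: one client resolving many distinct A-record names under a single parent domain in a short span. The following detection script is an added example, not code from Morphisec's report; the log line format, client addresses and domain names are constructed, and the "last two labels" rule for the parent domain is a simplifying assumption (a real deployment would use the Public Suffix List).

```python
"""Added example (not from the Morphisec report): flag hosts that pull a
payload in pieces through many A-record lookups under one parent domain."""
import re
from collections import defaultdict

# Constructed resolver-log format: "client=<ip> qtype=<type> name=<fqdn>"
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qtype=(?P<qtype>\S+)\s+name=(?P<name>\S+)")

# Constructed sample log: benign lookups plus twelve sequential chunk
# lookups of the kind a staged DNS download produces.
SAMPLE_LOG = "\n".join(
    ["client=10.0.0.5 qtype=A name=www.example.com",
     "client=10.0.0.7 qtype=A name=mail.example.com",
     "client=10.0.0.7 qtype=AAAA name=www.example.com"]
    + [f"client=10.0.0.5 qtype=A name=c{i:03d}.stage.attacker-example.test"
       for i in range(12)]
)


def parent_domain(name: str, levels: int = 2) -> str:
    """Approximate the registered domain by keeping the last `levels` labels.
    Assumption for this example; use the Public Suffix List in production."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def find_staged_dns_downloads(log_text: str, min_unique: int = 8) -> dict:
    """Return {(client, parent_domain): count} for every pair whose count of
    distinct A-record names reaches min_unique. Many distinct names under one
    parent, from one client, is the signature of data arriving in DNS answers
    rather than of ordinary name resolution."""
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("qtype") != "A":
            continue  # only A records carried the payload in this case
        key = (m.group("client"), parent_domain(m.group("name")))
        names[key].add(m.group("name"))
    return {k: len(v) for k, v in names.items() if len(v) >= min_unique}


if __name__ == "__main__":
    for (client, domain), n in find_staged_dns_downloads(SAMPLE_LOG).items():
        print(f"ALERT {client} resolved {n} distinct A names under {domain}")
```

Tune `min_unique` against a baseline of your own resolver traffic; CDNs and some telemetry services legitimately produce many distinct names per client, so the alert is a triage lead, not proof of compromise.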