FBI Warns of Banking Trojan That Eludes Antivirus as Fileless Malware Attacks Rise

The Federal Bureau of Investigation (FBI) has released information to help federal, state, local, and private sector organizations protect themselves against the Osiris Banking Trojan and fileless malware attacks. Fileless malware is a growing threat to the banking industry requiring sophisticated techniques to protect systems against cyber-criminal activity. The Osiris Banking Trojan, which is an upgraded version of the Kronos Banking Trojan, uses two fileless techniques, making it more difficult to detect using standard antivirus software. Its added features and enhanced functionality allow cyber criminals to gain remote access to financial customer profiles and cause the malware to be more effective in stealing funds.

Fileless Malware Attacks on the Rise

Based on reporting from a private security firm, between January and June 2018, fileless malware intrusion detections have increased 94 percent. Fileless malware operates partly or entirely from the computer’s memory without placing malicious executables on the underlying file system. Using phishing and spearphishing as an initial vector, it can bypass the file system by loading and executing malicious code directly in memory, storing malicious scripts in the registry, or using legitimate system administration tools such as PowerShell.

Standard antivirus software detects malware by scanning the file system for files sharing characteristics with known malware, files which are variants of known malware “families” or are related to known malware by a common code base, and suspicious system behavior or file structures. Given the characteristics of fileless malware, most antivirus programs are unable to detect it on victim machines.

The Osiris malware, sold as a Malware-as-a-service worldwide, combines two fileless techniques, Process Hollowing and Process Doppelgänging, which enable the malware to compromise legitimate software as it infects a targeted system. One of the techniques, Process Doppelgänging, which became public in December 2017, affects all versions of Microsoft Windows and bypasses most antivirus software. Process Hollowing occurs when a process is created in a suspended state, after which its memory is unmapped and replaced with malicious code. The execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis.

Technical Details of the Osiris Banking Trojan

Technical analysis on Osiris code shows the following: (Directory comparison between Osiris and Kronos)

Number of subdirectories: 87

Number of equal files: 309

Number of different files: 883

Osiris contains a new table called `cclogs`, `browser_passwd`, `cc_data`, `running_jobs`; Once a victim’s machine is infected, Osiris runs a SOCKS/proxy server on the machine. Those credentials are reported back to the Osiris C&C to store that information. Osiris has the following features activated or deactivated;

define(“RVNC_ENABLED”, FALSE); //Reverse VNC

define(“SOCKS_ENABLED”, FALSE); //Socks

define(“KLOG_ENABLED”, TRUE); //Key Logger

define(“EMAIL_SPREAD_ENABLED”, FALSE); //Email Spread

define(“RHVNC_ENABLED”, FALSE); //Reverse Hidden VNC

define(“TV_ENABLED”, FALSE); //TeamViewer

define(“HVNC2_ENABLED”, FALSE); //HVNC2

Recommendations

The FBI recommends monitoring system behavior, securing administrative tools, and adopting advanced network event collection and visualization technologies to improve detection rates for fileless malware.

—Security solutions which do not rely solely on file system activity by also conducting behavior monitoring, memory scanning, and boot sector protection can help to protect networks from fileless attacks.

—Fileless attacks have used administrative tools already present in a victim network, including PowerShell, in various ways during cyber operations. Securing and monitoring the use of such tools could reduce cyber actors’ ability to exploit them in conjunction with fileless malware.

—Security Incident and Event Management (SIEM) technologies—which aggregate, store, visualize, and create automated reports and alerts based on customized queries— can help identify and craft signatures for malicious system behavior in lieu of a file signature to identify evolving adversary tactics, including fileless malware.

Read more at the National Capital Region Threat Intelligence Consortium

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Leave a Reply

Latest from Cybersecurity

SIGN UP NOW for FREE News & Analysis on topics of your choice across homeland security!

BEYOND POLITICS.  IT'S ABOUT THE MISSION. 

Go to Top
Malcare WordPress Security