The Federal Bureau of Investigation (FBI) has released information to help federal, state, local, and private sector organizations protect themselves against the Osiris Banking Trojan and fileless malware attacks. Fileless malware is a growing threat to the banking industry requiring sophisticated techniques to protect systems against cyber-criminal activity. The Osiris Banking Trojan, which is an upgraded version of the Kronos Banking Trojan, uses two fileless techniques, making it more difficult to detect using standard antivirus software. Its added features and enhanced functionality allow cyber criminals to gain remote access to financial customer profiles and cause the malware to be more effective in stealing funds.
Fileless Malware Attacks on the Rise
Based on reporting from a private security firm, between January and June 2018, fileless malware intrusion detections have increased 94 percent. Fileless malware operates partly or entirely from the computer’s memory without placing malicious executables on the underlying file system. Using phishing and spearphishing as an initial vector, it can bypass the file system by loading and executing malicious code directly in memory, storing malicious scripts in the registry, or using legitimate system administration tools such as PowerShell.
Standard antivirus software detects malware by scanning the file system for files sharing characteristics with known malware, files which are variants of known malware “families” or are related to known malware by a common code base, and suspicious system behavior or file structures. Given the characteristics of fileless malware, most antivirus programs are unable to detect it on victim machines.
The Osiris malware, sold as a Malware-as-a-service worldwide, combines two fileless techniques, Process Hollowing and Process Doppelgänging, which enable the malware to compromise legitimate software as it infects a targeted system. One of the techniques, Process Doppelgänging, which became public in December 2017, affects all versions of Microsoft Windows and bypasses most antivirus software. Process Hollowing occurs when a process is created in a suspended state, after which its memory is unmapped and replaced with malicious code. The execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis.
Technical Details of the Osiris Banking Trojan
Technical analysis on Osiris code shows the following: (Directory comparison between Osiris and Kronos)
Number of subdirectories: 87
Number of equal files: 309
Number of different files: 883
Osiris contains a new table called `cclogs`, `browser_passwd`, `cc_data`, `running_jobs`; Once a victim’s machine is infected, Osiris runs a SOCKS/proxy server on the machine. Those credentials are reported back to the Osiris C&C to store that information. Osiris has the following features activated or deactivated;
define(“RVNC_ENABLED”, FALSE); //Reverse VNC
define(“SOCKS_ENABLED”, FALSE); //Socks
define(“KLOG_ENABLED”, TRUE); //Key Logger
define(“EMAIL_SPREAD_ENABLED”, FALSE); //Email Spread
define(“RHVNC_ENABLED”, FALSE); //Reverse Hidden VNC
define(“TV_ENABLED”, FALSE); //TeamViewer
define(“HVNC2_ENABLED”, FALSE); //HVNC2
The FBI recommends monitoring system behavior, securing administrative tools, and adopting advanced network event collection and visualization technologies to improve detection rates for fileless malware.
—Security solutions which do not rely solely on file system activity by also conducting behavior monitoring, memory scanning, and boot sector protection can help to protect networks from fileless attacks.
—Fileless attacks have used administrative tools already present in a victim network, including PowerShell, in various ways during cyber operations. Securing and monitoring the use of such tools could reduce cyber actors’ ability to exploit them in conjunction with fileless malware.
—Security Incident and Event Management (SIEM) technologies—which aggregate, store, visualize, and create automated reports and alerts based on customized queries— can help identify and craft signatures for malicious system behavior in lieu of a file signature to identify evolving adversary tactics, including fileless malware.