Fileless Ransomware with Code Injection Ability Detected

It is no secret that hackers and cybercriminals are becoming dramatically more adept, innovative, and stealthy with each passing day.While new forms of cybercrime are on the rise, traditional activities seem to be shifting towards more clandestine techniques that come with limitless attack vectors with low detection rates.Security researchers have recently discovered a new fileless ransomware, dubbed “Sorebrect,” which injects malicious code into a legitimate system process (svchost.exe) on a targeted system and then self-destruct itself in order to evade detection.Unlike traditional ransomware, Sorebrect has been designed to target enterprise’s servers and endpoint. The injected code then initiates the file encryption process on the local machine and connected network shares.

This fileless ransomware first compromises administrator credentials by brute forcing or some other means and then uses Microsoft’s Sysinternals PsExec command-line utility to encrypt files.

The nasty ransomware then deletes all event logs (using wevtutil.exe) and shadow copies (using vssadmin) on the infected machine that could provide forensic evidence such as files executed on the system and their timestamps, which makes this threat hard-to-detect.In addition, Sorebrect uses the Tor network protocol in an attempt to anonymize its communication with its command-and-control (C&C) server, just like almost every other malware.The Sorebrect fileless ransomware has been designed to target systems from various industries including manufacturing, technology, and telecommunications.

This is not the first time when researchers have come across Fileless malware. Two months ago, Talos researchers discovered a DNS Messenger Attack that was completely Fileless and used DNS TXT messaging capabilities to compromise systems.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s