By Charles Parker, II; Information Security Architect
Malware is being written and released into the wild at an alarming rate. People across the globe write it for personal profit, under contract, or to make a point (e.g. hacktivism). Most of it has been observed to operate in a narrow, predictable way.
The usual delivery path to the target is email. The user reads an email carrying an attachment, opens it, and the malware is written to the hard drive. This pattern has been repeated across the globe.
Recently a new variant of an older method has appeared. This variant loads the malware into memory (RAM) instead. It departs from the current trend but recycles an older technique; a prior example of this style of attack was the Ursnif malware.
As noted, malware is generally saved to the hard drive. This makes it persistent: when the computer is shut down and turned back on, the malware is still present.
With this new variant, the malware resides in RAM. It is not stored on the hard drive of the targeted, infected system. This had previously been seen more often with drive-by malware attacks. While this approach is unusual, it has proven effective.
Historically, attackers have not used this technique most of the time. It was a less attractive option because the attack fails as soon as the user reboots the system, which clears RAM and effectively removes the malware.
It does offer the attacker a benefit, in that AV is generally engineered to scan hard drives and not RAM.
At a basic level, this is structured as a social engineering attack. It was not part of a spam campaign. Structurally, the person receives an email personalized with the person’s name, address, and other select information.
The body of the email gives a pertinent reason for opening the attachment right away (e.g. the user has to open the attachment urgently!). The attachment is a Word document. Since this is not a .exe file, the person may have a greater sense of security and believe this is fine.
The user then opens the Word document. Unbeknownst to the user, this allows the macro in the Word document to execute, and the malware is placed in the system’s memory.
The malware was also coded to check whether it had been placed in a sandbox or virtual environment.
Palo Alto Networks noted that an estimated 1,500 emails were sent in this campaign. As further evidence of the targeting, each email was tailored to its recipient.
The targets have been in the US and Europe, with a smaller portion of the emails sent to Canada. The campaign has focused on the hospital, manufacturing, energy, and tech industries.
Malware tends to be used repeatedly and to resurface once users and admins have forgotten about it. This is a sample of malware that warrants wariness: defenses should be put in place and not removed for convenience.
There are a number of defenses against this. They are familiar and have been seen many times before with other instances. These common-sense approaches still work well when implemented.
The user should not enable macros in Word documents. If the user is not certain of the sender’s identity or is not expecting an attachment, the attachment should not be opened.
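One place to enforce the macro defense above is at the mail gateway, before the document reaches the user. The following is an added example, not code from the article or from any vendor: it classifies a raw Word attachment as macro-bearing by looking for the vbaProject.bin part (or its content-type registration) inside the Office Open XML zip, and treats legacy OLE2 .doc files as unverifiable. The build_sample_docx helper and its contents are constructed test data, not real Word files.

```python
import io
import zipfile

# Office Open XML (docx/docm) files are zip archives; a VBA project is stored
# as word/vbaProject.bin. Legacy binary .doc files start with the OLE2 magic.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_PART = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office' for raw bytes."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc: macros live inside OLE storages. Without an OLE parser
        # the safe gateway policy is to treat the file as unverifiable.
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return "not-office"
    # Either the VBA part itself or its content-type registration is enough to flag.
    has_vba = any(n.lower().endswith(VBA_PART) for n in names)
    has_vba = has_vba or VBA_CONTENT_TYPE in content_types
    return "macro" if has_vba else "clean"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal docx-like archive for testing (constructed data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
              '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            ct.append('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="%s"/>' % VBA_CONTENT_TYPE)
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-blob")
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("invoice.docm", True), ("memo.docx", False)):
        print(label, "->", classify_attachment(build_sample_docx(flag)))
```

A gateway would quarantine anything classified as macro or legacy-binary rather than relying on the user to decline the "Enable Content" prompt.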
About The Author
Charles Parker, II began coding in the 1980s. Presently CP is an Information Security Architect at a Tier One supplier to the automobile industry. CP is presently completing a Ph.D. (Information Assurance and Security), with the dissertation in progress. CP’s interests include cryptography, SCADA, and securing
Charles Parker, II can be reached online at firstname.lastname@example.org and InfoSecPirate (Twitter).