Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market.
Malicious code used in so-called fileless attacks resides almost entirely in computer memory, a feat that prevents it from leaving the kinds of traces that are spotted by traditional antivirus scanners. Once the sole province of state-sponsored spies casing the highest value targets, the in-memory techniques are becoming increasingly common in financially motivated hack attacks. They typically make use of commonly used administrative and security-testing tools such as PowerShell, Metasploit, and Mimikatz, which attackers use to feed malicious commands to targeted computers.
FIN7, an established hacking group with ties to the Carbanak Gang, is among the converts to this new technique, researchers from security firm Morphisec reported in a recently published blog post. The dynamic link library file it’s using to infect Windows computers in an ongoing attack on US restaurants would normally be detected by just about any AV program if the file was written to a hard drive. But because the file contents are piped into computer memory using PowerShell, the file wasn’t visible to any of the 56 most widely used AV programs, according to a Virus Total query conducted earlier this month.
“FIN7 constantly upgrades their attacks and evasion techniques, thus becoming even more dangerous and unpredictable,” Morphisec Vice President of Research and Development Michael Gorelik wrote. “The analysis of this attack shows, how easy it is for them to bypass static, dynamic and behavior based solutions. These attacks pose a severe risk to enterprises.”
Anatomy of an infection
To be sure, the attack isn’t entirely fileless, since it arrives in a booby-trapped Word document attached to a phishing e-mail. The e-mails are tailored to the person receiving them and contain attachments with names including menu.rtf, Olive Garden.rtf and Chick Fil A Order.rtf. Unlike most other Word-based attacks, however, once the document triggers an infection, the final payload resides only in memory.
“This shellcode iterates over process environment block and looks immediately for dnsapi.dll name (xor 13) and its DnsQueryA function,” Gorelik explained. “Basically, FIN7 implemented a shellcode that gets the next stage shellcode using the DNS messaging technique directly from memory. This way they can successfully evade many of the behavior based solutions.”
The attack isn’t the first to generate PowerShell scripts based on DNS requests. Cisco Systems’ Talos Threat Research Group saw something similar in March. FIN7’s ongoing campaign against restaurants suggests the technique won’t be going away anytime soon.