14 DAY TRIAL // A new cyber-attack has been spotted to be launched by Angler exploit kit, a memory-residing malware that creates no file on the victim’s computer.
The threat is delivered via a drive-by download and the code is injected straight into the web browser process, leaving no trace of infection.
French malware researcher Kafeine discovered that the new malware was not picked up by his regular security solutions and evaded detection of a host-based intrusion prevention system (HIPS) he relied on.
When the victim lands on a compromised website, they are redirected to a malicious page that serves the exploit kit. The web browser is then scanned for outdated versions of software known to have vulnerabilities; this includes Adobe Reader, Flash Player and Java.
Angler exploit kit then exploits the security flaw and adds the malware in the memory of the system (RAM).
The next stage of the attack is to inject malicious code into the web browser, offering the possibility to steal sensitive information such as account credentials.
According to Kafeine, the malware is not placed on the hard disk, which denies persistence on the system. This means that a computer reboot eliminates the malware.
Although it’s so easy to be removed, the malicious file may not need to survive a restart to complete its task, as it can act as a one-time stealer to exfiltrate the information.
The attackers may also rely on this stealthy tool to collect intelligence about the victimized system (e.g. enumerate running processes) in preparation for a targeted attack with malware specially crafted to evade detection from available security products.
The researcher says that catching the malware is difficult, as it has to be pulled from the memory or from the recorded traffic and then be decoded.
This is not the first time memory malware has been discovered. The method has been previously used by attackers, but generally such threats are used as droppers for persistent malware.
In a recent case, it was discovered that a memory-residing malware dubbed Poweliks by researchers at G Data achieved persistence by creating an autostart entry in the registry, allowing it to be deployed when the OS started.
The entry contained two sets of code, one of them being a PowerShell script responsible for decoding and executing shellcode that injected a DLL in the memory.
The next step was to contact a remote command and control server for instructions, which could be to download a malicious file.