A recent study of trends in the threat landscape found that fileless threats are the most common critical-severity cybersecurity threat category for endpoints.
The report further divides endpoint security threats into three main categories based on critical-severity Indicators of Compromise (IOCs):
Fileless malware forms the first segment. It includes malware such as Kovter, Poweliks, Divergent, and LemonDuck, and accounts for 30% of critical-severity threats. These threats require immediate attention, as they are considered the most destructive of the three.
The second segment consists of dual-use tools employed for both exploitation and post-exploitation tasks, making up 24% of critical threats. Tools such as PowerShell Empire, Cobalt Strike, PowerSploit, and Metasploit fall into this segment.
The third and final segment is credential-dumping tools, comprising 21% of critical threats. Most commonly this is Mimikatz, used to scrape login credentials from a compromised computer.
A mix of other threats, including ransomware (Maze, Ryuk, and BitPaymer); worms (Qakbot and Ramnit); RATs (Corebot and Glupteba); banking Trojans (Dridex, Dyre, Astaroth, and Azorult); and other downloaders, wipers, and rootkits, makes up the remaining 25%.
Recent Fileless Attacks –
By abusing tools that are already present on the system, attackers using fileless techniques can maintain persistence and evade detection.
- Last month, attackers deployed the FritzFrog P2P botnet using a fileless method on the servers of at least 500 enterprises and government facilities, in an effort to avoid detection and leave little trace of its presence.
- In May, the Netwalker ransomware used DLL injection to deploy fileless malware while avoiding traces on disk.
To defend against fileless malware, our security experts suggest that users protect their endpoints by limiting the execution of unknown files, monitoring processes for unusual changes and the registry for strange process-injection attempts, and keeping an eye on connections between endpoints.
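As an added example (not from the eScan post), the process, registry and connection checks above written as simple detection logic over constructed, Sysmon-style telemetry records; the event IDs follow Sysmon's numbering, while every path, registry key, command line and address is invented sample data.

```python
import re

# Constructed, simplified telemetry records modelled on Sysmon event types:
# 1 = process create, 3 = network connection, 8 = CreateRemoteThread,
# 13 = registry value set. Every path, key and address is invented sample data.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": 'mshta vbscript:Execute("...")'},
    {"id": 8, "source_image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "10.0.5.23:445"},
    {"id": 1, "image": r"C:\Program Files\Git\cmd\git.exe", "cmdline": "git pull"},
]

ENCODED_ARG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_ARG = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript", "rundll32", "regsvr32", "vbscript:")
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
LATERAL_PORTS = ("445", "135", "5985", "5986")  # SMB, RPC, WinRM

def flag_event(ev):
    """Return the reasons one event looks like fileless / living-off-the-land activity."""
    reasons = []
    image = ev.get("image", "").lower()
    if ev["id"] == 1 and "powershell" in image:
        # Encoded or hidden PowerShell is the usual launcher for in-memory payloads.
        if ENCODED_ARG.search(ev["cmdline"]):
            reasons.append("encoded PowerShell command line")
        if HIDDEN_ARG.search(ev["cmdline"]):
            reasons.append("hidden PowerShell window")
    elif ev["id"] == 13:
        # Registry-resident persistence: a script host stored in an autorun value.
        in_autorun = any(k in ev["target"].lower() for k in AUTORUN_KEYS)
        if in_autorun and any(h in ev["details"].lower() for h in SCRIPT_HOSTS):
            reasons.append("script host written to an autorun registry value")
    elif ev["id"] == 8 and USER_WRITABLE.search(ev["source_image"]):
        # Process injection from a user-writable path into another process.
        reasons.append(f"remote thread into {ev['target_image']} from user-writable path")
    elif ev["id"] == 3 and "powershell" in image:
        if ev["dest"].rsplit(":", 1)[-1] in LATERAL_PORTS:
            reasons.append(f"PowerShell connecting to admin port {ev['dest']}")
    return reasons

def triage(events):
    # (index, reasons) for every event that raised at least one flag
    return [(i, r) for i, ev in enumerate(events) if (r := flag_event(ev))]
```

Real deployments would feed these rules from the Sysmon or EDR event stream and tune the allow-lists per environment; the ordinary `git pull` record shows the checks staying quiet on benign activity.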
To read more, please check the eScan Blog.