Morphisec has been investigating a new threat delivered through a macro-enabled Word document. The document was attached to phishing emails sent to various firms targeted by the attackers, and this kind of delivery has been linked to many recent attacks on companies. Characteristics of the C2 server closely resemble those seen in the DNS PowerShell messenger attack, which suggests that the same group is behind both. Reports from Talos, Kaspersky and FireEye point to a group known in the industry as FIN7.
The attack begins by planting a PowerShell agent on the computer, which then opens a backdoor through which the rest of the attack is carried out. The attacker then loads additional software that steals passwords or carries out another attack, and can run various tools on the operating system through the backdoor, including Cmd, Lazagne, Mimikatz and others.
Given how poorly this attack is detected, there are several steps you can take to clean it up properly:
- First, remove the PowerShell agent's persistence by deleting the command that executes the VBS file from the Run key under HKCU in the registry. If the file was run with administrator privileges, also check the Run key under HKLM to be sure the entry has been removed completely.
- Check the list of scheduled tasks; if you find a task named Updater, delete it, as it should not exist on your computer.
- The attacker builds in persistence so that, even if their server is shut down, they will still have a backdoor into your system when they come back online.
- The attacker is also likely to have hidden files in a public folder on your system. Look in the Users/Public/Documents folder for the conf.vbs and Updater.ps1 files and delete them. Delete them permanently, as they can be executed from any location.
- If you ever changed the security settings of your Office applications, revert them to the default settings. This restores a layer of security that the attack may have relied on.
- You can also install Morphisec, which helps prevent memory-based attacks and provides strong protection against attacks of this kind.
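As an added example (not code from the Morphisec report), the following PowerShell script checks a Windows host for the three persistence artifacts the steps above describe and reports what it finds without deleting anything. The task name and file names come from the article; the Run key paths are the standard Windows locations.

```powershell
# Added example, not from the original article: read-only check for the persistence
# artifacts described above. It reports findings and removes nothing.

$findings = @()

# 1. Run keys under HKCU and HKLM: any value that launches a .vbs file (the VBS loader).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata, keep real values
        if ("$($p.Value)" -match '(?i)\.vbs|wscript|cscript') {
            $findings += "Run value '$($p.Name)' in $key launches a script: $($p.Value)"
        }
    }
}

# 2. A scheduled task named Updater (name taken from the article).
$task = Get-ScheduledTask -TaskName 'Updater' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task 'Updater' exists (state: $($task.State)); action: $action"
}

# 3. Dropped files in the public Documents folder ($env:PUBLIC is normally C:\Users\Public).
$publicDocs = Join-Path $env:PUBLIC 'Documents'
foreach ($name in 'conf.vbs', 'Updater.ps1') {
    $path = Join-Path $publicDocs $name
    if (Test-Path $path) {
        $item = Get-Item $path -Force
        $findings += "File present: $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this campaign were found.'
} else {
    Write-Output 'Possible persistence artifacts found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell session so the HKLM Run key and all scheduled tasks are readable; review any hit before deleting, since a legitimate value could match the script pattern.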
The rise of fileless attacks has made them very difficult to curb, as they are virtually undetectable. They reside in the computer's memory and take commands from the internet to execute on the machine, and the way the attack runs once it is on the victim's computer is also very discreet. When tested against most antivirus products, the attack was not detected, which is a serious problem.