Netwire phishing campaign uses process hollowing to carry out code injection

News by Rene Millman

Phishing campaign attacker targets multiple customers and successfully executes payload without having to write the executable dropper or the payload to the disk by using process hollowing.

Security researchers have discovered a recent phishing campaign where an attacker targeted multiple customers and successfully executed their payload without having to write the executable dropper or the payload to the disk.

According to blog post by researchers at Fireeye, the campaign kicked off in February this year and involved the use of VBScript, PowerShell and the .NET framework to perform a code injection attack using a process hollowing technique.

"The attacker abused the functionality of loading .NET assembly directly into memory of PowerShell to execute malicious code without creating any PE files on the disk," said researchers.

According to researchers the malware prompts the victim to open a document stored on Google Drive. It is thought that the hackers are targeting members of the airline industry that use a particular aircraft model. They added that there has been an increasing number of attackers relying on cloud-based file storage services that bypass firewall restrictions to host their payload.

Researchers said that when executed, after multiple levels of obfuscation, a PowerShell script is executed that loads a .NET assembly from a remote URL, functions of which are then used to inject the final payload (NETWIRE Trojan) into a benign Microsoft executable using process hollowing.

"This can potentially bypass application whitelisting since all processes spawned during the attack are legitimate Microsoft executables," said researchers.

The final payload in the attack was identified as a Netwire backdoor. Its capabilities include key logging, reverse shell, and password theft. The backdoor uses a custom encryption algorithm to encrypt data and then writes it to a file created in the ./LOGS directory. The malware also contains a custom obfuscation algorithm to hide registry keys, APIs, DLL names, and other strings from static analysis.

"Malware authors continue to use different "fileless" process execution techniques to reduce the number of indicators on an endpoint. The lack of visibility into .NET process execution combined with the flexibility of PowerShell makes this technique all the more effective," said researchers.

Pascal Geenens, security evangelist at Radware, told SC Media UK that in this particular case training employees and awareness campaigns should have prevented the download and execution of the VBS script.

"The warning message about a program that could not be verified and that is about to execute should not be ignored, employees that are trained and are aware of the risks can at least ask their security dept for help or have them look into the email and link to ensure it is benign," he said.

"It should be caught in-flight, meaning at the gateway level. Most of the internet web traffic is encrypted, a security blessing, but at the same time attackers exploit that feature against us. By encrypting payloads malicious agents know very well that most gateways will not be able to look into the contents and provide deep inspection to detect malicious payloads."

Dr Simon Wiseman, CTO of Deep Secure, told SC Media UK that the allure of Fileless Malware is that it can launch without being stored on disk, and malware detection techniques – whether looking at data or behaviour – can’t cope with it.

"It "lives off the land", concealed in data in documents and images, exploiting applications on the victim’s machine. As a result, anti-virus software never detects it, even if the malware’s signatures are known – essentially making it impossible to find," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event