Written by Shaun Waterman

Weeks before the WannaCry ransomware spread like wildfire through unpatched Windows systems, a more sophisticated, stealthier attacker used the same NSA-engineered cyberweapon to infiltrate the IT networks of companies across the world, including at least one publicly traded in the U.S., according to new research.

So stealthy was the fileless, in-memory attack, which hides itself inside the activity of a legitimate application, that it evaded five different security products running on the infected system, Gil Barak, CTO of Israeli cybersecurity firm Secdo told CyberScoop. Those products included so-called “next generation” filters that don’t rely on known signatures, he said.

“Not only did they not stop the attack, they couldn’t even see it,” he said. Attackers using the technique “can pretty much do what they want, unnoticed — and then vanish.”

Barak wrote a blog post on the attack and appeared with noted security researcher Jake Williams on a webcast this week where the two discussed the technique, which is not completely novel but has been previously deployed only by attackers with a nation-state level of sophistication. Researchers saw WannaCry, by comparison, as amateurish.

“These were sophisticated attackers,” Barak told CyberScoop, “much more sophisticated than [those that wrote WannaCry] but not necessarily at a nation-state level.”

He said the attacks had begun in April, shortly after the anonymous group the Shadow Brokers dumped the exploit toolset online, complete with source code which can be cut-and-pasted to make your own cyberweapon.

Barak wouldn’t comment on the victim enterprises other than saying one was a publicly traded U.S. company. Williams told CyberScoop that because the attack was “really, really stealthy … No one is catching them … [and] the sample size of demonstrable attacks is very small.”

Williams’ company, Rendition Infosec, has a honeypot on the internet looking for large-scale or automated attacks using the NSA-built DoublePulsar and EternalBlue exploits.

“We haven’t seen the attacks that Secdo [customers] are seeing [in our honeypot], but to be honest, we weren’t instrumented for it. No one is. Unless you have their tool or the [indicators of compromise they are now providing] you are not going to catch it,” Williams said, adding that his honeypot was also “not very convincing. … Any attacker who looks at it for more than a minute or two is going to realize it’s not real.”

More than fileless

Conventional malware is loaded onto an infected computer in the same way any other software application is — a Windows program called an executable, with a .exe file extension, is downloaded over the internet and installed on the hard drive. By contrast, fileless or in-memory attacks inject their malicious code directly into the computer’s working memory. But even that leaves traces at the process level which can be discovered using conventional forensic tools, Barak said.

“This is different [from previously observed fileless or in-memory attacks], They’re not using scripts or applications, the thread [doing the hackers’ work] is hidden inside a legitimate process … run by a regular application.” A thread is the smallest and simplest sequence of programming commands managed by the computer’s microprocessor.

After compromising a system using the NSA tools, the attackers disguise their activity as a thread in lsass.exe, the Local Security Authority Subsystem Service — a process that enforces Windows security policy.

Then they start stealing credentials — usernames, passwords and encryption keys. The stolen data is exfiltrated using the Tor network, said Barak, which encrypts all its traffic and then bounces it around at random among hundreds of volunteer-maintained nodes — making it impossible to track.

“We don’t know where they took the data,” he said, but added, “The attack originated from a Russian IP address,” meaning someone accessing the internet via a device located in Russia.

The credential theft “is the really dangerous part” of the attack, said Williams. “DoublePulsar can’t survive a reboot,” and most enterprises will soon patch the vulnerability that DoublePulsar and EternalBlue exploit if they haven’t already, “but with those credentials, you can come back anytime [masquerading] as a legitimate user.”

Because the attack leaves no traces that can be detected by conventional security programs, Williams adds, compromised companies won’t even realize they’ve been compromised — and won’t force employees to change their passwords or get new encryption keys.

Financially motivated?

In at least one case, after exfiltrating the credentials, the attackers then used a fileless version of a ransomware program called Cry128 to encrypt files on the compromised machine.

That seems to be evidence that the attackers were financially motivated, but with so few samples, it’s hard to tell. “Obviously, ransomware is asking for money,” said Barak, “But it’s hard to tell this early. Was it a targeted attack or opportunistic… We don’t know at this stage.”

“My gut says it’s nation-state,” said Williams, “most criminals don’t need to operate so stealthily,” but he acknowledged that there was very little data to go on so far.

As researchers get more data, they will know more about the attackers, he said.

Also unknown: How widespread the attacks were and whether they’re still ongoing.

Williams’ internet scanning found a number of machines compromised with DoublePulsar that varied from 25,000 some days to as many as 150,000 at other times. “What we don’t know is how many of those machines [having been compromised] were then attacked” in this way. “We don’t know what the attackers did after they compromised the machines,” because that’s not possible to discern from a simple internet scan, Williams said.

He added that even the in-memory thread-emulation attacks detected by Secdo left some indicators behind and that the scale of the attack would soon become clearer. “As time goes by and when we get access to a system that was infected, we’ll be able to tell more,” he said.