Recently, fileless malware is being discovered on computers across the world. What makes this so hard to detect is that it does not have a file or "artifact" on the computer to be found by antivirus software. Because it does not have to write anything to a computer, it can also run on any operating system, including Unix.
So what are these programs mostly doing? They are executing scripts that encrypt their traffic, and farming clicks.
They are not keylogging; they are not configuring ports; they are farming clicks.
This raises tons of questions: Is it more profitable for a cybercriminal to farm clicks than to do industrial espionage? Are the companies deliberately putting this on their computers, pretending to be hacked, then making extra cash on the side to change the narrative?
We left Reddit because of the vote manipulation. We see all the bot Twitter posts, but we never asked where they came from. We assumed it was from China, but if a shareholder were to sue Twitter or Reddit over paid vote manipulation, then the click farms in China would easily be discovered.
With the discovery of the fileless malware thanks to the leaked NSA tools, we now have a more disturbing picture: many computers are compromised, and are running hard-to-find botnets that solely generate site traffic and manipulate online marketing.
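The post above says the malware leaves no file on disk for an antivirus scan to find. As an added example that is not part of the original thread, here is a Python check a defender can run on a Linux host: it reads each process's /proc/<pid>/exe link and flags processes whose executable was deleted from disk or lives in a memory-only filesystem, one of the endpoint-side traces a memory-resident payload leaves even when a disk scan comes up empty. The /proc paths are standard Linux; the function names are my own.

```python
"""Flag running Linux processes whose code is not backed by a file on disk.

Added example for this thread (not the poster's or any vendor's code):
fileless malware leaves no artifact for a disk scan, but the kernel still
records where each process's executable came from.
"""
import os

# Link targets that mean "the executable has no durable file on disk".
MEMORY_ONLY_PREFIXES = ("/memfd:", "/dev/shm/", "/run/shm/")


def classify_exe_link(link_target):
    """Return a reason string if the exe link looks fileless, else None.

    `link_target` is what os.readlink('/proc/<pid>/exe') returns.
    """
    if link_target.endswith(" (deleted)"):
        # Binary was unlinked after exec; only the in-memory image remains.
        return "executable deleted from disk"
    if link_target.startswith(MEMORY_ONLY_PREFIXES):
        return "executable lives in memory-only filesystem"
    return None


def scan_proc(proc_root="/proc"):
    """Return [(pid, exe_link, reason)] for every suspicious process found."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings  # not a Linux procfs; nothing to inspect
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            link = os.readlink(os.path.join(proc_root, entry, "exe"))
        except (FileNotFoundError, ProcessLookupError):
            continue  # process exited mid-scan, or a kernel thread with no exe
        except PermissionError:
            continue  # other users' processes need root to inspect
        reason = classify_exe_link(link)
        if reason is not None:
            findings.append((int(entry), link, reason))
    return findings


if __name__ == "__main__":
    for pid, link, reason in scan_proc():
        print(f"pid {pid}: {link} -> {reason}")
```

Run it as root for full coverage; a match is a lead, not a verdict, since legitimate software updated in place also shows "(deleted)" until it is restarted.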
Tancred ago
Easily discovered by monitoring traffic. Run Wireshark.
senpaithatignoresyou ago
NOPE.
Wireshark did not find it, nor did it show up in the Splunk logs, and Symantec did not find it, nor did the goddamn Indians or the SOC that they paid good money for.
It got found when we had two vendors put their endpoint protections up. One vendor found it (the most expensive one), the other did not.
They rolled out that endpoint protection on a few thousand more machines, and now it found several more instances.
Tancred ago
How does it get by Wireshark?
senpaithatignoresyou ago
I do not know.
I am hoping that it is just corporate IT being inept or under budget and staffed, and not something really nasty.
The problem is that it is not just the company I am at, but other people in other companies finding this. From what I understand there was an improvement in endpoint protection over the last few months to look for stuff like this, and now they are finding it.