Borrows worm design to act as a Trojan 'pathfinder'

Researchers have discovered an extremely rare and possibly unique form of “fileless” malware that executes entirely in memory without the need to save any files to the hard drive of a victim’s PC.

The latest discovery was made by Kaspersky Lab, which received reports of a malware attack hitting a common Java vulnerability (CVE-2011-3544) on Russian websites, but without appearing to drop any files in order to instigate a conventional Trojan attack.

In fact the attack turned out to run JavaScript from an iframe embedded on an infected website, injecting its encrypted .dll payload directly into the javaw.exe process.

The purpose of the unusual malware appears to be twofold: first to disable Windows User Account Control (UAC) and second to act as a ‘pathfinder’, setting up a bot to communicate with a command and control server from which it can receive instructions, including one to install the Lurk data-stealing Trojan on the infected PC.

The disadvantage of this attack is that the user can clear it from memory by restarting the machine, in which case a new infection would be required. In return for this inconvenience, it is extremely hard to detect. No files are written and, at first at least, no files are changed on the target PC. If the exploit being targeted is unpatched then security programs will not pick it up easily.

The use of Java also makes it multi-platform, able to target PCs, Macs and Linux computers, although the Trojan that followed in the recorded attack was Windows-only.

Kaspersky reminds us that the new malware is reminiscent of the infamous Code Red and Slammer worms of a decade ago, but both of these were built simply to spread as far and fast as possible; since both attacked specific Microsoft programs using buffer overflows, no files were needed.

The new attack is really more of an advance ‘stub’ that sets up an attack for a later point after exploiting its low profile to circumvent security systems.
This counts as distinct and new.

“Based on our analysis of the protocol used by Lurk to communicate to the command servers, we determined that over a period of several months, these servers processed requests from up to 300,000 infected machines,” said Kaspersky researcher, Sergey Golovanov.
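The indicators the article names (a module living only in memory inside javaw.exe, UAC being switched off, and the Java process talking to a command and control server) can be expressed as endpoint detection rules and correlated per host. The Python below is an added example, not Kaspersky's or the article's code. The telemetry events are constructed, the event field names are an assumed sensor schema rather than any vendor's, the internal address ranges are assumed, and the `EnableLUA` registry value is assumed as one way UAC gets disabled, since the article does not say how the malware does it.

```python
"""Correlate the three fileless-Java indicators from the article over
constructed endpoint telemetry (process, image-load, registry and network
events). Field names are an assumed schema, not a real sensor's output."""
import ipaddress
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed organisation-internal ranges; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}
JAVA_IMAGES = {"javaw.exe", "java.exe"}

# Constructed sample telemetry. Hosts, PIDs, paths and addresses are invented.
EVENTS = [
    # ws01: browser launches javaw.exe, which then shows all three indicators
    {"host": "ws01", "type": "process", "pid": 4120,
     "image": r"C:\Program Files\Java\jre6\bin\javaw.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"host": "ws01", "type": "image_load", "pid": 4120,
     "image": r"C:\Program Files\Java\jre6\bin\javaw.exe",
     "module": "<memory-only>", "backing_file": None},
    {"host": "ws01", "type": "registry_set", "pid": 4120,
     "image": r"C:\Program Files\Java\jre6\bin\javaw.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": 0},   # assumed mechanism for disabling UAC
    {"host": "ws01", "type": "network", "pid": 4120,
     "image": r"C:\Program Files\Java\jre6\bin\javaw.exe",
     "dst": "203.0.113.7", "dport": 80},
    # ws02: ordinary Java use, module backed by a file, internal connection
    {"host": "ws02", "type": "image_load", "pid": 2200,
     "image": r"C:\Program Files\Java\jre6\bin\javaw.exe",
     "module": "jvm.dll",
     "backing_file": r"C:\Program Files\Java\jre6\bin\client\jvm.dll"},
    {"host": "ws02", "type": "network", "pid": 2200,
     "image": r"C:\Program Files\Java\jre6\bin\javaw.exe",
     "dst": "10.0.0.5", "dport": 8080},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(events):
    """Return {host: set(rule names)} for events produced by a Java process."""
    # (host, pid) -> parent image name, taken from process-creation events
    parents = {(e["host"], e["pid"]): basename(e["parent_image"])
               for e in events if e["type"] == "process"}
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "process" or basename(e["image"]) not in JAVA_IMAGES:
            continue
        if e["type"] == "image_load" and e.get("backing_file") is None:
            # Code mapped into javaw.exe with no file on disk behind it.
            hits[e["host"]].add("memory_only_module_in_java")
        elif (e["type"] == "registry_set"
              and e["value"].lower() == "enablelua" and e["data"] == 0):
            hits[e["host"]].add("uac_disabled_by_java")
        elif (e["type"] == "network" and not is_internal(e["dst"])
              and parents.get((e["host"], e["pid"])) in BROWSERS):
            # Browser-spawned Java reaching out to an external address.
            hits[e["host"]].add("browser_spawned_java_external_connection")
    return dict(hits)


def alerts(events):
    """One alert per host; memory-only code plus any other indicator is high."""
    out = []
    for host, rules in sorted(evaluate(events).items()):
        high = "memory_only_module_in_java" in rules and len(rules) > 1
        out.append({"host": host, "severity": "high" if high else "medium",
                    "rules": sorted(rules)})
    return out


if __name__ == "__main__":
    for a in alerts(EVENTS):
        print(a)
```

Because the article's key point is that a reboot wipes the only evidence, a "high" alert here is the cue to capture memory from the host before anyone restarts it; the memory-only image-load rule is the one that distinguishes this case from a conventional drive-by that leaves a file to scan.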