Ephemeral, In-Memory Attack Used With New IE 0Day

It was just last week that we wrote about research from the security firm Triumfant that found evidence for the growing use of ephemeral “diskless” malware. That point was driven home over the weekend, with a report from the firm FireEye that found a new Internet Explorer zero-day vulnerability was being used in conjunction with a diskless variant of the Hydraq (aka “McRAT”) Trojan horse program.

The firm FireEye said attacks discovered on a web site exploit a newly discovered Internet Explorer vulnerability to install ephemeral, in-memory-only malware.

FireEye first called attention on Friday to attacks exploiting new “zero day” (or previously unknown) vulnerabilities in the Internet Explorer web browser. The company discovered the malicious activity on a “strategically important website” that was being used as a “watering hole” to attack visitors who were “interested in national and international security policy.”

The company described two IE vulnerabilities: an information leakage hole and an IE out-of-bounds memory access vulnerability. The information leak affects Windows XP with IE 8 and Windows 7 with IE 9. The memory access vulnerability was found on Windows XP systems using IE 7 and 8, and on Windows 7. The attacks follow patches for two Internet Explorer security holes in Microsoft’s October patch release.

In a follow-up post on Sunday, however, the company added more information about the watering hole attacks it had observed. Specifically, FireEye described the malware as a diskless variety that “does not write itself to disk, leaving little to no artifacts that can be used to identify infected endpoints.”

In-memory attacks are very difficult to detect, because the malware does not attempt to write itself to the disk of the infected system – an action that many security products are trained to look for as a possible indicator of compromise. Instead, the malware runs in memory only. The disadvantage, from the attacker’s standpoint, is that such infections only last as long as the infected system is running. Once it reboots, the memory is flushed and the malicious code with it.

Ephemeral, diskless malware requires attackers to act quickly, before their target is shut down or restarted. Its use in the attacks described by FireEye suggests that those behind the attack were “confident in both their resources and skills,” according to FireEye. “As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organizations,” FireEye noted.

FireEye’s analysis shows how the malicious payload is injected into memory.

Researchers at the firm Triumfant (a FireEye competitor) said last week that they were seeing more evidence that attackers were shifting to use diskless malware, which they term ‘Advanced Volatile Threats.’ That’s especially true in attacks on high-value targets. In an interview with The Security Ledger, Triumfant CEO John Prisco said that in-memory attacks can be just as damaging as more traditional infections, and that the use of non-persistent malware may be far more common than has been reported.
