Spy Vs. Spy

Ephemeral In-Memory Malware Common At High Value Targets

Computer security has always been a game of Spy vs. Spy, with the bad guys trying to stay one step ahead of the latest tactics and tools used to catch them. And that’s still true today, in an age of so-called “advanced persistent threats.” So what’s the next big thing in advanced malware? How about ghostly, ephemeral malware that never exists outside of memory and disappears whenever the infected system is rebooted?

Spy Vs. Spy
Triumfant says that in-memory “AVT” style attacks are the latest weapon in the battle between malware authors and security firms.


The security firm Triumfant issued a warning on Monday about what it calls “advanced volatile threats” or AVT. The malware is already a common component in attacks against high value targets, including government agencies and intelligence services John Prisco, Triumfant’s CEO and President told The Security Ledger.

The terminology here is a bit tricky – as Prisco admits. Technically, almost every online attack begins in memory, where attackers seek to overwrite the memory space used by a target system and trick it into executing their malicious instructions, rather than those required by a legitimate application. However, most malicious programs attempt to establish a permanent foothold on infected systems that will allow them to become “persistent” and continue working even after the infected system is restarted.

In contrast, Advanced Volatile Threats reside in a computer’s random access memory (RAM) or other volatile memory, but make no effort to become permanent on the system. The threats are wiped clear when the system is restarted -thus, they are not “persistent.” But, short of that, they can do much of what traditional malware is able to do, while staying below the radar of traditional anti malware programs.

Prisco said that his company has encountered more AVT-style malware in recent months, especially at “high value” customer sites. The company first blogged about the issue in March. The programs are often loaded by way of an exploit of a known or unknown (‘zero day’) vulnerability. They are used to steal data from the target organization, then secret it out to systems controlled by the attackers. Organizations have a difficult time investigating such losses because the malware disappears whenever the infected system is rebooted, leaving behind few traces.

The AVT malware that has been discovered doesn’t have a “name,” per se. And it doesn’t show the same kinds of familial resemblance as other kinds of malicious software. “They are all one-of-a-kind,” Prisco said. “These aren’t things we’ve ever seen before.”

An update to Triumfant's endpoint protection software can detect AVT-style infections, the company said on Tuesday
An update to Triumfant’s endpoint protection software can detect AVT-style infections, the company said on Tuesday


However, the AVT threats share features that suggest a common origin. Spotting the attacks is almost impossible with a single victim. Rather, AVTs require organizations to profile active processes that are running in memory in real-time across hundreds or thousands of endpoints. And that can be difficult without a solid baseline understanding of how each process operates under normal conditions, and what might be considered abnormal. Triumfant’s software now includes an AVT detection feature that can map activity such as what processes are running, what ports they use, which dynamic link libraries they load and the kinds of system calls they typically use. That way, abnormal activity can be spotted and used to issue an alert.

He said the in-memory attacks, though fleeting, can be just as damaging as malicious software that establishes a permanent foothold on network-attached systems. And , while AVT-style attacks are still the exception, rather than the rule, Prisco said they may be more common than is reported. “You see reports out there about attacks that weren’t discovered for over 200 days in an enterprise. But if the threat goes away every day and then comes back, you may never discover it,” he said.