Detecting fileless malware

Attackers are determined to use increasingly sophisticated methods to bypass protective equipment. The use of fileless malware increases the visibility and effectiveness of the attack. Last year, fileless methods were used in two large-scale ransomware campaigns.

Fileless attacks are based on a simple idea: if the device already has the means to perform an intruder’s tasks (e.g., PowerShell.exe or wmic.exe), why place special programs on it that can be recognized as malicious?

If an intruder can intercept the process control, run his code in the memory space of such a process and use it to call the means already available on the device, it will be harder to detect the attack.

Successfully implementing this approach using local resources is a complex task. Among other things, cybercriminals need to solve the problem of persistence.

When the power is turned off, the information is not stored in memory, and if the files are not written to the disk, the attackers face the question: how to ensure that their code is autoruned and that they retain control over the compromised system after rebooting?

Misfox: Fileless threat to networks

In April 2016, a client contacted the Microsoft Incident Response Team about cyber ransom. The attackers demanded a significant amount of money from the client for not publishing confidential corporate information stolen from compromised client computers. In doing so, they threatened to “crush” their network if the client contacted law enforcement. The situation was complex.

The Microsoft Incident Response Team examined computers on the network, identified targeted implants and analyzed the degree of compromise. The client used a well-known third-party antivirus product that was installed on most computers. Despite the update with the latest versions of signatures, the antivirus did not detect any of the target implants.

Microsoft researchers also found out that the attackers tried to encrypt the files twice using a ransomware. Fortunately, these attempts failed. As it turned out, the threat to destroy the network was a “plan B” to make a profit from the attack in case “plan A” failed.

Moreover, the researchers also discovered that the attackers had been surreptititiously present on the network for at least seven months, using two different channels.

  • The first of these channels included a backdoor called Swrort.A, which was deployed on several computers. This backdoor was easily detected by the antivirus.
  • The second channel was much more sophisticated and interesting:
  • It did not infect the files on the device.
  • It did not leave any artifacts on the disk.
  • It couldn’t be detected using the usual methods of checking files.

The second tool was a fileless malware called Misfox. When running in memory, Misfox did the following:

  • Created a registry section that ran a single-line PowerShell command.
  • Running a disguised PowerShell script saved in the BLOB Object Registry. This disguised PowerShell script contained a portable executable file (PE) loader that downloaded a PE file from the registry encoded using the Base64 algorithm.

Misfox did not place executable files on the computer, but the script recorded in the registry ensured that the malware was safe.

Fileless methods

Misfox is an example of how fileless components can be built into a sequence of cyberattack steps. Attackers use a variety of fileless methods that make it difficult to detect malicious implants. Among them:

Reflexive implementation of DLLs

Reflexive implementation of DLLs allows DLLs to be loaded into the process memory without saving them on the local disk. A malicious DLL can be located on a remote computer controlled by an intruder and delivered via a compromised network channel (e.g. TLS).

It can also be implemented in a disguised form, for example through macros and scripts. As a result, attackers manage to bypass the means of monitoring and tracking the load of executable modules in the operating system.

Exploits in memory

Attackers use fileless exploits in memory to remotely run random code on infected computers. For example, the UIWIX threat uses the EternalBlue exploit, which has been used in Petya and WannaCry.

It has been observed to install the DoublePulsar backdoor, which fits completely into the kernel memory (SMB sending table). Unlike Petya and Wannacry, UIWIX does not place files on disk.

Scenario-based methods

Scripting languages offer effective means of delivering the payload that is fully executed in memory. Script files can embed encrypted shellcodes or binary objects that can be decrypted without writing to disk during execution through the objects.

NET or directly via API. The scripts themselves can be hidden in the registry (as in the case of Misfox). They can be read from network threads or launched manually by an attacker from the command line without accessing the disk.

Saving in WMI

In a number of observed cases, attackers used the Windows Management Tools (WMI) repository to save malicious scripts, which were then periodically called via WMI bindings. Detailed examples of the use of such techniques are given in this article [PDF].