Kinaro's blog of things

Fileless malware

July 10, 2019

[Image: computer RAM]

Fileless malware is not entirely new, but it has seen a resurgence, with more advanced techniques. Some examples are described below.

Traditional malware often relies on files written to disk in order to run and carry out all sorts of shady activities on a target computer. With fileless malware, everything resides in RAM and nothing is ever written to disk; it only runs for as long as the computer stays powered on. Fileless malware is crafted using PowerShell or JavaScript, and it leverages trusted operating system tools such as Windows Management Instrumentation (WMI) and PowerShell to perform its malicious activities. Because it uses built-in tools, signature-based detection fails: the executables involved are trusted system software.

With this technique, a malicious actor can operate undetected for a long time. The OceanLotus group carried out Operation Cobalt Kitty for up to a year undetected by abusing system tools. Another notable example is Astaroth, a fileless trojan that has used an Avast! AV process to run its malicious code without necessarily performing any DLL hijacking.

System tools are not the only option. In 2017, the DNSMessenger malware used DNS requests to deliver its payload through TXT records. A TXT record lets a DNS server attach arbitrary text to a host or other name, so the commands could be fetched through ordinary-looking DNS lookups and were then executed using PowerShell. Bypassing the PowerShell execution policy is a trivial affair, even for a script kiddie. This enables an attacker to download payloads and either execute them or inject malicious code into legitimate processes.

Conventional antivirus tools use combinations of the following methods to detect malware:

  • Signature detection
  • Heuristics
  • Behavioral analysis
  • Sandbox analysis

Without a file saved to disk, conventional antivirus tools fail, because all of the above methods rely on one form of comparison or another. The malware can then perform a wide variety of tasks on a system:

  • Logging keystrokes
  • Stealing user credentials
  • Taking screenshots
  • Privilege escalation
  • Lateral movement across a network

Mitigating fileless attacks

  • Educating staff - This is probably the best place to start, since fileless malware relies on social engineering or on exploiting system vulnerabilities.
  • Monitoring network traffic - Network traffic originating from unknown or untrusted domains can be an indicator of compromise.
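The network-monitoring mitigation above, applied to the DNS TXT channel that DNSMessenger used: an added Python example (not the post's code) that scans a constructed DNS query log for untrusted zones receiving repeated TXT lookups with unusually large answers. The log format, the trusted-zone allowlist and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the original post). Assumed
# format per line: "<timestamp> <client_ip> <qtype> <qname> <answer_bytes>".
SAMPLE_LOG = """\
2019-07-10T09:00:01 10.0.0.5 A www.example.com 4
2019-07-10T09:00:02 10.0.0.5 TXT _dmarc.example.com 60
2019-07-10T09:00:05 10.0.0.7 TXT a3f9c1.cmd.bad-domain.test 220
2019-07-10T09:00:06 10.0.0.7 TXT 7b2e44.cmd.bad-domain.test 215
2019-07-10T09:00:07 10.0.0.7 TXT 91ac0d.cmd.bad-domain.test 230
2019-07-10T09:00:08 10.0.0.7 TXT c4e8f2.cmd.bad-domain.test 240
"""

# Assumed allowlist: zones whose TXT lookups are expected (SPF/DMARC checks
# against known mail domains are normal and must not trip the detector).
TRUSTED_ZONES = {"example.com"}

def shannon_entropy(label):
    """Bits per character of a DNS label; encoded data scores higher than words."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def find_suspicious_txt(log_text, min_queries=3, min_answer_bytes=200):
    """Flag untrusted zones that look like a DNSMessenger-style channel: repeated
    TXT lookups returning unusually large answers, plus leftmost-label entropy."""
    per_zone = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "TXT":
            continue
        client, qname, answer_bytes = fields[1], fields[3], int(fields[4])
        zone = ".".join(qname.rstrip(".").split(".")[-2:])  # crude registered domain
        if zone not in TRUSTED_ZONES:
            per_zone[zone].append((client, qname, answer_bytes))
    findings = {}
    for zone, queries in per_zone.items():
        large = sum(1 for _, _, size in queries if size >= min_answer_bytes)
        if len(queries) >= min_queries and large >= min_queries:
            findings[zone] = {
                "queries": len(queries), "large_answers": large,
                "max_label_entropy": round(max(shannon_entropy(q.split(".")[0]) for _, q, _ in queries), 2),
                "clients": sorted({c for c, _, _ in queries}),
            }
    return findings
```

On the sample log the trusted `_dmarc.example.com` lookup is ignored and only `bad-domain.test` is reported, with the single client that queried it.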

Felix Kinaro
