Fileless Malware Turns Built-in Windows Applications Against You
Adversaries are highly aware of new defensive methods organizations have established. They are constantly developing new techniques and are performing sophisticated attacks by evading this security. Innovative approaches adopted by attackers have more potential impact than traditional malware attacks. Fileless malware carries out malicious activities without the need to download and install files onto hard drives and is instead memory-based. It makes use of built-in Microsoft tools and applications to launch an attack. Such cyberattacks have become a revenue-building model. These attacks cause an abundance of damage to organizations regardless of their size.
The undetectable nature of fileless malware
The challenging fact about this malware is that it doesn’t leave behind any trace, making it undetectable. It operates by residing and executing inside a computer’s primary memory (RAM) and can turn several components of Windows applications against its host. Threat actors prefer using it to gain administrative access to systems, allowing them to leverage pre-existing utilities like Windows Management Instrumentation (WMI) such as in the Shade Exploit Kit attacks, or Windows PowerShell such as Cobalt Kitty, TrickBot and Ryuk attacks. Malware detection software fails to detect fileless malware as they cannot find any file associated with it. It doesn’t need to download and/or install onto your system or make any changes in your registry.
Other experts sum up the difference between Malware-free and File-less attacks nicely saying “Malware-free and fileless attacks are two different concepts I would be hesitant to conflate,” they explain. “Malware-free implies the absence of any sort of malicious code, whereas fileless attacks do employ malicious code, but do so only in computer memory never writing itself as a file to the local hard drive.”
The newest filesless malware: PRIVATELOG
Researchers have recently found a new malware named PRIVATELOG and its installer named STASHLOG residing in on a system’s memory. It has an unusual and stealthy approach to deceive threat detection tools. This fileless attack technique doesn’t write directly on the disc but uses storage containers in Windows like the Windows registry. These storage containers can be obtained using different Windows APIs. This method makes it easy for the attacker but is a real pain for the defender to analyze as the containers use undocumented structures. Attackers generally prefer to store the fileless malware in Windows Registry, Common Information Model (CIM) repository, and Windows Management Instrumentation (WMI).
PRIVATELOG and STASHLOG use log containers called Common Log File System (CLFS) to store the second stage payloads in the Windows Registry transaction files. CLFS is a logging framework that renders applications with application programming interface (API) capabilities. This file format is rarely used and is least documented, and therefore no tools are available to parse the CLFS log files. Attackers consider this an opportunity to conveniently stash their data as log records because they are accessible through API. It is similar to the malware that relies on the Windows Registry or the NTFS Attributes to hide their data. Furthermore, it also provides the attackers with places to save and recover the binary data with the Windows API.
PRIVATELOG and STASHLOG utilize obfuscated strings like the other malware, but their technique is highly uncommon, which depends on XOR’ing every byte using hard-coded byte inline without loops. Every string is successfully encrypted with a novel stream.
Categorizing fileless malware
The attackers use an abundance of fileless malware, but we can categorize them in the following way to understand in a better way:
- Injecting Memory Code – The fileless malware utilizes the system’s primary memory and affects the critical processes running on the Windows OS. Duqu worm is a memory resident malware that allows the attackers to install a backdoor. Its advanced versions can also provide lateral movement and data exfiltration.
- Registry Manipulation – This malware targets the system registry with the help of malicious files and links by altering and executing codes in the registry. Traditionally, the windows systems were affected through droppers that downloaded malicious files that would remain active and detectable in the victim machine. The fileless malware uses similar droppers, but instead of downloading malicious files, it writes a code in the registry. Poweliks is the oldest variant of such attacks that modifies registry keys.
- Script-based Infection – They are challenging to detect and are semi-fileless. The hacker uses his credentials to make modifications and constantly evolves them. The SamSam ransomware is one such fileless malware. The ransomware attackers are cleverly using fileless techniques to install the malicious code in documents using native scripting languages like macros or any other malicious code straight into memory with the help of an exploit.
The Threat is Real
Security Reports reveal that fileless attacks have become so frequent since 2019 that they had increased by 888% in 2020. The attackers are succeeding at these attacks by evading traditional endpoint detection methods implemented by clients without luring victims into doing anything other than clicking malicious links or visiting genuine websites that are compromised. Threat actors have averted detection by using malicious toolkits like Cobalt Strike and PowerSploit to inject malware codes into the running processes, which keeps it operational even if the original script gets exposed and eliminated.
Systems affected by this malware can generally be rebooted to clear the RAM and registry, but it’s also not practical to repeatedly reboot every system in an enterprise just to ensure that one system on the network isn’t affected by fileless malware. As the fileless attacks exploit genuine scripting languages like PowerShell, they go undetected by highly used signature-based methods, whitelisting, and sandboxing. Sometimes even specific machine learning methods fail to identify or analyze these fileless malwares. Detecting fileless malware involves using a holistic approach. Organizations can prevent fileless malware by rigorously monitoring the network trends and keeping an eye on applications likely to get infected. Although difficult, collecting logs from all resources on an enterprise, parsing those logs, and looking for recent abnormal changes to a systems registry might help.
The threat of fileless malware attacks is real and should be taken seriously. Organizations should frequently do patching to mitigate possible unknown vulnerabilities and manage phishing risks by installing cutting-edge technologies, educating the employee, and systematically monitoring systems for malicious activity. CISOs and network defenders could consider that even if a bad actor gets their file-less malware onto a system, they must establish a communication path between them and victim. Technology exists (learn about Shield) that can monitor every real-time connection and path and determine its risk factor.
Dave Gast (CEH/SEC+/ITIL 4/PMP) is an INTRUSION Sr. Threat Researcher & Info/Cyber Security Subject Matter Expert with a 26 year active duty military career and 10 year government contracting consulting role including extensive cyber intelligence and threat analysis.
Ready to get protected?
INTRUSION Shield is affordable for every business, large or small. We price per seat, per month – with no annual contract and no hardware to buy.