Home » Articles » Fileless Malware – Rising Trend in Malware Industry
Click Here To Hide Tor

Fileless Malware – Rising Trend in Malware Industry

Fileless malware is becoming more popular in blackhat activities. What was first seen in some sophisticated targeted attacks is now becoming a standard partially due to the Vault 7 leak that revealed CIA’s modus operandi.

There seems to be confusion about the definition of fileless malware so news sites will often say malware is fileless while it’s definitely not fileless. Typically, they are talking about core backdoor sitting on compromised machine which downloads encrypted payload while in memory.

In this article we will look at truly fileless malware that requires no files to survive a reboot. The sample I chose was first analyzed by TrendMicro. The team behind the campaign has put a lot of effort in order to stay under the anti-virus and analyst’s radar.

Method of compromising is unknown because the malware erases all system logs. I suspect that it used some remote code execution vulnerability to create following registry key:

This is ALL that malware (remote administrator tool) needs to persist on compromised computer. This registry key will download and execute JavaScript program dubbed JS_POWMET.

Regsvr32 is Windows command-line utility for registering and unregistering (/u) DLLs

/s = silent option for regsvr32

/n = tells regsvr32 not to use DllRegisterServer

/u = unregister server/object

/i = used for passing an optional parameter (ie. URL) to DLLinstall

scrobj.dll = Microsoft’s Script Component Runtime (this resides on every Windows system)

On startup, scrobj.dll fetches malicious JavaScript from found on the URL and executes it without saving it to the filesystem. What a useful Windows built-in functionality! Some examples of XML files that can be used like this can be found on following github.

Anyway, this JavaScript code downloads and executes PowerShell script dubbed PS_INJECT which in turn downloads another file from “hxxps://bogerando[.]ru/favicon” which is actually encoded and encrypted DLL dubbed BKDR_ANDROM. Note that this DLL is downloaded to a buffer in memory and it never touches the disk. Following image shows how BKDR_ANDROM is decoded and decrypted in PS_INJECT. After that, PS_INJECT starts executing decrypted instructions in its own process, effectively owning the machine.

This way of operating is not only beneficial in terms of anti-virus evasion, but it also enables the attackers to change the payload at any time by simply altering the JavaScript code that resides on their server. If you followed my previous articles about Vault 7 leak, you probably noticed similarities in these techniques – most importantly, malicious code is downloaded encrypted and decrypted in memory. Malicious code is encrypted on the network and never even touches the disk. This is a big problem to anti-virus vendors, some of which are developing memory scanning functionalities, but I’m not optimistic about it. I’m looking forward to neural networks in anti-virus backstage, that will be very interesting.

Fileless malware often abuses Windows built-in functionalities such as Powershell and most people that get compromised don’t even use those functionalities. No matter what operating system you use, consider disabling services you don’t need.

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *