Exetools forum (https://forum.exetools.com/index.php) > General Discussion (https://forum.exetools.com/forumdisplay.php?f=2) > fileless malware (https://forum.exetools.com/showthread.php?t=18130)

Shub-Nigurrath 02-18-2017 00:17

fileless malware
 
Hi all
Fileless malware is on the rise (see the latest Duqu), because thanks to some PowerShell tricks anyone can write it easily. The learning curve for a fileless malware is now extremely low.
In the past you had to, at least, implement a DLL-in-memory loader (I wrote a tutorial about this a few years ago; you can find it around as "Loading_a_DLL_from_memory_Shub-Nigurrath_v12.rar").

Duqu rise: https://www.schneier.com/blog/archives/2017/02/duqu_malware_te.html

Some frameworks to create similar payloads ...

https://github.com/Genetic-Malware/Ebowla is a framework for making environmentally keyed payloads with reflective DLLs, shellcode, PowerShell...
https://github.com/byt3bl33d3r/CrackMapExec is an OpSec-safe tool for pentesting Windows/Active Directory environments...
https://github.com/n1nj4sec/pupy is a RAT written in Python, hence cross-platform, with a very low footprint.
https://github.com/EmpireProject is simply a PowerShell post-exploitation agent.

Shub

H4vC 02-18-2017 09:35

How do you solve persistence in fileless malware, though?
If you rely on some non-public exploits, ideally you want to run them the least amount of times possible, to give reverse engineers the smallest feasible window into your exploits.
IIRC Duqu infected high-uptime devices (servers / firewalls etc.) to reinfect the main target, and while with the advent of IoT devices there are more and more of those to bounce your infection vector off of, I still think that the persistent threat that standard malware offers is more suited for the non-corporate target, where you can't rely on the foothold that high-uptime devices give you.

deroko 02-19-2017 04:03

Actually, if I remember correctly, a few years back some guys found a bug in a Windows driver and managed to store the whole exploit/shellcode in a wrongly parsed registry key (which the driver parsed during boot). This could count as fileless persistent code :)

I don't remember who did it, or what the article or PoC was named. It was a long time ago; if somebody remembers, it would be awesome to post a link :)

gigaman 02-19-2017 17:25

Persistence in the registry is quite common, e.g. in one of the auto-run entries which respawn the code after reboot (via a common system module and some JavaScript code which itself is only in the registry).
(Now, since the registry hive is also on disk, you could argue that it's not real fileless malware, but that's just terminology :-))

H4vC 02-19-2017 17:35

Yes, but then you lose the point of AVT (as all the fancy people in the industry call it) in the first place: you don't want to leave a footprint on disk, to make forensics harder.

deroko 02-19-2017 18:24

The Slammer worm comes to my mind; they didn't call it AVT back then, but I suppose, as you mentioned, you need fancy names nowadays :D

H4vC 02-20-2017 08:23

AFAIK Metasploit has been doing exploit-to-in-memory-agent for a while. It's an interesting subject; I really think its main value of residing only in memory is the fact that you can stay undetected if your exfiltration methods are good enough (malformed DNS queries to a server you own with a short domain name: 255 octets minus your domain name + request type, for example).
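A defender-side counterpart to the DNS channel H4vC describes above. The script below is an added example and not code from this thread: it scores DNS query names from a constructed log for the traits such a channel leaves behind (names approaching the 255-octet limit RFC 1035 puts on a wire-format name, overlong or purely hex labels, high-entropy subdomains) and sums how many encoded characters each registered domain received. The sample log, the thresholds, and the "last two labels are the registered domain" split are assumptions made for illustration; a real deployment would use a public-suffix list and tune the thresholds against its own baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed 60-character hex label (within the 63-octet label limit); not real data.
HEX60 = "00112233445566778899aabbccddeeff00112233445566778899aabbccdd"

# Constructed sample DNS query log as (client, qname, qtype). The two TXT queries
# are the kind of hex-encoded subdomains an exfiltration channel produces.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.9", "cdn.assets.example.org", "A"),
    ("10.0.0.7", "4a6f686e2c2073616c617279203132303030.a1b2c3.exfil-example.net", "TXT"),
    ("10.0.0.7", HEX60 + "." + HEX60 + ".exfil-example.net", "TXT"),
]

# A label of 16+ hex characters is rarely a human-chosen hostname (assumed threshold).
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(text):
    """Bits per character; random hex tends towards 4.0, English-like names sit well below 3."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, suffix_labels=2):
    """Split a query name into (subdomain labels, registered domain).

    Assumes the registered domain is the last two labels; use a public-suffix
    list for anything beyond a demo.
    """
    labels = qname.rstrip(".").split(".")
    return labels[:-suffix_labels], ".".join(labels[-suffix_labels:])


def query_indicators(qname):
    """Return the list of traits that make this name look like a data carrier."""
    sub_labels, _ = split_name(qname)
    payload = "".join(sub_labels)  # the part the querier controls freely
    reasons = []
    if len(qname) > 100:                       # long for a real hostname (assumed threshold)
        reasons.append("long-name")
    if any(len(label) > 30 for label in sub_labels):
        reasons.append("long-label")
    if any(HEX_LABEL.match(label) for label in sub_labels):
        reasons.append("hex-label")
    if len(payload) >= 20 and shannon_entropy(payload) > 3.0:
        reasons.append("high-entropy")
    return reasons


def find_suspicious(queries, min_reasons=2):
    """Keep queries that trip at least min_reasons indicators (reduces single-signal noise)."""
    hits = []
    for client, qname, qtype in queries:
        reasons = query_indicators(qname)
        if len(reasons) >= min_reasons:
            hits.append((client, qname, qtype, reasons))
    return hits


def chars_per_domain(hits):
    """Upper bound on encoded characters carried to each registered domain."""
    totals = defaultdict(int)
    for _, qname, _, _ in hits:
        sub_labels, domain = split_name(qname)
        totals[domain] += len("".join(sub_labels))
    return dict(totals)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_QUERIES)
    for client, qname, qtype, reasons in flagged:
        print(f"{client} {qtype:4} {qname[:50]}... {reasons}")
    print("encoded chars per domain:", chars_per_domain(flagged))
```

Requiring two independent indicators keeps ordinary long CDN hostnames out of the alert list, while the per-domain total is what turns a handful of odd queries into evidence of an actual transfer.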

Shub-Nigurrath 02-20-2017 17:42

Hi,
the monetization of attacks is nowadays a matter of a few minutes. Usually highly targeted phishing campaigns last for 20 minutes or even less. This time window is, in most of the cases, enough to collect a first round of victims (usually quite high, around 15%) that can be used to prepare a second, even more targeted round.

This is the way enterprises are hit by highly targeted attacks, and fileless malware is perfect for these situations:
1. a phishing mail (built using the correct mix of social engineering and memetics, to be *really* effective)
2. the mail points to a fake web site (or a trampoline through defaced hosts) that runs on a fast-flux IP for very few minutes
3. the page fingerprints the browser and delivers an ad-hoc fileless malware (crafted in real time by a malware forgery) that contains a payload encrypted well enough (usually two custom encryptions are enough) to use not an original development but even a Metasploit engine.
4. the payload is decrypted in a fileless system, bang, done. You can use anything ranging from droppers, Metasploit, AutoIt, ...

Persistence is not an issue anymore in several situations. BTW, the only reason for speaking of fileless malware today is that the knowledge level required to write one has decreased with the adoption of PowerShell and the development of some frameworks (see my first post). Less cumbersome to write, more samples spreading around.

The perfect solution for today's attacks; this is the essence of what the reports say ... ;-)

foosaa 02-20-2017 19:17

In fact there are multiple methods to make the file portion persist across reboots. Some of the ways tried for PoCs were:
- writing beyond the partition boundaries
- writing in between the partition spaces
and they do not get scanned by any of the file system scanners; but nevertheless there needs to be a driver which will load portions of the malware from the unreadable locations, and it needs to exist on the normal file system. With the advancement of the fileless method, and combining it with the older, known rootkit techniques, it is still possible to create malware that can persist yet stay undetectable.

klvgen 02-23-2017 07:21

Quote:

Originally Posted by deroko (Post 108508)
Actually, if I remember correctly, a few years back some guys found a bug in a Windows driver and managed to store the whole exploit/shellcode in a wrongly parsed registry key (which the driver parsed during boot). This could count as fileless persistent code :)

I don't remember who did it, or what the article or PoC was named. It was a long time ago; if somebody remembers, it would be awesome to post a link :)

The most famous fileless persistence was done by Poweliks, then by Kovter, and then by malware named Phase.

Poweliks: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377

Kovter: https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update

Phase: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3628
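gigaman's post and klvgen's reply above both describe the same persistence pattern: a Run-key value that launches a built-in system binary with a script payload that lives only in the registry. Below is an added example, not code from this thread or from the write-ups linked above, of how a defender can audit Run/RunOnce values for the usual tells of that pattern: rundll32 or mshta started with an inline javascript:/vbscript: URL, hidden or encoded PowerShell, scriptlet-loading regsvr32, plain script hosts, and value names containing control characters that Win32-API-based registry tools cannot display properly. The sample entries are constructed and deliberately truncated; the indicator list and the 512-byte size threshold are assumptions, and the live-read helper only returns data on Windows via the standard winreg module.

```python
import re

RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed sample of autorun entries as (hive\key, value name, data). Not a real
# export; the script-bearing values are truncated with "..." and do nothing.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    # Value name starts with a NUL byte, so regedit-style tools show it incorrectly.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\x00updater",
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval(...)'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Sync",
     r'mshta.exe "javascript:x=new ActiveXObject(\"WScript.Shell\");..."'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Helper",
     r"powershell.exe -w hidden -nop -enc QQBBAEEAQQA...(placeholder)"),
]

# (tag, regex over the value data). Assumed indicator list for this example.
INDICATORS = [
    ("rundll32-javascript", re.compile(r"\brundll32(\.exe)?\b.*javascript:", re.I)),
    ("mshta-inline-script", re.compile(r"\bmshta(\.exe)?\b.*\b(javascript|vbscript):", re.I)),
    ("powershell-hidden-or-encoded",
     re.compile(r"\bpowershell(\.exe)?\b.*(-enc\w*\b|-w(indowstyle)?\s+hidden|-nop\b)", re.I)),
    ("script-host", re.compile(r"\b[wc]script\.exe\b", re.I)),
    ("regsvr32-scriptlet", re.compile(r"\bregsvr32(\.exe)?\b.*/i:", re.I)),
]

MAX_SANE_VALUE_LEN = 512  # assumed: a normal Run value is a path plus a few switches


def audit(entries):
    """Return (key, value name, [tags]) for every entry that trips at least one indicator."""
    findings = []
    for key, name, data in entries:
        tags = [tag for tag, rx in INDICATORS if rx.search(data)]
        if any(not ch.isprintable() for ch in name):
            tags.append("unprintable-value-name")
        if len(data) > MAX_SANE_VALUE_LEN:
            tags.append("oversized-value")  # inline payload stored in the value itself
        if tags:
            findings.append((key, name, tags))
    return findings


def read_live_autoruns():
    """Enumerate Run/RunOnce values on a live Windows host; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        for subkey in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    entries.append((hive_name + "\\" + subkey, name, str(data)))
                    index += 1
    return entries


if __name__ == "__main__":
    entries = read_live_autoruns() or SAMPLE_AUTORUNS
    for key, name, tags in audit(entries):
        print(f"{key}\\{name!r}: {', '.join(tags)}")
```

The point of the non-printable-name check is that a value the usual tools cannot render is easy to overlook in a manual review; scripting the enumeration sidesteps that. Any hit should be confirmed against the parent process tree and the full value data before being treated as an infection.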


All times are GMT +8.