EXETOOLS FORUM  

#1  02-18-2017, 00:17
Shub-Nigurrath (VIP)
fileless malware

Hi all,
Fileless malware is on the rise (see the latest Duqu), because thanks to some PowerShell tricks anyone can write it easily. The learning curve for fileless malware is now extremely low.
In the past you had to, at least, implement a DLL-in-memory loader (I wrote a tutorial about this a few years ago; you can find it around as "Loading_a_DLL_from_memory_Shub-Nigurrath_v12.rar").

Duqu rise: https://www.schneier.com/blog/archives/2017/02/duqu_malware_te.html

Some frameworks to create similar payloads ...

https://github.com/Genetic-Malware/Ebowla - it's a framework for making Environmental Keyed Payloads with reflective DLLs, shellcode, PowerShell...
https://github.com/byt3bl33d3r/CrackMapExec - it's an opsec-safe tool for pentesting Windows/Active Directory environments...
https://github.com/n1nj4sec/pupy - a RAT written in Python, hence cross-platform, with a very low footprint
https://github.com/EmpireProject - simply a PowerShell post-exploitation agent.

Shub
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
#2  02-18-2017, 09:35
H4vC (Friend)
How do you solve persistence in fileless malware, though?
If you rely on some non-public exploits, ideally you want to run them the least number of times possible, to give reverse engineers the smallest feasible window into your exploits.
IIRC Duqu infected high-uptime devices (servers, firewalls, etc.) to reinfect the main target, and while with the advent of IoT devices there are more and more of those to bounce your infection vector off of, I still think that the persistent threat that standard malware offers is more suited for the non-corporate target, where you can't rely on the foothold that high-uptime devices give you.

Last edited by H4vC; 02-18-2017 at 09:45.
#3  02-19-2017, 04:03
deroko (cr4zyserb)
Actually, if I remember correctly, a few years back some guys found a bug in a Windows driver and managed to store the whole exploit/shellcode in a wrongly parsed registry key (which the driver parsed during boot). This could count as fileless persistent code.

I don't remember who did it, or what the article or PoC was called. It was a long time ago; if somebody remembers, it would be awesome to post the link.
__________________
http://accessroot.com
#4  02-19-2017, 17:25
gigaman (Friend)
Persistence in the registry is quite common, e.g. in one of the auto-run entries which respawn the code after reboot (via a common system module and some JavaScript code which itself lives only in the registry).
(Now, since the registry hive is also on disk, you could argue that it's not real fileless malware, but that's just terminology :-))
#5  02-19-2017, 17:35
H4vC (Friend)
Yes, but then you lose the point of AVT (as all the fancy people in the industry call it) in the first place: you don't want to leave a footprint on disk, to make forensics harder.
#6  02-19-2017, 18:24
deroko (cr4zyserb)
The Slammer worm comes to mind; they didn't call it AVT back then, but I suppose, as you mentioned, you need fancy names nowadays.
#7  02-20-2017, 08:23
H4vC (Friend)
Afaik metasploit has been doing exploit-to-in-memory-agent for a while; it's an interesting subject. I really think its main value of residing only in memory is the fact that you can stay undetected if your exfiltration methods are good enough (malformed DNS queries to a server you own with a short domain name, 255 octets minus your domain name + request type, for example).
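The query-name exfiltration H4vC describes above leaves a recognisable shape in resolver logs, which is where a defender goes looking for it. The following is an added example, not code from the thread or from any tool named in it: it scores constructed BIND-style query log lines (the log lines, client addresses, domains and thresholds are all assumptions) on total name length, longest label and the entropy of the subdomain part, and counts distinct subdomains per client and registered domain, a number that a channel needing a fresh name for every message drives up quickly.

```python
import math
import re
from collections import defaultdict

# Constructed sample log (not real traffic): BIND-style query log lines.
# The three example.net queries carry hex-encoded strings in their labels,
# the typical shape of data smuggled out inside query names.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A
client 10.0.0.5#51235: query: mail.example.com IN MX
client 10.0.0.7#40500: query: cdn.static.example.org IN A
client 10.0.0.9#40001: query: 4a6f686e20536d6974682c20.53534e20313233.2d34352d3637.c2.example.net IN TXT
client 10.0.0.9#40002: query: 7061737377307264.3d68756e74657232.2d3030.c2.example.net IN TXT
client 10.0.0.9#40003: query: 616c6c20796f7572206261736520617265.c2.example.net IN A
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")

# Thresholds are assumptions for this example; tune them against your own resolver baseline.
MAX_NAME_LEN = 60        # names may reach 253 characters, but benign ones rarely get near that
MAX_LABEL_LEN = 32       # a single label may be up to 63 octets; long ones are unusual
MIN_SUB_LEN = 16         # only score entropy on subdomains long enough to be meaningful
ENTROPY_THRESHOLD = 3.0  # bits per character; hex/base32/base64 data usually scores above this


def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (subdomain, registered_domain); naive two-label split, no public-suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse_query(name):
    """Measure one query name and list the reasons it looks like a data channel (empty = benign shape)."""
    sub, domain = split_name(name)
    labels = name.rstrip(".").split(".")
    ent = shannon_entropy(sub)
    reasons = []
    if len(name) > MAX_NAME_LEN:
        reasons.append("long_name")
    if max(len(lab) for lab in labels) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if len(sub) >= MIN_SUB_LEN and ent > ENTROPY_THRESHOLD:
        reasons.append("high_entropy_subdomain")
    return {"name": name, "domain": domain, "length": len(name),
            "entropy": round(ent, 2), "reasons": reasons}


def scan_log(text):
    """Parse the log and return the flagged queries, each tagged with its client IP and query type."""
    flagged = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        result = analyse_query(m.group("name"))
        if result["reasons"]:
            result.update(client=m.group("ip"), qtype=m.group("qtype"))
            flagged.append(result)
    return flagged


def subdomain_fanout(text):
    """Distinct subdomains per (client, registered domain): one fresh name per message inflates this."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            sub, domain = split_name(m.group("name"))
            seen[(m.group("ip"), domain)].add(sub)
    return {key: len(subs) for key, subs in seen.items()}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["qtype"], hit["name"], hit["reasons"])
    for (client, domain), n in subdomain_fanout(SAMPLE_LOG).items():
        if n >= 3:
            print(f"{client} -> {domain}: {n} distinct subdomains")
```

The thresholds sit well below the 255-octet limit H4vC mentions because benign names almost never approach it, and the fan-out count catches the case where every single query stays short but the volume of never-repeated names gives the channel away. The two-label domain split is deliberately naive; a real deployment would use a public-suffix list so that names under co.uk and similar are grouped correctly.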
#8  02-20-2017, 17:42
Shub-Nigurrath (VIP)
Hi,
the monetization of attacks is nowadays a matter of a few minutes. Usually highly targeted phishing campaigns last for 20 minutes or even less. This time window is, in most cases, enough to collect a first round of victims (usually quite high, around 15%) that can be used to prepare a second, even more targeted round.

This is the way enterprises are hit by highly targeted attacks, and fileless malware is perfect for these situations:
1. a phishing mail (built using the correct mix of social engineering and memetics, to be *really* effective)
2. the mail points to a fake web site (or a trampoline through defaced hosts) that runs on a fast-flux IP for very few minutes
3. the page fingerprints the browser and delivers an ad-hoc fileless malware (crafted in real time by a malware forgery), which contains a payload encrypted well enough (usually two custom encryptions are enough) to use not an original development but even a metasploit engine.
4. the payload is decrypted in a fileless system, bang, done. You can use anything ranging from droppers, metasploits, AutoIt, ...

Persistence is not an issue anymore in several situations. Btw, the only reason for speaking of fileless malware today is that the knowledge level required to do one has been lowered by the adoption of PowerShell and by the development of some frameworks (see my first post). Less cumbersome to write, more samples spreading around.

The perfect solution for today's attacks; this is the essence of what the reports say ... ;-)

Last edited by Shub-Nigurrath; 02-20-2017 at 17:48.
#9  02-20-2017, 19:17
foosaa (Friend)
In fact there are multiple methods to make the file portion persist across reboots. Some of the ways tried for a PoC were:
- Writing beyond the partition boundaries
- Writing in between the partition spaces
and they do not get scanned by any of the file system scanners; nevertheless, there needs to be a driver which will load portions of the malware from the unreadable locations, and it needs to exist on the normal file system. With the advancement of the fileless method, combined with the older, known rootkit techniques, it is still possible to create malware that can persist yet remain undetectable.
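The two hiding spots foosaa lists are exactly the sectors that no partition claims, and a file-system scanner never reads them because no file system is there. As an added example (not foosaa's PoC, nor code from anyone in the thread), the script below parses a classic MBR partition table, lists the unallocated ranges a forensic examiner would carve or hash separately (the reserved track after the MBR, gaps between partitions, slack after the last one), and reports a table that is internally inconsistent. The disk layout is constructed; GPT disks would need the GPT header and entry array parsed instead, which this does not attempt.

```python
import struct

MBR_SIZE = 512
PT_OFFSET = 446          # the partition table occupies the last 66 bytes of the MBR
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)
SIGNATURE = b"\x55\xaa"


def build_sample_mbr(entries):
    """Build a minimal MBR from (type, lba_start, sector_count) tuples; constructed test data only."""
    mbr = bytearray(MBR_SIZE)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i,
                         0x80 if i == 0 else 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# Constructed disk: 320000 sectors, two NTFS-typed partitions with a gap between them
# and unclaimed slack after the second one.
SAMPLE_TOTAL_SECTORS = 320000
SAMPLE_MBR = build_sample_mbr([(0x07, 2048, 204800), (0x07, 208896, 100000)])


def parse_partitions(mbr):
    """Return the populated primary entries sorted by start LBA, each as a half-open [start, end) range."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"slot": i, "type": ptype, "bootable": status == 0x80,
                      "start": start, "end": start + count})
    return sorted(parts, key=lambda p: p["start"])


def find_unallocated(mbr, total_sectors, min_sectors=1):
    """Sector ranges no partition claims: reserved area after the MBR, inter-partition gaps, trailing slack."""
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for p in parse_partitions(mbr):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors))
    return [g for g in gaps if g[1] - g[0] >= min_sectors]


def sanity_issues(mbr, total_sectors):
    """Table inconsistencies worth a closer look: overlapping entries, or one that runs past the disk end."""
    issues, parts = [], parse_partitions(mbr)
    for a, b in zip(parts, parts[1:]):
        if b["start"] < a["end"]:
            issues.append(f"slots {a['slot']} and {b['slot']} overlap")
    for p in parts:
        if p["end"] > total_sectors:
            issues.append(f"slot {p['slot']} extends beyond disk end ({p['end']} > {total_sectors})")
    return issues


if __name__ == "__main__":
    for p in parse_partitions(SAMPLE_MBR):
        print(f"slot {p['slot']} type 0x{p['type']:02x} sectors [{p['start']}, {p['end']})")
    for start, end in find_unallocated(SAMPLE_MBR, SAMPLE_TOTAL_SECTORS):
        print(f"unallocated [{start}, {end}) = {(end - start) * 512} bytes")
    print(sanity_issues(SAMPLE_MBR, SAMPLE_TOTAL_SECTORS) or "partition table consistent")
```

On a real image you would read the first 512 bytes of the device into `parse_partitions` and take `total_sectors` from the device size; the returned ranges are what to hash at acquisition time and compare on the next acquisition, since unallocated space that changes between snapshots of a machine that has not been repartitioned is the signal foosaa's two techniques would produce.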
#10  02-23-2017, 07:21
klvgen (Friend)
Quote: Originally Posted by deroko
Actually, if I remember correctly, a few years back some guys found a bug in a Windows driver and managed to store the whole exploit/shellcode in a wrongly parsed registry key (which the driver parsed during boot). This could count as fileless persistent code.

I don't remember who did it, or what the article or PoC was called. It was a long time ago; if somebody remembers, it would be awesome to post the link.
The most famous fileless persistence was done by Poweliks, then by Kovter, and then by malware named Phase.

Poweliks: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377

Kovter: https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update

Phase: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3628
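gigaman's auto-run entry with the script living only in the registry, and the Poweliks/Kovter/Phase line klvgen names, all share the one artifact that has to be on disk for the machine to re-infect itself after a reboot: the Run value. Added example, not from the thread or from any of the linked analyses: it parses a constructed .reg-style export of a per-user Run key (the entries, paths and script placeholders are assumptions) and flags values that invoke a script host or proxy binary, carry an inline javascript:/vbscript: scheme, launch encoded PowerShell, are abnormally long, or have a value name containing non-printable characters, which keeps the entry from showing cleanly in casual inspection.

```python
import re

# Constructed sample (not a real export): a .reg-style dump of a per-user Run key.
# The OneDrive entry is the benign shape; the other three stand in for the
# script-in-registry pattern (a system binary or script host plus an inline script,
# or a script host pointed at a non-executable "data" file). Script bodies are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="rundll32.exe javascript:<constructed-script-placeholder>"
"Helper"="mshta vbscript:CreateObject(\"WScript.Shell\").Run(\"powershell -w hidden -enc <constructed-base64-placeholder>\",0)"
"Sync"="wscript.exe //e:jscript \"C:\\Users\\alice\\AppData\\Roaming\\sync.txt\""
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

# Detection rules: label plus pattern. The binaries listed are the usual script hosts
# and proxies; extend the list to match what your environment actually allows in autoruns.
RULES = [
    ("script_scheme", re.compile(r"\b(javascript|vbscript):", re.I)),
    ("proxy_or_script_host", re.compile(r"\b(mshta|wscript|cscript|rundll32)(\.exe)?\b", re.I)),
    ("encoded_powershell", re.compile(r"powershell(\.exe)?\b.*?\s-(e|ec|enc|encodedcommand)\b", re.I)),
]
MAX_VALUE_LEN = 512  # assumption: legitimate Run commands are short; inline scripts are not


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse .reg text into [{'key', 'name', 'value'}]; REG_SZ strings are unescaped, other data kept raw."""
    entries, key = [], None
    for line in text.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line.strip())
        if not vm or key is None:
            continue
        raw = vm.group(2)
        sm = STRING_RE.match(raw)
        value = _unescape(sm.group(1)) if sm else raw
        entries.append({"key": key, "name": _unescape(vm.group(1)), "value": value})
    return entries


def classify_value(name, value):
    """List the reasons an autorun value deserves a look (empty list = nothing odd about it)."""
    reasons = []
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        reasons.append("odd_value_name")  # control or non-ASCII characters in the name
    for label, pattern in RULES:
        if pattern.search(value):
            reasons.append(label)
    if len(value) > MAX_VALUE_LEN:
        reasons.append("long_value")
    return reasons


def audit_autoruns(text):
    """Map each flagged value name under a Run/RunOnce key to its list of reasons."""
    report = {}
    for entry in parse_reg_export(text):
        if not AUTORUN_KEY_RE.search(entry["key"]):
            continue
        reasons = classify_value(entry["name"], entry["value"])
        if reasons:
            report[entry["name"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_autoruns(SAMPLE_REG).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Feed it the output of a `reg export` of the Run and RunOnce keys under both HKCU and HKLM; the value-name check is the one most worth keeping even if the rule list is tuned down, because a name that regedit cannot display is not something a legitimate installer writes.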
All times are GMT +8.