Facebook Tracking
March 24, 2019

The Evolution Of Malware Fileless Exploits

Category: Blog

But much like in the evolution of species, where animals adapt to outwit their predators, bad actors have evolved their techniques so that they leave no trace for the hunter to follow.

Fileless exploits are carried out by malware that operates without placing malicious executables on the file system.

I may be showing my age as I recall the days when malware was primarily spread by depositing infected files on a computer system. This spawned the antivirus software industry, whose basic technique was to scan your disks and sniff around your system for files containing signatures identifying them as malicious entities. Analogous to our living world, antivirus software became the predators hunting down malware like prey before they could cause lasting damage to our systems, our networks, our companies, and even our countries.  

But much like in the evolution of species, where animals adapt to outwit their predators, bad actors have evolved their techniques so that they leave no trace for the hunter to follow.

Fileless exploits are carried out by malware that operates without placing malicious executables on the file system.

Tools that are built into the operating system like Powershell and WMI (Windows Management Instrumentation) are hijacked by attackers and turned against the system. The fact that these are critical legitimate programs makes them highly undetectable by traditional malware detection engines, and they require careful monitoring and analysis to hone in on their activities. 

A quick search in Google Trends shows that "fileless malware" entered into our lexicon in early 2017, and it is definitely here to stay. While its popularity is recent, as a technique it has been around for a long time.

In the early 2000s, the Code Red worm exploited a buffer-overflow vulnerability in Microsoft IIS web servers, spreading to around 360,000 computers in just 14 hours. The initial Code Red​ exploit did not persist through a reboot of the system. However, subsequent incarnations found ways to install remote, root-level access to the infected machines. Over the last two decades, bad actors have become much more sophisticated. Two of the recent major ransomware outbreaks (Petya and WannaCry) used fileless techniques as part of their kill chains, and it is clear that, as a malware technique, fileless exploits are getting a lot of attention these days. 

There are a few different fileless exploit techniques and they can be categorized as follows:

Memory exploits

A common strategy for fileless exploits is to find a vulnerability in a system service and exploit it to deposit code into a running process. The Eternal Blue Exploit, variants of which were used by both Petya and Wanna Cry, takes advantage of a vulnerability in Windows SMBv1 (Server Message Block) file sharing protocol. The bug results in the mishandling of specially crafted packets from an attacker, allowing them to deposit code into memory and then execute this code on the target. Despite the fact that Microsoft has released patches for this vulnerability, there are still millions of systems out there that are unpatched, leading to hundreds of millions of dollars in damages. AttackIQ’s platform allows you to run this attack in a safe manner on your Windows systems using the following scenario: Lateral Movement through Execution

Reflective DLL injection

Another way to execute code placed in memory is by linking it to a running process. DLL (Dynamically Linked Library) is a mechanism to share a library across multiple processes at run time. Used maliciously, it provides attackers the ability to run their code in the context of another legitimate running process. The malicious DLL can be downloaded into memory from a remote attacker-controlled machine and dynamically linked to a bonafide process. This evades any monitoring program that may be keeping track of the loading of executable modules on your system. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha. If you are curious to see if your security controls can detect this exploit, you can run a safe attack using the “Execute Mimikatz by reflectively loading DLL in PowerShell” scenario from AttackIQ.

Persistence techniques

Writing code into memory and executing it is half the battle, but for long-lasting impact, the attackers need malware to persist after a reboot of the system. They accomplish this by hooking into system management tools and utilities so that they can be regularly invoked and used to hide from the watchful eyes of security monitoring tools. Windows systems have WMI (Windows Management Instrumentation) built into the OS to allow administrators to manage the system, both remotely and locally. WMI provides the ability to install event filters that execute code when a particular event occurs. Bad actors use this capability to subscribe to an event and execute malicious code when that event occurs, providing persistence after a reboot. You can find more details about WMI and how it can be used for persistence in the Black Hat paper “Abusing WMI to build Persistent, Asynchronous, and Fileless Backdoor.” Better still, you can experiment with your system to evaluate if you can subscribe to WMI events and execute scripts through AttackIQ's “Execute WMI Command” scenario. 

Script Based techniques

If you are a purist, you are probably thinking that scripts reside in files; does this technique really belong here? However, these scripts can be embedded in benign files like Word documents, further obfuscating them to keep them hidden from traditional malware detection agents. Last year, security researchers from Proofpoint uncovered a weaponized document building service to create malicious Microsoft Office Documents. They called it LCG kit, as it uses polymorphic shellcode and a Linear Congruential Generator to encrypt the final stage of the code and its location. This kit seems to be popular among many different cybercriminal groups in email campaigns involving thousands of malicious email messages. You can check out if your system is able to download one of these infected documents in a safe manner using the LCG Kit scenario from AttackIQ. 

That’s all for this week and to all my fellow cyber predators out there, Happy Hunting!
Vinod Peris, Vice President of Engineering, AttackIQ


Tags: cyber , security instrumentation platform , environmental drift , chain , security instrumentation , advanced-modules-operationalizing-sip , environmental-drift-detection , validation , sip , team resources blog , security-tool , critical business function , continuously validate effectiveness , protect shareholder value , correctly handling events , security , 2019 cybersecurity predictions , controls effectiveness optimize , dell resets user passwords , rationalize , business platform , supply , newsroom events partners join , exploits , fileless , cyber risk , latest blog post

About the Author

Vinod Peris
VP of Engineering, AttackIQ