'Fileless' attack techniques have been used in the wild for years, yet their popularity appears to be increasing because traditional security mechanisms detect them so rarely. The term fileless is used to describe attacks that aim to stay in memory, make use of legitimate binaries, or avoid traditional persistence techniques.
Poweliks is an example of such malware. It appeared in early August 2014 as the first persistent and almost completely fileless malware, achieving this by running in memory and residing only in the Windows registry, without writing any files to disk. This technique proved effective at evading Anti-Virus detection, and it wasn't long before other malware such as Kovter (around since 2013) adopted it, escalating from click-fraud malware to a threat with Trojan capabilities. Because traditional Anti-Virus solutions detect such malware so rarely, infections have continued successfully, and the fileless approach is being increasingly adopted by attackers to improve stealth.
Are fileless attack techniques really stealthy?
Staying with Poweliks and Kovter as examples, there are various threat-hunting use-cases that can be used to detect such malware. A particular sample seen by Countercept exhibited the following high-level behavior:
1) The malware adds an entry under the following Windows registry path for persistence. It uses non-ASCII characters in the key's name in an attempt to hide the key from most tools, including Regedit, which are unable to read such names.
3) The malicious DLL is injected into the dllhost.exe process.
To read more about DLL Injection download the Countercept Memory Analysis whitepaper - https://countercept.com/our-thinking/memory-analysis-whitepaper/
By analyzing the individual processes, their parent/child relationships, their arguments and their in-memory behavior, several threat-hunting use-cases can be generated:
- RunDLL process launching Powershell process
- Powershell process launching DLLHost process
- RunDLL process referencing the Registry
- Powershell with Invoke Expression arguments
- Powershell with Environment Variable arguments
- DLLHost with evidence of a reflectively loaded DLL in-memory
Any one of these use-cases, together with further analysis techniques such as least-frequency analysis as a form of anomaly detection, has the potential to reduce your process data sets to a volume that human analysts can work through. This is evidence that the increasingly popular fileless techniques are not actually that stealthy. In addition, the fact that this technique relies on injecting into another process increases its chances of detection through memory analysis. In fact, we consider these techniques to often be easier to detect than hide-in-plain-sight approaches.
The data sets can be reduced even further by combining use-cases, or all of them if suitable. The more use-cases that are combined, the higher the accuracy of detection for the specific infection or variant. However, the art of threat hunting arguably lies in the ability to combine use-cases gathered from constant research and generation of hypotheses, and to feed them back into your threat-hunting model. This allows for detection of much more generic attack techniques as opposed to specific malware traits, letting you uncover compromises regardless of whether they have been seen before.
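The following is an added example, not code from the original post or from Countercept, showing how the six use-cases listed above can be expressed as checks over process-creation telemetry, how they are combined along a process's parent chain (the point made in the last paragraph), and how a simple least-frequency count over parent/child image pairs shrinks the data set. The process records, PIDs, command lines and the `injected_dll` flag are all constructed for the example; the `PLACEHOLDER` names stand in for registry paths and DLL names that a real sample would carry, and the reflective-DLL finding is assumed to come from a separate memory-analysis step.

```python
"""Threat-hunting use-cases for a Poweliks/Kovter-style process chain (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str           # image file name, lower-case
    cmdline: str
    injected_dll: bool = False   # assumed output of a memory-analysis check


# Constructed sample telemetry (hypothetical; not captured from a real host).
EVENTS = [
    ProcEvent(4, 0, "system", ""),
    ProcEvent(400, 4, "services.exe", "services.exe"),
    ProcEvent(900, 400, "svchost.exe", "svchost.exe -k rpcss"),
    ProcEvent(1000, 4, "explorer.exe", "explorer.exe"),
    # The suspicious chain: rundll32 -> powershell -> dllhost with an injected DLL.
    ProcEvent(1200, 1000, "rundll32.exe",
              r"rundll32.exe PLACEHOLDER.dll,Run HKCU\Software\PLACEHOLDER"),
    ProcEvent(1300, 1200, "powershell.exe",
              "powershell.exe -NoProfile -Command iex $env:PLACEHOLDER"),
    ProcEvent(1400, 1300, "dllhost.exe", "dllhost.exe", injected_dll=True),
    # Benign look-alikes that must not fire.
    ProcEvent(1500, 1000, "powershell.exe", "powershell.exe -File backup.ps1"),
    ProcEvent(1600, 900, "dllhost.exe", "dllhost.exe /Processid:{PLACEHOLDER}"),
]
# Ordinary background noise so the frequency analysis has a baseline.
EVENTS += [ProcEvent(2000 + i, 1000, "chrome.exe", "chrome.exe --type=renderer") for i in range(6)]
EVENTS += [ProcEvent(3000 + i, 400, "svchost.exe", "svchost.exe -k netsvcs") for i in range(6)]

REGISTRY_RE = re.compile(r"\b(HKLM|HKCU|HKEY_[A-Z_]+)\b|registry", re.I)
IEX_RE = re.compile(r"invoke-expression|\biex\b", re.I)
ENVVAR_RE = re.compile(r"\$env:\w+|%\w+%", re.I)


def evaluate(events):
    """Return {pid: set(use-case names)} for every process that matches at least one use-case."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(set)
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = parent.image if parent else ""
        if e.image == "powershell.exe" and pimg == "rundll32.exe":
            hits[e.pid].add("rundll_spawns_powershell")
        if e.image == "dllhost.exe" and pimg == "powershell.exe":
            hits[e.pid].add("powershell_spawns_dllhost")
        if e.image == "rundll32.exe" and REGISTRY_RE.search(e.cmdline):
            hits[e.pid].add("rundll_references_registry")
        if e.image == "powershell.exe" and IEX_RE.search(e.cmdline):
            hits[e.pid].add("powershell_invoke_expression")
        if e.image == "powershell.exe" and ENVVAR_RE.search(e.cmdline):
            hits[e.pid].add("powershell_env_var_args")
        if e.image == "dllhost.exe" and e.injected_dll:
            hits[e.pid].add("dllhost_reflective_dll")
    return dict(hits)


def chain_score(events, pid):
    """Combine use-cases along a process's ancestry: more distinct hits on the chain, higher confidence."""
    by_pid = {e.pid: e for e in events}
    hits = evaluate(events)
    combined, seen = set(), set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:   # visited set guards against PID-reuse cycles
        seen.add(cur.pid)
        combined |= hits.get(cur.pid, set())
        cur = by_pid.get(cur.ppid)
    return len(combined), combined


def rare_parent_child_pairs(events, max_count=1):
    """Least-frequency analysis: parent/child image pairs seen at most max_count times."""
    by_pid = {e.pid: e for e in events}
    pairs = Counter((by_pid[e.ppid].image, e.image) for e in events if e.ppid in by_pid)
    return sorted(pair for pair, n in pairs.items() if n <= max_count)


if __name__ == "__main__":
    for pid, names in sorted(evaluate(EVENTS).items()):
        print(pid, sorted(names))
    print("chain score for pid 1400:", chain_score(EVENTS, 1400))
    print("rare parent/child pairs:", rare_parent_child_pairs(EVENTS))
```

The individual checks are deliberately narrow (each corresponds to one bullet above), and the combination is done per ancestry chain rather than per event, so a dllhost.exe whose grandparent was rundll32.exe scores higher than one that merely has an injected module. The frequency count is a starting point only; on real telemetry it would be computed across many hosts and over time.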