Threat Hunting For Fileless Malware

What are 'fileless' attack techniques and how to hunt for them...

Posted on 11 April 2017

'Fileless' attack techniques have been used in the wild for years, yet due to the low detection rates of traditional security mechanisms their popularity appears to be increasing. The term fileless is used to describe attacks that aim to stay in memory, make use of legitimate binaries, or avoid traditional persistence techniques.


Poweliks is an example of such malware. It appeared in early August 2014 as the first persistent and almost completely fileless malware, achieving this by running in memory and residing only in the Windows registry, without writing any files to disk. This technique proved effective at evading Anti-Virus detection, and it wasn't long before other malware such as Kovter (around since 2013) adopted it, increasing the threat from click-fraud malware to having Trojan capabilities. Due to the low detection rates of traditional Anti-Virus solutions, infections by such malware have continued successfully, and the fileless approach is being increasingly adopted by attackers to improve stealth.


Are fileless attack techniques really stealthy?


Staying with Poweliks and Kovter as examples, there are various threat-hunting use-cases which can be used to detect such malware. A particular sample seen by Countercept exhibited the following high-level behavior:

[Image: Cuckoo sandbox process tree of the sample]

1) The malware adds an entry under the following Windows registry path for persistence. It uses non-ASCII characters in the key's name in an attempt to hide the key from most tools, including Regedit, which cannot read such names.


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

[Image: the persistence entry under the Run registry path]

2) The malware executes the encoded JavaScript from the registry via PowerShell which drops a malicious DLL.

[Image: the encoded JavaScript stored in the registry]

3) The malicious DLL is injected into a dllhost.exe process.

[Image: analytics output flagging a reflectively loaded DLL]

[Image: WinDbg showing the MZ header of the injected image in memory]

[Image: WinDbg showing the address of the injected image]

To read more about DLL injection, download the Countercept Memory Analysis whitepaper: https://countercept.com/our-thinking/memory-analysis-whitepaper/
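Step 1 above is a hunting opportunity on its own: a Run-key value whose name Regedit cannot display is still visible to tooling that reads the exported names as Unicode. The following Python script is an added example written for this post, not Countercept's code. It parses a Windows .reg export (a constructed sample is embedded, with a placeholder command line rather than a real payload), flags value names containing non-printable or non-ASCII characters, and also flags value data matching the command-line traits from the use-case list later on (rundll32 with script arguments, PowerShell with encoded or Invoke-Expression arguments, registry references). It checks the HKLM Run key as well as the HKCU key the sample used.

```python
"""Hunt for hidden Run-key persistence in a Windows registry export.

Added example (not Countercept's code). Parses a .reg export, keeps the
values under the HKCU/HKLM Run keys, and reports:
  * value names containing non-printable or non-ASCII characters
    (step 1 above: names Regedit and similar tools cannot display), and
  * value data matching the command-line use-cases from the write-up.
All registry content below is constructed sample data.
"""
import re
import unicodedata

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Command-line traits taken from the use-case list; matched case-insensitively.
DATA_PATTERNS = [
    (re.compile(r"rundll32(\.exe)?\b.*\b(javascript|vbscript):", re.I), "rundll32 with script arguments"),
    (re.compile(r"powershell(\.exe)?\b.*(-enc\w*\b|invoke-expression|\biex\b)", re.I),
     "PowerShell with encoded command or Invoke-Expression"),
    (re.compile(r"powershell(\.exe)?\b.*(%\w+%|\$env:)", re.I), "PowerShell with environment-variable arguments"),
    (re.compile(r"\bHK(CU|LM|EY_)", re.I), "command line references the registry"),
]

# Constructed export. The second value name is a zero-width space followed by a
# Cyrillic letter: invisible in most viewers. The rundll32 payload is a placeholder.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="\\"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"\n'
    '"\N{ZERO WIDTH SPACE}\N{CYRILLIC SMALL LETTER A}"="rundll32.exe javascript:\\"<constructed placeholder>\\""\n'
    '"Updater"="powershell.exe -w hidden -enc QQBCAEMA"\n'
)


def unescape(field: str) -> str:
    """Strip the surrounding quotes of a REG_SZ field and undo backslash escaping."""
    if len(field) >= 2 and field[0] == '"' and field[-1] == '"':
        field = field[1:-1]
    return re.sub(r"\\(.)", r"\1", field)


def parse_run_values(reg_text: str):
    """Yield (key, value_name, value_data) for every value under a Run key."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if current is None or current.lower() not in RUN_KEYS:
            continue
        value = VALUE_RE.match(line)
        if value:
            name = "(Default)" if value.group(1) is None else unescape(value.group(1))
            yield current, name, unescape(value.group(2))


def name_findings(name: str) -> list:
    """Reasons a value name looks designed to hide from registry tools."""
    reasons = []
    odd = [c for c in name if not 0x20 <= ord(c) <= 0x7E]
    if odd:
        described = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}" for c in odd)
        reasons.append(f"non-printable or non-ASCII characters in value name: {described}")
    if not name.strip():
        reasons.append("empty or whitespace-only value name")
    return reasons


def data_findings(data: str) -> list:
    """Labels of every command-line trait the value data matches."""
    return [label for pattern, label in DATA_PATTERNS if pattern.search(data)]


def hunt(reg_text: str) -> list:
    """Return one finding dict per suspicious Run-key value, in export order."""
    findings = []
    for key, name, data in parse_run_values(reg_text):
        reasons = name_findings(name) + data_findings(data)
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_REG):
        print(f"{finding['key']}\\{finding['name']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
        print("   data:", finding["data"])
```

On a real export, run `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` on the host, decode the UTF-16 file, and pass its text to `hunt()`; the `repr()` in the output is deliberate, since printing the raw name would hide the characters in exactly the way the malware intends.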


By analyzing the individual processes, their parent/child relationships, their arguments, as well as their in-memory behavior, several threat-hunting use-cases can be generated.


  • RunDLL process launching PowerShell process
  • PowerShell process launching DLLHost process
  • RunDLL process with JavaScript arguments
  • RunDLL process referencing the registry
  • PowerShell with Invoke-Expression arguments
  • PowerShell with environment-variable arguments
  • DLLHost with evidence of a reflectively loaded DLL in memory


Any one of these use-cases, together with further analysis techniques such as least-frequency analysis as a form of anomaly detection, has the potential to reduce your process data sets to a volume suitable for human analysis. This is evidence that the increasingly popular fileless techniques are not actually that stealthy. In addition, the fact that this technique seems to rely on injecting into another process increases its chances of detection using memory analysis. In fact, we consider these techniques to often be easier to detect than hide-in-plain-sight approaches.


The data sets can be reduced even further using a combination of use-cases, or all of them if suitable. The more use-cases that are combined, the higher the accuracy of detection for the specific infection or variant. However, the art of threat hunting arguably lies in the ability to combine use-cases gathered from constant research and generation of hypotheses, and to feed them back into your threat-hunting model. This allows for detection of much more generic attack techniques as opposed to specific malware traits, allowing you to uncover compromises regardless of whether they have been seen before.
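The use-case list, the least-frequency idea, and the closing point about combining use-cases can all be expressed directly as analytics over process-creation telemetry. The Python below is an added example written for this post, not Countercept's code: it encodes the seven use-cases as rules over a process event record (fields modelled on what an EDR agent or a Sysmon process-creation event provides; the `reflective_dll` field is an assumed flag standing in for a memory scanner's verdict), applies least-frequency analysis to parent/child image pairs across an estate, and combines both into one score per process. All events are constructed, and the suspicious chain uses placeholder arguments rather than a real payload.

```python
"""Process-lineage hunting use-cases plus least-frequency analysis.

Added example (not Countercept's code). The seven use-cases from the list
above are encoded as rules over process-creation events; least-frequency
analysis then surfaces parent/child image pairs that are rare across the
estate, and the two are combined into one score per process. Events and
command lines below are constructed; the suspicious chain uses placeholders.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Fields modelled on an EDR / Sysmon process-creation record."""
    host: str
    pid: int
    parent_image: str
    image: str
    cmdline: str
    reflective_dll: bool = False  # assumed flag: memory scanner found an unbacked PE image


def _base(path: str) -> str:
    """Image file name, lower-cased, from a bare name or a full Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _has(cmdline: str, pattern: str) -> bool:
    return re.search(pattern, cmdline, re.I) is not None


# The seven use-cases, each evaluated against a single (child) process event.
RULES = {
    "RunDLL launching PowerShell":
        lambda e: _base(e.parent_image) == "rundll32.exe" and _base(e.image) == "powershell.exe",
    "PowerShell launching DLLHost":
        lambda e: _base(e.parent_image) == "powershell.exe" and _base(e.image) == "dllhost.exe",
    "RunDLL with JavaScript arguments":
        lambda e: _base(e.image) == "rundll32.exe" and _has(e.cmdline, r"\bjavascript:"),
    "RunDLL referencing the registry":
        lambda e: _base(e.image) == "rundll32.exe" and _has(e.cmdline, r"\bHK(CU|LM|EY_)"),
    "PowerShell with Invoke-Expression":
        lambda e: _base(e.image) == "powershell.exe" and _has(e.cmdline, r"\b(iex|invoke-expression)\b"),
    "PowerShell with environment-variable arguments":
        lambda e: _base(e.image) == "powershell.exe" and _has(e.cmdline, r"\$env:|%\w+%"),
    "DLLHost with reflectively loaded DLL":
        lambda e: _base(e.image) == "dllhost.exe" and e.reflective_dll,
}

# Constructed telemetry from a small estate. Everyday lineages repeat; the
# administrator's script on WS-02 is rare but benign; WS-07 carries a chain
# shaped like the behaviour described above, with placeholder arguments.
EVENTS = [
    ProcessEvent("WS-01", 4210, "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcessEvent("WS-02", 1188, "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcessEvent("WS-03", 9021, "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcessEvent("WS-01", 812, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("WS-02", 816, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("WS-03", 820, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("WS-01", 3300, "svchost.exe", "dllhost.exe", "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000001}"),
    ProcessEvent("WS-03", 3304, "svchost.exe", "dllhost.exe", "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000001}"),
    ProcessEvent("WS-02", 5120, "explorer.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ProcessEvent("WS-07", 2200, "explorer.exe", "rundll32.exe",
                 'rundll32.exe javascript:"<constructed placeholder>" HKCU\\Software\\<placeholder>'),
    ProcessEvent("WS-07", 2212, "rundll32.exe", "powershell.exe", "powershell.exe -w hidden iex $env:placeholder"),
    ProcessEvent("WS-07", 2230, "powershell.exe", "dllhost.exe",
                 "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000002}", reflective_dll=True),
]


def rule_hits(event: ProcessEvent) -> list:
    """Names of every use-case the event satisfies, in list order."""
    return [name for name, test in RULES.items() if test(event)]


def lineage_counts(events) -> Counter:
    """How often each (parent image, child image) pair occurs across the estate."""
    return Counter((_base(e.parent_image), _base(e.image)) for e in events)


def rare_lineages(events, threshold: int = 1) -> set:
    """Least-frequency analysis: parent/child pairs seen at most `threshold` times."""
    return {pair for pair, n in lineage_counts(events).items() if n <= threshold}


def prioritise(events, threshold: int = 1) -> list:
    """Score = use-cases hit + 1 if the lineage is rare; returns (score, event, hits), best first."""
    rare = rare_lineages(events, threshold)
    ranked = []
    for e in events:
        hits = rule_hits(e)
        score = len(hits) + (1 if (_base(e.parent_image), _base(e.image)) in rare else 0)
        if score:
            ranked.append((score, e, hits))
    ranked.sort(key=lambda r: r[0], reverse=True)  # stable: ties keep event order
    return ranked


if __name__ == "__main__":
    for score, e, hits in prioritise(EVENTS):
        print(f"score={score} host={e.host} pid={e.pid} {_base(e.parent_image)} -> {_base(e.image)}")
        for h in hits:
            print("   -", h)
```

Least-frequency analysis on its own surfaces the administrator's one-off script alongside the WS-07 chain, which is the point of combining use-cases: the chain's events each satisfy several rules and rank well above the benign outlier, while the rarity bonus still keeps a process with a single rule hit in view if its lineage is unusual for the estate.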