
Without a Trace: Fileless Malware Spotted in the Wild


With additional analysis from David Agni

Improvements in security file scanners are causing malware authors to deviate from the traditional malware installation routine. It’s no longer enough for malware to rely on dropping copies of themselves to a location specified in the malware code and using persistence tactics like setting up an autostart feature to ensure that they continue to run. Security file scanners can easily block and detect these threats.

A tactic we have spotted is the use of fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed on the target computer’s hard drive. POWELIKS is an example of fileless malware that is able to hide its malicious code in the Windows Registry. It uses a conventional malware file to add the registry entries that contain its malicious code.

In August 2014, POWELIKS’s evasion techniques and use of Windows PowerShell were noted as potentially dangerous tools for future attacks.

The success of the fileless infection technique—evident in the spike of POWELIKS infections in late 2014—has convinced other malware writers to jump on the bandwagon. We found another notable malware that has fileless infection as part of its routine.

Phasebot, Arising From Solarbot

Another example of fileless malware is “Phasebot,” which we found being peddled in websites that sell malware and other malicious online tools. We detect Phasebot as TROJ_PHASE.A. Phasebot contains both rootkit and fileless execution capabilities.

We noticed that this malware had the same features as Solarbot, an old bot that was first seen in the wild around late 2013. This became more evident when we compared the sites that sold the two malware.


Figure 1. Comparison between the websites for Solarbot (top) and Phasebot (bottom)

Phasebot can be seen as the newer version of Solarbot. While it has the same features as Solarbot, it also comes with additional features like virtual machine (VM) detection and an external module loader. The latter feature gives the malware the capability to add and remove functionalities on the infected computer.

Compared to Solarbot, Phasebot places a distinct emphasis on stealth and evasion mechanisms. It encrypts its communications to its C&C server by using random passwords each time it connects to the server.

The malware was designed to check if the following programs are installed in the affected system:

  • .NET Framework Version 3.5
  • Windows PowerShell


Figure 2. Phasebot queries registry entries to find specific programs

Both of these programs are integrated into current versions of Windows. After verifying that the affected system has these programs, Phasebot creates the following registry key where the encrypted shell code will be written:

  • HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}

It creates Rc4Encoded32 and Rc4Encoded64 registry values where it will save the encrypted 32-bit and 64-bit shell code. Lastly, it creates another registry value named JavaScript that will decrypt and execute the Rc4Encoded32/64 values.


Figure 3. Rc4Encoded32 and Rc4Encoded64 registry values
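A defender-side check for the registry footprint described above, written as an added example for this post (it is not Phasebot code or Trend Micro tooling). It enumerates the per-user Active Setup "Installed Components" key and reports any component carrying the Rc4Encoded32, Rc4Encoded64 or JavaScript values; the function name and the byte-count heuristic are this example's own assumptions.

```powershell
# Added defender example (not from the original post): audit the per-user Active Setup
# "Installed Components" key that Phasebot is described as writing to, and report any
# component that carries the Rc4Encoded32 / Rc4Encoded64 / JavaScript values.
# Assumption: run in the context of the user profile being checked (HKCU, as in the post).

$basePath = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'
$suspectValueNames = @('Rc4Encoded32', 'Rc4Encoded64', 'JavaScript')

function Get-SuspiciousActiveSetupComponents {
    param([string]$Path = $basePath)

    # Many clean user profiles have no per-user Installed Components key at all.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }

    $findings = @()
    foreach ($key in Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        # Real value names on this subkey; PS* entries are PowerShell provider metadata, not registry data.
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name

        $hits = @($names | Where-Object { $suspectValueNames -contains $_ })
        if ($hits.Count -eq 0) { continue }

        # Rough payload size: a normal Active Setup entry holds a short StubPath, not kilobytes of data.
        $bytes = 0
        foreach ($name in $hits) {
            $data = $props.$name
            if ($data -is [byte[]]) { $bytes += $data.Length } else { $bytes += "$data".Length }
        }

        $findings += [pscustomobject]@{
            Key          = $key.PSChildName      # the {Bot GUID} subkey name
            SuspectNames = ($hits -join ', ')
            DataBytes    = $bytes
        }
    }
    return $findings
}

$results = @(Get-SuspiciousActiveSetupComponents)
if ($results.Count -eq 0) {
    Write-Output "No Phasebot-style Active Setup entries found under $basePath"
} else {
    $results | Format-Table -AutoSize
}
```

Pair the output with the PowerShell and rootkit indicators in the rest of the post before drawing conclusions; a hit on these value names is strong, but the absence of hits does not clear a machine on which Phasebot fell back to the %User Startup% drop.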

If the programs are not found in the system, Phasebot drops a copy of itself in the %User Startup% folder. It then hooks APIs to achieve a user-level rootkit that hides the file from a typical end user. It hooks the NtQueryDirectoryFile API to hide the file and hooks NtReadVirtualMemory to hide the malware process.

Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs.

Phasebot and PowerShell

We think Phasebot is interesting because of its use of Windows PowerShell, a legitimate, built-in Windows system administration tool, to evade detection from security software. It uses PowerShell to run its components that are hidden in the Windows registry.

Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims. (And not coincidentally, the targeted .NET framework version 3.5 is also found in Windows 7 and higher.)

The Future with Fileless Malware

We expect that more malware writers will soon be adopting and adapting the fileless concept. It’s highly possible that they will not limit themselves to simply using the Windows registry to hide their malware. They will also use other, sophisticated techniques to run malicious routines without having to drop a file into the affected system.

The emergence of fileless malware can be a serious threat to users who are not familiar with this type of infection. Users are often advised to look for suspicious files or folders, but not in places like the Windows registry, which is used for fileless infection.

The move to fileless malware also poses a challenge for security vendors, especially those that rely heavily on file-based detection. Security vendors will have to step up their game and go beyond the usual, traditional file-based detection and venture into other methods such as behavior monitoring.

Because fileless malware is hard to detect, it is also difficult to remove. Much like rootkits, the location of the malware makes detection and deletion more difficult than in a typical malware infection.

Trend Micro solutions

Fileless malware is designed to make detection by security solutions more difficult. To combat this, Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security include behavior monitoring to detect this type of malware; this watches out for malicious behavior and blocks the malware before the behavior is executed or performed. This protects users even before a new pattern is available.

Users need to keep themselves updated on the new technologies being used by malware writers to evade detection and victimize users. Conventional wisdom is no longer sufficient if users want to truly protect themselves from the latest threats.

Of course, any information about the threat landscape should be complemented with safety practices. For example, users should always be cautious when dealing with emails, files, or URL links. It pays to double-check or confirm the safety of these items before opening or clicking them. Users can also opt to use the Trend Micro Site Safety Center to check if websites are safe before they visit them.

Hashes of the related files:
