Detecting the Undetectable: Spotting Fileless Malware
In this blog, we will explore the concept of fileless malware, why it’s hard to detect, and the techniques and tools that are helpful in detecting fileless malware, highlighting why traditional malware detection methods fall flat on their face.
What is Fileless Malware?
When you think about malware, usually you think about a file that is downloaded/copied onto your system’s storage and can be traced on the disk and detected using signature-based detection. However, this differs with fileless malware, as in general it operates in the system’s memory. There’s no persistent file downloaded onto the disk, which makes it both difficult to find and to remove from the attacked system. So, conventional antivirus programs that rely on hardware scans are ineffective at detecting fileless threats.
Usually, fileless malware is introduced through the common vulnerability in security – the people – via social engineering like phishing emails or malicious weblinks to gain initial access into a system (see Figure 1). Fileless malware relies on building a good understanding of how to socially engineer and target people, making them more likely to click on any links, with the attackers often posing as employers or a legitimate site. Other delivery methods include visits to compromised sites, drive-by downloads, and exploitation of vulnerabilities in software that hasn’t been patched.
Once the malware has gained access to a system and is running in memory, it uses harmless, pre-existing processes and programs that are trusted by the OS. The attackers then cause the intended chaos using those tools; in other words, they live off the land. PowerShell, Windows Management Instrumentation (WMI) and other allowlisted tools are weapons that they can add to their arsenal. The goal of the attacker typically lies within the realms of reconnaissance, accessing sensitive data, causing damage to the system, data theft, espionage or encryption with intent for ransom.
Some examples of fileless malware are:
- Windows Registry Malware/Windows registry manipulation – this is malware that installs itself in the Windows registry, mainly so it can remain persistent and not trip any alarm bells that would alert a SOC team/security analyst. If the attackers are successful in writing malicious code to the Windows Registry, it will launch every time the system is turned on (thereby remaining persistent).
- Memory code injection – this is where the malicious code is injected into a trusted program’s memory and runs the processes to execute its payload without creating a new file on the disk.
- Fileless Ransomware – similar to the others, it operates on the disk and uses trusted programs to encrypt files and lock out a victim from their system and data.
- Rootkits – Rootkits can also exhibit fileless malware behaviour by hiding their malicious code in the kernel of an operating system.
Figure 1: Flow diagram showing the process/steps of a general fileless malware attack, from how the attackers get in and gain persistence to how they carry out the attack and what they gain/impact.
Why Is Fileless Malware Hard to Detect?
These attacks mimic legitimate processes, which can make them hard to detect. They also use obfuscation methods in their commands and scripts to hide themselves:
- Encoding (for example, Base64)
- Escaped ASCII/Unicode values
- String splitting
- Encryption
- Randomisation
- Data & logic structure obfuscation
- Whitespace
Also, since they can live off the land (often using PowerShell or WMI), it doesn’t necessarily look like malicious behaviour. An analyst must be familiar with the normal/baselined usages of programs. They are also able to leave minimal evidence behind by running only in memory and then cleaning up after themselves by erasing any traces from the memory.
These fileless nightmares can avoid detection by traditional signature-based antivirus solutions since a file doesn’t exist on the disk (it avoids the use of a file system). Therefore, one way to detect it is to run a deep dive analysis in the memory, identifying malicious patterns. Security teams will need to have network events and logs of security tools to thoroughly examine this attack.
Techniques to Avoid Infiltration
Forget about IOCs, sandboxing, allowlisting, or any signature-based method of detection; these will be of no use to you for fileless malware detection. Instead, look to Indicators of Attack (IOAs); look for any code executions, lateral movements, scripts running in memory, unexpected DNS requests to domains, beaconing to C2 servers (you can use the tool RITA to help identify these patterns), command log checking, abnormal process checking, or unusual network traffic. An example of a tool that will help with real-time process checking is the Process Explorer, which can help you detect abnormal or malicious processes that are running.
The ways that have been identified are by monitoring the following event IDs (not exhaustive):
| Event ID | Event ID Summary | Event Source |
| --- | --- | --- |
| 4688 | This monitors a new process that has been created; what is needed is a rule or monitoring mechanism that will alert on all new processes that are created with PowerShell as the parent process. You can also couple this with monitoring for command-line arguments that look unusual or suspicious (assuming you have baselined the rules), e.g. powershell.exe -enc <Base64 Encoded Command>. You can also look for suspicious keywords in the process command line, such as -enc, bypass, invoke-expression and downloadfile, which can further suggest a malicious process being started. | |
| 7040 | We previously discussed persistence and how an attacker will try to establish it so that their malicious service will run after every system restart. This can be done by changing a service from disabled/demand to auto-start. So, by monitoring this Service Control Manager event ID we can see services that restart automatically after a reboot. | Service Control Manager |
| 4698 | This logs any scheduled task created. This would be good to baseline and monitor within a SIEM platform, as attackers can set scheduled tasks to gain persistence for the attack. | Windows Security Log |
| 4657 | This monitors whether a registry value was modified (creation, modification and deletion of registry values). It is useful to monitor specifically for changes to registry keys such as the following. Run keys (for auto-starting applications): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce; HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. Services (for maintaining persistence at system level): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services | Windows Security Log |
| 10148 | This event is logged when the WinRM service is listening for WS-Management requests, which happens after the system has restarted where remoting has been enabled. It is important to monitor whether WinRM has been unexpectedly turned on and whether the IP addresses it is communicating with are malicious. | WinRM, WS-Management |
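The Event ID 4688 check from the table, combined with the Base64 encoding listed earlier among the obfuscation methods, as an added example (not code from the original article): a Python triage over constructed process-creation events. The dict keys mirror the 4688 event's ParentProcessName and CommandLine fields; the function names and sample events are assumptions made for illustration.

```python
import base64
import re

# Keywords the article lists for Event ID 4688 command lines.
KEYWORDS = ("-enc", "bypass", "invoke-expression", "downloadfile")
FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/]{8,}={0,2})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    for flag, blob in FLAG_RE.findall(cmdline):
        # powershell.exe accepts any prefix of -EncodedCommand, plus -ec.
        if not ("encodedcommand".startswith(flag.lower()) or flag.lower() == "ec"):
            continue  # some other -e flag, e.g. -ExecutionPolicy
        try:  # the payload is Base64 over UTF-16LE text
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:
            return None
    return None

def triage(event):
    """Return the reasons a 4688 event (a dict) deserves analyst attention."""
    if event.get("EventID") != 4688:
        return []
    reasons = []
    if event.get("ParentProcessName", "").lower().endswith("\\powershell.exe"):
        reasons.append("parent is PowerShell")
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    # Scan the raw command line and the decoded payload for the keywords.
    haystack = (cmd + " " + (decoded or "")).lower()
    return reasons + ["keyword " + k for k in KEYWORDS if k in haystack]

def b64_utf16(script):  # builds the -enc argument for the constructed samples
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample events, not real telemetry.
SAMPLES = [
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -e " + b64_utf16("Invoke-Expression 'Get-Date'")},
    {"EventID": 4688, "CommandLine": "whoami.exe /all", "ParentProcessName":
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

for ev in SAMPLES:  # print the findings for each sample event
    print(ev["CommandLine"][:30], "->", triage(ev) or "no findings")
```

In the second sample neither -enc nor any keyword appears in the raw command line, so a plain keyword match would miss it; the finding only surfaces once the abbreviated flag is recognised and the payload decoded.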
Top Tools for Detecting Fileless Malware
Memory Forensics Tools:
We can use memory forensic tools that are good at detecting fileless malware, so you can open up a sandbox (for example, Cuckoo Sandbox) and simulate the initial infection process and activate the following tools to capture and analyse the memory:
- Volatility – a Python-based tool that helps a security team pull information from the memory dumps, like process information, registry keys, network connections, and other useful information for malware detection.
However, some advanced malware can detect that it is running in a sandbox and will completely shut itself down.
Disk & Memory Imaging Tools:
You can also use disk & memory imaging tools in a forensic investigation once an attack has been identified and you want to prove how it occurred:
- FTK Imager – this tool can create disk and memory images; it captures the running processes and data in the RAM, creating the perfect snapshot. This tool is usually used in post-infection investigations, as it can help forensic analysts to see hidden processes or modified registry keys.
- Magnet RAM Capture – this tool is similar to FTK Imager and captures a snapshot.
Key Takeaways
The key takeaways from this article are the following:
- Fileless malware operates by taking advantage of trusted and allowlisted programs and works in the memory. This means that we need to change the way we look at detection and move away from a solely IOC-based methodology to a mixture of IOC and IOA methodology. Look for things like abnormal process execution (this does require you to baseline and understand what normal is within your environment), beaconing behaviour (tools like RITA can be useful for this detection), and suspicious command-line arguments.
- There are a bunch of useful event IDs (e.g., from Windows) that can be collected, funnelled into a SIEM, and made into alerts. Things like scheduled tasks can be monitored and checked to see if they are expected behaviour or not.
- While detection is necessary, prevention is also a key pillar in security. To do this, scheduled patching, robust firewalls or network segmentation are important. Reducing the attack surface is always key to keeping your network safe from the evils that are the attackers.
- Finally, there are a bunch of tools that can be used for detection and forensics that will analyse the memory.