Fileless Malware Infections

FileLess Malware Infections
Malware tricks for Pentesters
Ramon Pinuaga
Bsides Lisbon 2017

Index
1) Presentation
2) Real world examples
3) Process
  • Infection
  • Persistence
4) Conclusions

PRESENTATION

Who are you?
• Pentester for many, many years.
• Current position: Cybersecurity Audit Manager at PROSEGUR Spain.
• I prefer the offensive side of security.

What is FileLess Malware?
• Malicious code that doesn't need to create or drop regular files on the system.
• A move away from the traditional monolithic malware or pentesting framework.
• For persistence we usually need to leave at least something on the system, but we can hide it and make it very small.

FileLess or MalwareLess?
• We have 2 main ways to achieve an infection without files:
  • Not using malware (or code) at all, e.g. planting a configuration-only backdoor on a system. That way we don't control the system all the time, but we can access it later.
  • Using code that never touches disk in its clear form. For persistence we always need a way to keep at least the first stage of the code on the system.

Why FileLess in pentesting?
• Evading antivirus detection: no file, no scan, no VirusTotal upload.
• Leaving a smaller forensic trail: fewer artifacts.
• Difficult environments (hard to upload things).
• Helps in bypassing application whitelisting (SRP, AppLocker, etc.).

Pentest vs APT
• Long-term persistence.
• Kernel-level access.
• High-level hiding.
• Quickness and simplicity: only userland, no rootkits, no NSA-like implants.

DEMO: RDP + Sethc
• Enable Remote Desktop
• Hijack sethc.exe
• Change RDP port
• Open Windows Firewall

How to keep code without files?
• Keeping all in memory. (Problem: no persistence.)
• Storing the code in non-file or non-regular storage (the classics):
  • Outside the filesystem: UEFI, HDD firmware, hidden disk areas, $EA, etc. (We are not going that far, remember: only userland.)
  • Network / external systems.
  • Alternate Data Streams (ADS).
  • Registry.

Novel non-regular storage
• WMI (subscriptions).
• Windows events (.evt).
• Inside documents (.doc, .xls, .pdf).
• File/directory names (0-day).
• Environment variables (more 0-day).

DEMO: Code in filenames
• Stage 1: Run key
• Stage 2: Environment
• Stage 3: Dir names

How to execute code without files?
• Remote injection in memory -> remote call or exploit.
• Loading remote binaries (EXEs, DLLs) -> via SMB, WebDAV, etc.
• Scripting languages -> loaded remotely or from the command line:
  • PowerShell (powershell.exe)
  • JavaScript/VBScript (cscript.exe, wscript.exe, mshta.exe, rundll32.exe, regsvr32.exe)
  • .NET assemblies (InstallUtil.exe, IEExec.exe, RegAsm.exe)
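As an added defensive example (not code from the talk): a Python classifier that flags process command lines using the script hosts and .NET utilities listed above when they carry inline JavaScript, an encoded PowerShell command, or a remote (URL/UNC) code source. The sample records, paths and base64 strings are constructed; the host names and PowerShell flag abbreviations are standard Windows ones.

```python
import ntpath
import re
import shlex

# Hosts the talk lists under "How to execute code without files"; any of them
# running inline, encoded or remotely fetched code is worth an alert.
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe"}
DOTNET_LOADERS = {"installutil.exe", "ieexec.exe", "regasm.exe"}
REMOTE = re.compile(r"^(https?://|\\\\)", re.I)        # URL or UNC path argument
def _tokens(cmdline):
    """Split like Windows would: non-POSIX shlex keeps backslashes, then drop quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def _is_encoded_flag(tok):
    """powershell.exe accepts -e, -ec or any unambiguous prefix of -EncodedCommand."""
    s = tok.lower().lstrip("-/")
    return s in ("e", "ec") or (s.startswith("en") and "encodedcommand".startswith(s))

def classify(cmdline):
    """Return the reasons a process command line looks like file-less execution."""
    toks = _tokens(cmdline) or [""]
    image, args = ntpath.basename(toks[0]).lower(), toks[1:]
    if image in DOTNET_LOADERS:
        return [f"{image}: .NET utility run as an assembly loader"]
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    if image == "rundll32.exe" and any(a.lower().startswith("javascript:") for a in args):
        reasons.append("rundll32 running inline JavaScript (the Poweliks trick)")
    if image == "powershell.exe" and any(_is_encoded_flag(a) for a in args):
        reasons.append("powershell encoded command: script body never hits disk")
    if any(REMOTE.search(a) for a in args):
        reasons.append(f"{image}: code fetched from a remote location")
    return reasons

# Constructed process-creation records (Sysmon Event ID 1 style); not from the talk.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\rundll32.exe javascript:"constructed-sample"',
    r'C:\Windows\System32\mshta.exe http://intranet.example.invalid/page.hta',
    r'powershell.exe -nop -w hidden -EncodedCommand QUJDRA==',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U C:\Users\bob\a.txt',
    r'C:\Windows\System32\cscript.exe //nologo C:\Scripts\inventory.vbs',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL',
]

def scan(events):
    """Map each flagged command line to its reasons; benign ones are left out."""
    return {e: r for e in events if (r := classify(e))}
```

The .NET loaders are reported on any execution because they are rare outside software installs; the two rundll32 samples show that only the `javascript:` form is flagged, not ordinary DLL entry points.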

Our FileLess pentest framework
• Tools already installed on the system (no new files).
• Tools that allow receiving external input (via command line or via the network).
• Bonus: tools signed by Microsoft.

REAL WORLD EXAMPLES

Real world examples
• Worms (memory only):
  • Slammer.
• Poweliks.
• WMIGhost.
• Empire.
• Duqu 2.0 (Kaspersky).

Slammer (2003)
• Worm that infected thousands of computers and impacted general Internet traffic in some areas.
• The worm exploited a buffer overflow vulnerability in the Microsoft SQL Server Resolution Service (1434/UDP).
• Only 376 bytes, fitting into a single UDP packet.

Poweliks (2014)
• Infection via Word macro (not FileLess).
• Persistence via autostart registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
• Minimal first stage: uses a clever rundll32 trick to run JavaScript code.
• Next stages also stored in the registry (encoded). They run PowerShell code.
• PowerShell injects a DLL into another process's memory, without touching disk.

Poweliks – Rundll32 trick

WMIghost (2014)
• Infection via Word macro.
• Dropper and UAC bypass binaries touch disk (not fully FileLess).
• Then it registers the permanent WMI classes it needs: event definition, event filter and event consumer.
• It uses JavaScript as the payload code in the event consumer's active script.

Empire (2015)
• PowerShell-based RAT.
• It tries to be as FileLess as possible.
• Mostly working from memory only.
• Various options for persistent storage: Registry, ADS, event log and of course WMI subscriptions.

Duqu 2.0 (2015)
• Unknown infection vector.
• Only a few selected hosts were used for on-disk persistence.
• These hosts injected the malware remotely into other systems' memory.
• For this task the malware gained domain administrator privileges and then deployed MSI packages (via a new service or a scheduled task).

Common FileLess behavior
• First stage: minimal. Usually a small VBS or JS (not directly PowerShell).
• Second stage: main script based on PowerShell. More complex and powerful logic that injects a binary into another process.
• Third stage: binary. Usually a PE DLL payload. More similar to traditional malware, but never touches disk.

PROCESS

Operation Process
• An ideal FileLess pentest operation should cover the following phases:
  1. FileLess infection.
  2. Installation of FileLess backdoors.
  3. Gaining FileLess persistence.

FileLess Infection
• Infection without sending any files.
• Not common. Even known FileLess APT operations use some kind of file in this stage.
• Preferably, we need to deliver the exploit before the application layer:
  • Inside a stream.
  • At the lower network layers (e.g. SMB or SSL exploits).
  • Open network services (e.g. EternalBlue).

FileLess Backdoors
• Configuration-only backdoors (no code).
• Some popular ones:
  • Create user + remote exec (PsExec/Sc, WMI, SchTasks, WinRM, PSRemoting).
  • Binary image hijack + Remote Desktop.
  • Silver/Golden tickets.
  • Proxy + decreased security.

FileLess persistence
• First stage: registry autostart entries.
  • Run entries.
  • Scheduled tasks.
  • Image hijacks.
  • WMI.
  • Services (not very elegant).
• Usually too noisy for a human analyst, but harder to detect with automated tools because we are not using any files.
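An added example (not from the talk) of how a defender audits the WMI persistence used by WMIghost and listed above: a permanent WMI subscription consists of a filter, a consumer and a binding in the root\subscription namespace, and this Python joins constructed copies of those three record types to surface consumers that run script or commands. Field names follow the WMI classes; the "Updater" and "Orphan" entries are constructed, while the SCM Event Log pair has the shape of the subscription stock Windows ships.

```python
import re

# Constructed records shaped like the three root\subscription classes of a
# permanent WMI subscription (not real captures); on Windows they would come
# from Get-WmiObject -Namespace root\subscription for each class.
FILTERS = [
    {"Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "Updater", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"},
]
CONSUMERS = [
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "Updater",
     "ScriptingEngine": "JScript", "ScriptText": "/* constructed placeholder */"},
    {"__CLASS": "CommandLineEventConsumer", "Name": "Orphan",
     "CommandLineTemplate": "powershell.exe -nop -w hidden -enc QUJD"},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="Updater"',
     "Consumer": 'ActiveScriptEventConsumer.Name="Updater"'},
]
PAYLOAD_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
_REF = re.compile(r'^(\w+)\.Name="([^"]*)"$')   # WMI object path: Class.Name="value"

def _ref(path):
    """Split a binding's Filter/Consumer path into (class, name)."""
    m = _REF.match(path)
    return (m.group(1), m.group(2)) if m else (None, None)

def audit(filters, consumers, bindings):
    """Join each binding to its filter and consumer; return (severity, name, reason)."""
    fmap = {f["Name"]: f for f in filters}
    cmap = {(c["__CLASS"], c["Name"]): c for c in consumers}
    findings, bound = [], set()
    for b in bindings:
        fname, (ccls, cname) = _ref(b["Filter"])[1], _ref(b["Consumer"])
        if fname not in fmap or (ccls, cname) not in cmap:
            findings.append(("high", fname, "binding points at a missing filter or consumer"))
            continue
        bound.add((ccls, cname))
        if ccls in PAYLOAD_CONSUMERS:   # code or a command runs every time the filter's event fires
            findings.append(("high", fname, f"{ccls} fires on: {fmap[fname]['Query']}"))
        else:
            findings.append(("info", fname, f"{ccls} (logging-style consumer)"))
    for ccls, cname in cmap:
        if ccls in PAYLOAD_CONSUMERS and (ccls, cname) not in bound:
            findings.append(("medium", cname, f"unbound {ccls}: stored payload with no trigger"))
    return findings
```

Unbound consumers never fire but still hold the payload text, which is why they get their own finding rather than being ignored.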

CONCLUSIONS

Conclusions
• Full pentest operations are possible without using any files (or almost).
• We need some "resident" artifacts on the system, but these can be very small and easily hidden.

Thanks
• Questions? Comments?
• https://twitter.com/rpinuaga

Previous research
• A lot of ideas taken from:
  • Casey Smith: https://twitter.com/subtee
  • Didier Stevens: https://twitter.com/DidierStevens
  • Alex Abramov: https://twitter.com/codereversing
  • Rob Fuller: https://twitter.com/mubix
  • Cneelis: https://twitter.com/Cneelis
  • Matt Nelson: https://twitter.com/enigma0x3
  • Matt Graeber: https://twitter.com/mattifestation
  • James Forshaw: https://twitter.com/tiraniddo

www.prosegur.com

DEMO: Proxy + Authenticode
• Convince the user to execute a .REG file
• Configure proxy
• Disable Authenticode validation
• Wait for EXE download
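Added example, not part of the talk: a small Python parser for the .REG format that triages a file before it is imported, flagging writes to the locations this deck's configuration-only backdoors touch (Run key, IFEO debugger for an image hijack, Remote Desktop settings, proxy, WinTrust/Authenticode state). The registry paths are standard Windows ones rather than taken from the slides, and the sample .REG and its data values are constructed placeholders.

```python
import re

# Locations touched by the talk's configuration-only backdoors (Run key, image
# hijack, RDP, proxy, Authenticode): standard Windows paths, matched on the key tail.
WATCHLIST = [
    (r"\\currentversion\\run$", None, "autostart entry (Run key)"),
    (r"\\image file execution options\\[^\\]+$", "debugger", "IFEO debugger: image hijack"),
    (r"\\control\\terminal server$", "fdenytsconnections", "Remote Desktop toggled"),
    (r"\\winstations\\rdp-tcp$", "portnumber", "RDP port changed"),
    (r"\\currentversion\\internet settings$", r"proxy(enable|server)|autoconfigurl", "proxy changed"),
    (r"\\trust providers\\software publishing$", "state", "Authenticode (WinTrust) state changed"),
]
_KEY = re.compile(r"^\[(-?)(.+)\]$")                       # [HKEY_...] or [-HKEY_...]
_VAL = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')      # "Name"=data or @=data

def parse_reg(text):
    """Yield (key, deleted, name, raw) per key deletion / value write; hex: continuations are joined."""
    lines, key = iter(text.splitlines()), None
    for line in lines:
        line = line.strip()
        if m := _KEY.match(line):
            key = m.group(2)
            if m.group(1):                       # [-HKEY...] removes the whole key
                yield key, True, None, None
        elif (m := _VAL.match(line)) and key is not None:
            name, raw = m.group(1), m.group(2)
            while raw.endswith("\\"):            # data continued on the next line
                raw = raw[:-1] + next(lines, "").strip()
            yield key, False, "@" if name is None else name.replace('\\"', '"'), raw

def triage(text):
    """Return (key, value name, raw data, reason) for every watched write."""
    hits = []
    for key, _deleted, name, raw in parse_reg(text):
        for kpat, vpat, why in WATCHLIST:
            if re.search(kpat, key.lower()) and (
                    vpat is None or (name and re.fullmatch(vpat, name.lower()))):
                hits.append((key, name, raw, why))
    return hits

# Constructed .REG in the shape of the "Proxy + Authenticode" demo; data values are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.example.invalid:8080"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]
"State"=dword:00000000
'''
```

Run `triage(SAMPLE_REG)` to see the three proxy and WinTrust writes reported; a key the watchlist does not cover yields nothing.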