Attack Trend: Fileless Malware

Friday, April 24, 2015 @ 05:04 PM gHale

Improvements in security file scanners are causing malware authors to get creative and deviate from the norm.

Antivirus and security scanners have gotten too smart for the tried-and-true malware methods of dropping copies to a location specified in the malware code and setting up persistence, such as an autostart entry, to ensure the malware keeps running.


That is where a new malware called Phasebot comes into play: it uses a fileless infection as part of its routine. Fileless malware hides itself in locations that are difficult to scan or detect; it exists only in memory, written directly to RAM rather than to disk.

“Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in the target computer’s hard drive,” said Trend Micro Threat Response Engineer Michael Marcos in a blog post.

Phasebot’s detection evasion tactics include rootkit capabilities, encryption of communications with its C&C server using random passwords, and virtual machine detection.

“Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs,” Marcos said.

The malware also sports an external module loader, which allows it to add and remove functionalities on the infected computer.

“We think Phasebot is interesting because of its use of Windows PowerShell, a legitimate, built-in Windows system administration tool, to evade detection from security software. It uses PowerShell to run its components that are hidden in the Windows registry,” he said.

“Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims.”
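As an added illustration of the detection problem described above (example code, not from the article or from Trend Micro), the Python below scores constructed process-creation log lines for the combination of traits the article attributes to Phasebot: a PowerShell launch that reads a value out of the registry and executes it in memory. The log format, indicator weights, threshold and all EXAMPLE_* names are assumptions.

```python
import re

# Weighted indicators (weights are illustrative assumptions, not vendor rules).
INDICATORS = [
    (re.compile(r"(?i)\bpowershell(\.exe)?\b"), "powershell", 1),
    (re.compile(r"(?i)-(w|win|windowstyle)\s+hidden\b"), "hidden_window", 2),
    (re.compile(r"(?i)-(nop|noprofile)\b"), "no_profile", 1),
    (re.compile(r"(?i)-(e|ec|enc|encodedcommand)\b"), "encoded_command", 3),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "invoke_expression", 3),
    (re.compile(r"(?i)\b(gp|get-itemproperty(value)?)\b|HK(LM|CU):\\"), "registry_read", 3),
]
ALERT_THRESHOLD = 6  # assumed cut-off; tune against your own baseline


def score_command_line(cmd):
    """Return (score, indicator names) for one process command line.
    A non-PowerShell image scores 0: the pattern of interest is PowerShell
    pulling its payload out of the registry, not registry access in general."""
    hits = [(name, weight) for rx, name, weight in INDICATORS if rx.search(cmd)]
    names = [n for n, _ in hits]
    if "powershell" not in names:
        return 0, []
    return sum(w for _, w in hits), names


def parse_log_line(line):
    """Parse the constructed 'timestamp|user|command line' record format."""
    ts, user, cmd = line.split("|", 2)
    return {"ts": ts, "user": user, "cmd": cmd}


def find_suspicious(lines, threshold=ALERT_THRESHOLD):
    """Return (timestamp, user, score, indicators) for each event at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_log_line(line)
        score, names = score_command_line(ev["cmd"])
        if score >= threshold:
            alerts.append((ev["ts"], ev["user"], score, names))
    return alerts


# Constructed process-creation events; EXAMPLE_* and BASE64_PLACEHOLDER are placeholders.
SAMPLE_LOG = [
    r'2015-04-24T17:04:00|CORP\alice|powershell.exe -NoProfile -WindowStyle Hidden '
    r'-Command "iex (gp HKCU:\Software\EXAMPLE_KEY).EXAMPLE_VALUE"',
    r'2015-04-24T17:05:10|CORP\bob|powershell.exe -NoProfile -File C:\scripts\inventory.ps1',
    r'2015-04-24T17:06:30|CORP\carol|cmd.exe /c reg query HKLM\SOFTWARE\Microsoft',
    r'2015-04-24T17:07:45|CORP\dave|powershell.exe -w hidden -enc BASE64_PLACEHOLDER',
    r'2015-04-24T17:08:00|CORP\erin|powershell.exe -Command "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion"',
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

A plain registry read from an admin's PowerShell session (the last sample line) stays below the threshold; it is the hidden window plus in-memory execution of registry content that pushes an event over it.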

Given that most security solutions have trouble detecting fileless malware, and that it is also difficult to remove, it is likely we will see more of this kind of code down the road.
