There is a lot of discussion lately about 'fileless malware', also referred to as 'living off the land', 'memory only', or 'non-malware attacks'. I do not necessarily agree with this simplistic classification and feel we need to expand what we are calling these attacks to better understand the attack, and thus better detect and defend against them.
Cylance recently put out an article that listed a 'fileless malware attack chain'; below is their "Malware Attack Chain" from the article:
As a defender who spends most of the time performing detection and response duties, I would like to suggest some new concepts to better separate what malware today is doing, rather than generically calling it 'fileless'. That label is misleading and does not help us understand the method of the attack, which is what would help us detect and defend against it, the ultimate goal.
I would like to introduce a new "Malware Archaeology Malware Attack Chain" to incorporate the newly proposed concepts. Let's start with the word malware, which stands for 'malicious software'. Let's take this term and modernize it to reflect the evolution of today's malware by aligning it to the ways we would detect and defend against what the malwarians are doing within the attack, whatever type of malware is used, the fileless component included.
So what do the vendors mean when they say 'fileless malware'? Well, I think this may vary by vendor and researcher, but generally it is meant to indicate that once a system is fully infected, there are no files remaining on disk that can be found while the system is running and the malware is active.
We should consider that there is more to an infection than the final infected state, because there is! The stages or ways by which the system is infected and persists should be the focus, so we can better detect and respond and perform more focused Incident Response.
Let's take a typical malware infection and walk through the steps or stages of the infection. We will use an attack that was received via email, like the one the Cylance article above used.
- Email received and opened
- User double clicks an attachment or downloads a file via a URL in the email
- The system gets infected executing all the needed steps by downloading any needed files
- Executing the malware components
- Adding, changing or deleting files
- Creating some form of persistence on the system
- Running Malware behavior
- Re-Infection after a reboot
- Re-Infection behavior
- Network behavior
Now let's give names to some of these steps so we can define what they are and how they can vary to include a "fileless" type of malware infection.
Let's start with the delivery method, in this case email. To better identify the method of attack delivery, how about something more descriptive, like:
- EmailWare
- URLWare, or WebWare
Once the download has begun there are many things that happen, starting with the way the infection is delivered, downloaded and initially executed. How about we call this stage:
- InfectWare
This would include how the system initially gets infected, including the noise made that properly configured logs would capture. Whether it used built-in utilities, initial executions of binaries, file and registry changes, or anything else that can be detected during the initial infection, the logs could capture it. This can include, as some fileless malware reports mention, the dropping, execution and deletion of files, which to me negates the generic term 'fileless', but we will ignore this point for the time being. This stage I propose be named "InfectWare".
If files are used, and remain on disk after the infection is complete, we can refer to this stage as:
- FileWare
This conveys that files are involved at some point during the infection, even if they are deleted once persistence is established. If the files were deleted after the initial infection, we can refer to this as:
- DeletedWare
Now the persistence can have many names, since there are so many ways to persist on a Windows system. For example, a simple Run key where files remain on disk is a typical malware infection, but we are seeing more methods of persistence with the evolution of malware. So we need a new way to refer to these infection methods. There are many forms that are generically referred to as 'fileless malware', so let's give them better, more descriptive names so we can better focus detection and response.
So let's consider these names to better describe 'fileless malware':
- RegWare - Malware that hides in the registry
- WMIWare - Malware that hides in the WMI database
- PSWare - Malware that utilizes PowerShell
- BootWare - Malware that hides in a system's boot sector
- Etc...
Now that we have some new terms, we can add clarification to malicious attacks and much needed context to the "Malware Attack Chain". Let's add these new terms to the "Malware Archaeology Malware Attack Chain" and we get more information to help us detect and respond, and even understand better where to look, and what to look for.
Now that we have more terms to describe what "fileless" is, fileless malware can be demystified and made less scary, and we would be better able to detect and respond to this type of threat using the right tool(s) to hunt for the artifacts.
For example, LOG-MD-Professional can search the registry for large registry keys, search PowerShell logs, and also find locked files, which is a new tactic used to block binaries from being inspected. LOG-MD also has an AutoRuns feature that can discover the majority of persistence locations. Other tools and scripts can focus on WMI persistence or other interesting bits. Now we at least have direction on where to look for fileless malware and can better improve our detection abilities.
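As an added example (not part of the original post and not LOG-MD's code), here is a PowerShell hunt for two of the artifacts named above: oversized values under common autorun keys (RegWare) and permanent WMI event subscriptions (WMIWare). The key list and the 4096-byte threshold are assumptions chosen for illustration.

```powershell
# Added hunting example, not LOG-MD code. Flags oversized registry values under
# common autorun keys (RegWare) and lists permanent WMI event subscriptions (WMIWare).
# Run from an elevated prompt so HKLM and the root\subscription namespace are readable.

$SizeThresholdBytes = 4096   # assumption: legitimate autorun values are normally far smaller
# Autorun keys commonly used for persistence (illustrative, not exhaustive)
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-LargeRegistryValue {
    param([string[]]$Path, [int]$Threshold)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { continue }
        $key = Get-Item -Path $p
        foreach ($name in $key.GetValueNames()) {
            # Read the raw data without expanding %VARS% so the size reflects what is stored
            $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $size = if ($raw -is [byte[]]) { $raw.Length } else { [Text.Encoding]::Unicode.GetByteCount([string]$raw) }
            if ($size -gt $Threshold) {
                [pscustomobject]@{
                    Key = $p; Value = $name; Bytes = $size
                    Preview = ([string]$raw).Substring(0, [Math]::Min(60, ([string]$raw).Length))
                }
            }
        }
    }
}

function Get-WmiPersistence {
    # A permanent subscription needs a filter (trigger), a consumer (action) and a binding.
    $ns  = 'root\subscription'
    $ref = { if ($args[0] -is [string]) { $args[0] } else { $args[0].Name } }  # reference -> name
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        Select-Object @{n='Type';e={'Filter'}}, Name, @{n='Detail';e={$_.Query}}
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Select-Object @{n='Type';e={'CmdConsumer'}}, Name, @{n='Detail';e={$_.CommandLineTemplate}}
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
        Select-Object @{n='Type';e={'ScriptConsumer'}}, Name, @{n='Detail';e={$_.ScriptText}}
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Select-Object @{n='Type';e={'Binding'}}, @{n='Name';e={& $ref $_.Filter}}, @{n='Detail';e={& $ref $_.Consumer}}
}

Get-LargeRegistryValue -Path $AutorunKeys -Threshold $SizeThresholdBytes | Format-Table -AutoSize
Get-WmiPersistence | Format-Table -AutoSize -Wrap
```

Any filter/consumer/binding triple on a workstation that was not put there by a known management product, and any Run value measured in kilobytes, is worth pulling into the Incident Response timeline alongside the PowerShell log review.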
We can also use this logic to evaluate Next Generation Anti-Virus and Endpoint Detection and Response (EDR) tools.
Happy Hunting!
#InfoSec #MalwareArchaeology #LOG-MD