Articles & Presentations

Monday, May 1, 2017

Fileless Malware? Not so fast, let's consider new terms


There is a lot of discussion lately about 'fileless malware', also referred to as 'living off the land', 'memory only', or 'non-malware attacks' .  I do not necessarily agree with this simplistic classification and feel we need to expand what we are calling these attacks to better understand the attack, and thus better detect and defend against them.
Cylance recently put out an article that listed a 'fileless malware attack chain', below is their "Malware Attack Chain" from the article:

Being a defender that spends most of the time performing detection and response duties, I would like to suggest some new concepts to better separate what malware today is doing versus generically calling it 'fileless' which is misleading and does not help us understand the method of the attack, which would also help us detect and defend against them, which is the ultimate goal.

I would like to introduce a new "Malware Archaeology Malware Attack Chain" to incorporate the new proposed concepts.  Let's start with the word malware, which is meant to stand for 'malicious software'.  Let's take this term and modernize it to reflect the evolution of today's malware by aligning it to the ways we would detect and defend against what the malwarians are doing within the attack, whatever type of malware used, which includes the fileless component.

So what do the vendors mean when they say 'fileless malware'?  Well, I think this may vary by vendor and researcher, but generally it is meant to indicate that once a system is fully infected, there are no files remaining on disk that can be found while the system is running and the malware is active.

We should consider that there is more to an infection than the final infected state, because there is!  The stages or ways the system is infected and persists should be the focus to better detect and respond, and perform more focused Incident Response.

Let's take a typical malware infection and walk through the steps or stages of the infection.  We will use a an attack that was received via email, like the above Cylance article used.
  1. Email received and opened
  2. User double clicks an attachment or downloads a file via a URL in the email
  3. The system gets infected executing all the needed steps by downloading any needed files
  4. Executing the malware components
  5. Adding, changing or deleting files
  6. Creating some form of persistence on the system
  7. Running Malware behavior
  8. Re-Infection after a reboot
  9. Re-Infection behavior
  10. Network behavior


Now let's give names to some of these steps so we can define what they are and how they can vary to include a "fileless" type of malware infection.

How about the delivery method, in this case Email.  How about to better know the method of attack delivery something more descriptive like;

  • EmailWare
  • URLWare, or WebWare

Once the download has begun there are many things that happen, starting with the way the infection is delivered, downloaded and initially executed.  How about we call this stage;


  • InfectWare

This would include how the system initially gets infected including the noise made that properly configured logs would capture.  Whether it used built-in utilities, initial executions of binaries, file and registry changes, and everything that can be detected during the initial infection, the logs could capture it.  This can include, as some fileless malware reports mention, the dropping, execution and deletion of files.  Which to me negates the generic term calling it 'fileless', but we will ignore this point for the time being.  This stage I propose it be named "InfectWare".

If files are used, and remain on disk after the infection is complete, we can refer to this stage as;


  • FileWare 

To understand that files are involved at some point during the infection, even if they get deleted after the persistence.  If the files were deleted after the initial infection, we can refer to this as:

  • DeletedWare
Now the persistence can have many names since there are so many ways to persist on a Windows system.  For example; A Simple run key where files remain on disk is a typical malware infection, but we are seeing more methods of persistence with the evolution of malware.  So we need a new way to refer to these infection methods.  There are many forms that are generically referred to as 'fileless malware', so let's give it a better, more descriptive name so we can better focus detection and response.  So let's consider these names to better describe 'fileless malware';

  • RegWare - Malware that hides in the registry
  • WMIWare - Malware that that hides in the WMI database 
  • PSWare - Malware that utilizes PoserShell
  • BootWare - Malware that hides in a systems boot sector
  • Etc...


Now that we have some new terms we can now add clarification to malicious attacks and add much needed context to the "Malware Attack Chain".  Let's add these new terms to the "Malware Archaeology Malware Attack Chain" and we get more information to help us detect and respond and even understand more where to look, and what for.


Now that we have more terms to describe what "fileless" is, fileless malware can be demystified, not as scary, and would be better able to detect and respond to this type of threat using the right tool(s) to hunt for the artifacts.

For example;  LOG-MD-Professional can search the registry for large registry keys, PowerShell Logs, and also locked files which is a new tactic to block binaries from being inspected.  LOG-MD also has an AutoRuns feature that can discover the majority of persistence locations.  Other tools and scripts can focus at WMI persistence or other interesting bits.  Now we at least can get direction at where to look for fileless malware and better improve our detection abilities.

We can also use this logic to evaluation Next Generation Anti-Virus to EndPoint Detection and Response (EDT/EDTR) tools.

Happy Hunting!

PodCast:

References:


#InfoSec #MalwareArchaeology #LOG-MD