In memory fileless malware detection ..... any antimalware software?

Discussion in 'malware problems & news' started by aigle, Sep 10, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No, I am using WIN 7. And yes, $ADMIN disabled by default. But I take no chances .....................
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Since this topic started with a ref. to Poweliks and I finally found my McAfee Endpoint ref., here's how you can prevent it using a HIPS.

    Create a rule to ask/block (I always create ask rules for stuff like this) to monitor create and write registry key activity for System32 and SysWow64/dllhost.exe against the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Classes\CLSID\*
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    -EDIT- Forgot the stinking 32 bit keys. If you have x64, add these:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    Ref.: https://kc.mcafee.com/resources/sit...Afee_Labs_Threat_Advisory-Trojan-Powelike.pdf

    I have the equivalent rule for my Eset HIPS.

     
    Last edited: Sep 22, 2015
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    First three registry keys should be covered by UAC set on max, shouldn't they? For last one, registry key permissions should be changed to prevent modification from apps with non-admin privileges. That's if you don't want to use HIPS or registry monitor.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    It is using Powershell to perform the initial infection. UAC won't stop Powershell.

    Again, monitoring Powershell startup with a HIPS will also prevent an infection.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    None of these stops fileless malware. If you are ready to test, I can send you the fiddlers.
     
  6. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,138
    Can't I just force Powershell to be Sandboxed with Sandboxie? I have it Sandboxed with rights dropped.
     
    Last edited: Sep 20, 2015
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi aigle,

    I know you are interested in detection in this thread, but I wonder if you (or others) have come across any new delivery methods other than those already reported:

    I would think that most Wilders members would not be vulnerable to the triggering of the exploit on the compromised web site.

    The persistence trick:

    Note that a system with a reboot-to-restore program would clean this up on reboot (at least Deep Freeze would).

    ----
    rich
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    None. And my sole knowledge is based upon Kafeine's blog.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    So it is using some kind of UAC-bypass to elevate privileges?
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Why don't you just post some examples(test results preferably) of the fileless malware you're referring to.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    According to this: https://www.wilderssecurity.com/threads/windows-7-applocker-can-be-bypassed.321479/ Powershell can bypass both Applocker and SRP policy restrictions. Also you can run Powershell in a sandbox but doing so might break some legit system uses of it.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
Well that article is about bypassing Applocker and possibly SRP but not about bypassing UAC. Those registry keys should be protected by UAC and modifying them should bring a UAC prompt. I was more interested in whether the specific malware you've mentioned is using some kind of UAC bypass.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "We have been monitoring a campaign targeting the USA at least since July 2015 that’s using the well-known poweliks file-less malware to evade antivirus detections. The malware is a possible evolution of poweliks created with the purpose of keeping a low profile: as opposed to previous strains, this one doesn’t seem to take advantage of exploits or UAC bypasses techniques but its effectiveness remains equally high and the detection rate is extremely low. Behavioral analysis proves to be extremely effective against this type of threat, keeping the endpoints protected in the timeframe required by the AV companies to correctly identify it."

    Only top 5 on VirusTotal detected it. Only part of article posted here.
     
    Last edited: Sep 21, 2015
  15. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,138
    Would MBAE protect against this?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Will protect if it came through an exploit, I guess.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
The advantage of layers. In this case with NVT ERP, it's added as an advanced app, so any time it runs there is an alert that it is trying to run.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Peter, ERP will not stop it I guess.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes, Angler EK.

First, it is an exploit. So the best protection is to make sure your OS and Internet facing apps are always updated with the latest patches. Then, the simplest way for most folks is just to use one of the anti-exploit products out there if your AV solution does not have exploit protection.

Fileless malware is not a recent phenomenon. It has been around since 2008 or earlier when the reflective dll injection technique was developed. Also fileless is somewhat of a misnomer. All malware has a payload it downloads. It uses that payload to inject from its memory into another process's memory.

Now let's look at Angler specifically. This Sophos article on it is a good read: https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/ . As noted in this article and excluding the web site hijacks and redirects, what starts off the whole process is a javascript execution by wscript.exe. So if you follow Webroot's advice that was noted in a prior posting and disable wscript.exe, the malware is foiled at that point. I prefer to use HIPS rules to monitor wscript.exe; at least for the present time.

    Next, from the top link you posted is a comment by Malwarebytes:

David Sanchez (Malwarebytes) figured out that the payload is hooking kernel32!ExitProcess, explaining why Iexplore was still loaded when the browser was closed.
    So HIPS rules to prevent hooking and event interception in the browser will prevent that. And finally, a good HIPS with a rule to detect browser process modification will stop any memory injection attempts.

Since I use Eset, my HIPS rules are just fallback protection against anything its memory and exploit protection doesn't catch. Most of that protection is scanning at the network level. So there is always the chance something can slip past it; especially since Angler is now sandbox aware.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hey, let me say it again. Eset or any other HIPS will not detect these injections. I tried it personally. If you can show me an interception, only then I can believe.

    I am not an expert but there is something special about these in memory injections. They are not intercepted by classical HIPS unless somebody specially makes a HIPS that has the capability to intercept these. To my knowledge, there is none so far.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
New Poweliks
    "doesn’t seem to take advantage of exploits or UAC bypasses techniques but its effectiveness remains equally high and the detection rate is extremely low"

    I have asked mods permission to post link of how it was analyzed but they have not contacted me as of yet.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Well, it worked for me. Did you create specific ESET HIPS rules for your browser? In this link: https://www.wilderssecurity.com/threads/mrg-effitas-online-banking-browser-security-q2-2015.378862/ I posted a reference where you can download the payload and reflective dll you can use for testing. OK, I just ran the payload again to inject my browser with the reflective .dll and below is the screenshot:

[screenshot: inject_test_09212015.png]
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Dear this dll injection is intercepted by all HIPS but fileless malware injection is NOT. Don't mix the two.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Poweliks is "fileless" malware since it runs all its code from the registry. It does not do any memory injection by itself. If it's coupled with an exploit, then it can inject memory of course.

-EDIT- If you're infected with Poweliks, there is no way to prevent it from running. If you delete its registry keys, it will just recreate them. It stores an encrypted registry key to do this. The only way to remove it is with one of the AV cleaners for it.

Broadly speaking for those who haven't read the posted links on it, Poweliks creates registry keys to start rundll32.exe and run a java or Powershell script.

    Again you want to prevent its installation by monitoring the registry keys it uses to install itself.
     
    Last edited: Sep 21, 2015
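A read-only audit of the registry locations itman lists in post #2, looking for the launch pattern post #24 describes (an autorun or COM server value that starts rundll32.exe or a script engine), as an added example that is not code from the thread or from any vendor. It assumes an elevated Windows PowerShell 5.1 session on Windows 7 or later; the regex is my own heuristic, not a published signature, and matching entries are things to review, not verdicts.

```powershell
# Added example, not from the thread: read-only audit of the Run and CLSID keys
# named in the thread for values that launch rundll32.exe or a script engine.
# Assumption: elevated Windows PowerShell 5.1; the regex below is a heuristic.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
    'HKCU:\Software\Classes\CLSID'
)
# Launchers and script engines that rarely belong in an autorun or COM server value.
$ScriptLauncher = 'rundll32|javascript:|vbscript:|powershell|mshta|wscript|cscript'

function Get-SuspiciousRunValue {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match $ScriptLauncher) {
                [pscustomobject]@{ Location = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Get-SuspiciousClsidServer {
    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # A CLSID names its server in an InprocServer32 or LocalServer32 subkey's default value.
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            foreach ($sub in 'InprocServer32', 'LocalServer32') {
                $server = Get-ItemProperty -LiteralPath "$($_.PSPath)\$sub" -ErrorAction SilentlyContinue
                if ($null -eq $server) { continue }
                $path = [string]$server.'(default)'
                if ($path -match $ScriptLauncher) {
                    [pscustomobject]@{ Location = $_.PSPath; Name = $sub; Data = $path }
                }
            }
        }
    }
}

Get-SuspiciousRunValue    | Format-Table -AutoSize
Get-SuspiciousClsidServer | Format-Table -AutoSize
```

The CLSID walk touches every registered class and can take a minute; legitimate rundll32 autoruns will also show up, so compare hits against a known-clean export of the same keys.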
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I give up ......................
     