Fileless malware: Invisible threat or scaremongering hype?

Discussion in 'malware problems & news' started by Minimalist, Nov 17, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://blog.emsisoft.com/2017/11/17/fileless-malware-attacks/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Emsisoft "dropped the ball" on the PowerShell recommendation. That will only disable PowerShell 2.0. Only applicable if you're using Win 7 and haven't downloaded a later ver. of PowerShell. Win 7 is the only Win ver. that uses PowerShell 2.0 as the "internal" ver. of PowerShell. Also, PowerShell 2.0 is disabled by default in Win 10 CEF.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I agree with the fact that "file-less" attacks are a sneaky and serious threat, but far from unstoppable. And I don't expect to see them being used in attacks on home-users. Most malware like banking trojans, ransomware and keyloggers will remain file-based.
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Fileless malware attack sources can be webpages; that means it will be used on potentially anyone whose system is vulnerable to it.
     
  5. guest

    guest Guest

    but most exploits use v2.0 because it is so permeable that not using it would be a crime :p
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, it is the reverse.

    When malware runs a PowerShell script, it uses the internal ver. of PowerShell installed. The only exception is when the malware specifically codes that PowerShell 2.0 is used. This method is not the norm. Additionally, if malware uses a .bat script, for example, that is coded as powershell.exe -nop etc., it will use the internal version of PowerShell.

    Actually, malware will download PowerShell 2.0 to some directory and run it there if the attacker decides to use it and it is not installed.

    If you totally want to stop PowerShell 2.0 use, uninstall .Net 2.0, since it is required to run PowerShell 2.0. Folks that use VoodooShield can't do that since it uses .Net 2.0 :rolleyes:
     
  7. plat1098

    plat1098 Guest

    What makes this a little better is that Powershell 2.0 is out in the Fall Creators Build, having been replaced w/PS 5.0. So those of us on the latest Windows 10 bought ourselves some time there, right?

    Edit: oops, I see you'd already stated that, apologies @itman. :blink:
     
    Last edited by a moderator: Nov 19, 2017
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yes and no.

    By default, .Net 2.0 and 3.5 are not installed in Win 10 CE and CEF. However, and most important, if an app requires either of the previously noted .Net versions, Windows will automatically install the .Net version required. o_O So if you install something like VoodooShield, .Net 2.0 will be auto-installed. As noted previously, with .Net 2.0 installed, malware can download PowerShell 2.0 and run it.
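    Posts 2, 6 and 8 turn on one question: is the PowerShell 2.0 engine present and usable on a given Windows 10 host? The script below is an added example (not code from the thread, from Emsisoft or from VoodooShield) that answers it in three ways: the DISM optional-feature state of the v2 engine and of .NET 3.5 (NetFx3, which supplies the CLR 2.0 the v2 engine needs), a functional downgrade probe, and an optional removal. It assumes Windows 8.1/10 with the DISM cmdlets, an elevated prompt, and the placeholder file name Check-PSv2.ps1.

```powershell
# Added example (not code from the thread or from Emsisoft): audit the PowerShell 2.0
# engine on a Windows 8.1/10 host and optionally remove it. Assumes the DISM
# cmdlets (Get-/Disable-WindowsOptionalFeature) are available and that the script
# runs from an elevated prompt. The script name Check-PSv2.ps1 is a placeholder.
#   .\Check-PSv2.ps1             report only
#   .\Check-PSv2.ps1 -Disable    also turn the v2 engine off
[CmdletBinding()]
param([switch]$Disable)

# 1. Which engine is this session actually running on?
Write-Host ("Current engine: PowerShell {0}" -f $PSVersionTable.PSVersion)

# 2. Optional-feature state of the v2 engine and of .NET 3.5 (NetFx3 hosts the
#    CLR 2.0 that the v2 engine needs; without it -Version 2 cannot start).
foreach ($name in 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2', 'NetFx3') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name
    Write-Host ("{0,-34} {1}" -f $name, $f.State)
}

# 3. Functional test: does an explicit downgrade succeed? A launcher that runs
#    'powershell.exe -Version 2 ...' to stay out of the v5 script block log
#    depends on this working.
$probe = & powershell.exe -NoProfile -NonInteractive -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>&1
if ("$probe".Trim() -eq '2') {
    Write-Warning 'Downgrade to the v2 engine works on this host.'
} else {
    Write-Host "v2 downgrade refused (good): $probe"
}

# 4. Remediation: remove the v2 engine feature (no reboot is normally needed).
if ($Disable) {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    Write-Host 'PowerShell 2.0 engine feature disabled; re-run this script to confirm.'
}
```

    The probe in step 3 is the check that matters: the feature state tells you what DISM thinks, but only a real `-Version 2` launch tells you whether a downgrade would work for an attacker. When NetFx3 is absent the probe fails with the .NET 2.0.50727 "not installed" error even if the v2 feature flag is still enabled.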
     
  9. guest

    guest Guest

    And we just talk about one interpreter (powershell), fileless malware can be set to use others...
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  11. guest

    guest Guest

    yes, Mimikatz is way too famous, and considered a high-class credential stealer with various powerful capabilities; its author is a French researcher who was "forced" to release the code publicly after he caught a Russian spy breaking into his hotel room, trying to bypass his laptop login password, before a conference where the researcher was supposed to present Mimikatz...
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Fileless Malware on the Rise, Becoming Top Endpoint Threat
    https://www.infosecurity-magazine.com/news/fileless-malware-on-the-rise/
     
  13. guest

    guest Guest

    I'm not surprised at all; fileless malware isn't new, it just became more popular.
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Fileless Malware: Attack Trend Exposed
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, interesting stuff. Will do some reading, it seems to be one of the most clear and easy to understand articles about this subject.
     
  16. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Fileless Malware Demystified

    https://youtu.be/atL1WmmMJJw
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Fileless Malware: Not Just a Threat, but a Super-Threat
    https://www.darkreading.com/vulnera...r&hootPostID=c8f1bad90e4194e568d18314f92096bf
     
  18. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I stopped reading here :thumbd::

    The scaremongering hype is so real ...
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    It's a hypey name - fileless. For that matter, you can load any which script into memory and then delete the object on the disk.
    Mrk
     
  20. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    To qualify as fileless malware, or by its proper name, Advanced Volatile Threat (AVT), it does not need to access the hard drive at all.
    So it might be scripts executed from macros in documents on portable media that then reside in memory and perhaps would infect other portable media or whatever.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Fileless malware also includes anything running from the registry, WMI, etc. Servers are currently getting hammered by brute-force RDP attacks. The attackers' preferred method of establishing persistence once they have gained system access is to create a WMI consumer event that runs PowerShell, which employs .Net assemblies to establish communication with their remote C&C servers. A recent TechNet posting I was reading noted that the poster was bewildered by the fact that PowerShell was being used this way since he had set up a GPO to block it. Well, as it turns out, when the attackers create the persistent WMI consumer event they are using cmd.exe to start PowerShell, thereby bypassing any GPO restrictions on it.
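    The persistence described in the post above lives in three WMI objects in the root\subscription namespace: an __EventFilter (the WQL trigger), an __EventConsumer (the payload, for example a CommandLineEventConsumer running cmd.exe /c powershell ...) and a __FilterToConsumerBinding tying them together. The script below is an added example, not code from the thread or from the TechNet posting it mentions, that lists every binding on a host and flags payloads containing cmd.exe or powershell launchers. It assumes rights to read root\subscription (local admin, WinRM for a remote host) and the placeholder file name Find-WmiPersistence.ps1; the "suspicious" regex is an assumption you should tune to your estate.

```powershell
# Added example (not code from the thread): enumerate WMI permanent event
# subscriptions, the persistence mechanism described in the post above, and flag
# bindings whose consumer launches cmd.exe or powershell.exe. Assumes rights to
# read root\subscription (local admin; WinRM when a remote host is given).
# The file name Find-WmiPersistence.ps1 is a placeholder.
#   .\Find-WmiPersistence.ps1                      local host
#   .\Find-WmiPersistence.ps1 -ComputerName srv01  remote host over WinRM
[CmdletBinding()]
param([string]$ComputerName)

$cim = @{ Namespace = 'root\subscription' }
if ($ComputerName) { $cim.ComputerName = $ComputerName }

# Filter = WQL trigger (timer, boot, process start...), consumer = payload,
# binding = the link between them. Persistence needs all three to exist.
$filters   = Get-CimInstance @cim -ClassName __EventFilter
$consumers = Get-CimInstance @cim -ClassName __EventConsumer   # base class: returns every consumer type
$bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

# Reference properties come back as CIM instances (CIM cmdlets) or as object
# paths (legacy Get-WmiObject); pull the Name key out of either form.
function Get-RefName($ref) {
    if ($ref -is [string]) { return [regex]::Match($ref, 'Name="([^"]+)"').Groups[1].Value }
    return $ref.Name
}

# Payload patterns worth a second look (assumption: tune for your environment),
# including the cmd.exe -> powershell.exe wrapper mentioned in the post above.
$pattern = 'cmd(\.exe)?\s|powershell|pwsh|-enc|-nop|-w(indowstyle)?\s+hidden|FromBase64String|DownloadString|IEX'

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer
    # carries ScriptText; log/SMTP consumers have neither.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { '<no command payload>' }

    [pscustomobject]@{
        Computer     = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Filter       = $fName
        Query        = $f.Query
        ConsumerType = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }
        Consumer     = $cName
        Payload      = $payload
        Suspicious   = [bool]($payload -match $pattern)
    }
}
```

    Pipe the output to Format-List for the full WQL query and payload text; on a clean client the list is usually empty or contains only the vendor-installed entries you already know about. Because this walks the objects rather than a process list, a consumer that launches cmd.exe first is as visible as one that launches powershell.exe directly. For continuous coverage, Sysmon event IDs 19, 20 and 21 record the creation of filters, consumers and bindings as it happens; removal is Remove-CimInstance on the binding, then the filter and consumer.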
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    RockLobster, it does not matter how it's loaded into memory. It's still written code = file.
    Whether you load it remotely over the network (rdma) or locally does not really make a difference.
    Mrk
     
  23. guest

    guest Guest

    Exactly. The code doesn't appear magically in the system; it needs a vector which can be monitored.
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    That's true but I don't know of any AV that would be constantly scanning memory for malware. Usually you can set it up to scan it during on demand scan, but scanning it all the time would probably make computing really slow.
     
  25. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    The term fileless is not used in the context of this type of malware to imply the code was never created as a file, it means, it doesn't reside on the victims computer, as a file.
     