Fileless Attacks

New Reference

  • https://www.varonis.com/blog/understanding-malware-free-hacking-part/

Summarized References

  • https://blog.minerva-labs.com/deconstructing-fileless-attacks-into-4-underlying-techniques

Figure (image from the Minerva Labs post above): the four underlying techniques of fileless attacks.

Malicious Documents

  • New Evasive Malware Technique exploits Microsoft Dynamic Exchange (DDE): https://blog.minerva-labs.com/prevented-by-minerva-labs-new-evasive-malware-technique-exploits-microsoft-dynamic-exchange
  • Dynamic Data Exchange (DDE) allows adversaries to deliver stealthy payloads via document files while avoiding the commonly monitored use of macros.
  • https://blogs.quickheal.com/emerging-trend-dde-based-office-malware-analysis-quick-heal-security-labs/
  • https://blog.barkly.com/locky-ransomware-using-microsoft-office-dde-exploit
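The DDE technique above lives in a document's field codes rather than in a macro, so a defender's check is to look at the field instructions inside the Office Open XML package. The scanner below is an added example, not code from this page or from any of the vendors linked here. It assumes Word stores field instructions in `word/*.xml` as `<w:instrText>` runs (which may be split across several runs) or in the `w:instr` attribute of `<w:fldSimple>`, and that a DDE field begins with the keyword `DDE` or `DDEAUTO`; the sample document it builds is constructed in memory with placeholder field arguments.

```python
"""Scan Office Open XML documents for DDE field codes (added example).

Assumptions (not from the page): field instructions live in word/*.xml as
<w:instrText> runs or as the w:instr attribute of <w:fldSimple>; a DDE field
starts with the keyword DDE or DDEAUTO. The sample document is constructed.
"""
import io
import re
import zipfile

_PARAGRAPH_RE = re.compile(r"<w:p[ >].*?</w:p>", re.S)
_INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
_FLDSIMPLE_RE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"', re.S)
_DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.I)


def _paragraph_field_codes(xml: str) -> list[str]:
    """Return one joined field instruction per paragraph.

    Word lets a single instruction span several instrText runs ("DDE" in one
    run, "AUTO ..." in the next), so the runs of a paragraph are concatenated
    before any keyword check; otherwise a split keyword would be missed.
    """
    codes = []
    for para in _PARAGRAPH_RE.findall(xml):
        runs = _INSTR_RE.findall(para)
        if runs:
            codes.append(" ".join("".join(runs).split()))
        for instr in _FLDSIMPLE_RE.findall(para):
            codes.append(" ".join(instr.split()))
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return every field instruction in the document that starts a DDE field."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        parts = [n for n in zf.namelist()
                 if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            xml = zf.read(name).decode("utf-8", errors="replace")
            found.extend(c for c in _paragraph_field_codes(xml) if _DDE_RE.search(c))
    return found


def build_sample_docx(field_runs: list[str]) -> bytes:
    """Construct a minimal .docx in memory (constructed test input, not a real
    document) whose third paragraph holds one complex field split over the
    given instrText runs; the second paragraph holds a benign PAGE field."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{t}</w:instrText></w:r>'
        for t in field_runs)
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body>'
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
        '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'{runs}'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Keyword split across two runs, with placeholder arguments.
    suspicious = build_sample_docx(["DDE", "AUTO placeholder_server placeholder_topic"])
    print(find_dde_fields(suspicious))   # one DDEAUTO field reported
    print(find_dde_fields(build_sample_docx(["PAGE"])))  # nothing reported
```

The joined-run handling is the part worth keeping: a scanner that tests each `instrText` run on its own never sees the keyword when it is split, which is the same evasion the split-run sample exercises.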

Malicious Scripts

  • Commonly abused script hosts: powershell.exe, cscript.exe, cmd.exe and mshta.exe
  • Windows Subsystem for Linux introduces more script support
  • Evading PowerShell detection: https://blog.minerva-labs.com/confronting-snake-oil-sales-tactics-in-endpoint-security
  • If the attacker places a malicious script under the path %USERPROFILE%\profile.ps1 and starts PowerShell ISE, the script will be executed without powershell.exe being involved
  • Bypass execution policy: HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - set the registry value ExecutionPolicy to Unrestricted.
  • Invoke-NoShell
    • 12 different evasive document permutations
  • Invoke-Obfuscation
  • Invoke-DOSfuscation
    • Emotet’s script obfuscation: https://blog.minerva-labs.com/the-emotet-grinch-is-back

Living off the Land

  • regsvr32.exe, rundll32.exe, certutil.exe and schtasks.exe.
  • Living Off The Land Binaries and Scripts: https://github.com/LOLBAS-Project/LOLBAS
  • Abusing WMI to Build a Persistent, Asynchronous, and Fileless Backdoor: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
  • APT29’s use of WMI and PowerShell to plant fileless backdoors: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
  • Reference: https://liberty-shell.com/sec/2018/10/20/living-off-the-land/

Malicious Code in Memory

  • Memory injection - VirtualAllocEx and WriteProcessMemory, which allow one process to write code into another process. Overview of the AZORult attack: https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers
  • Wrap compiled executables into scripts that extract malicious payload into memory during runtime.
  • PowerSploit: https://github.com/PowerShellMafia/PowerSploit
    • GhostMiner analysis: https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless
  • Veil Framework: https://www.veil-framework.com/
  • Process Doppelgänging - attacker misuses NTFS transaction capabilities built into Microsoft Windows to temporarily modify a trusted file in memory without committing changes to disk
  • SynAck malware: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
  • CoffeeShot tool (inject shellcode from Java): https://blog.minerva-labs.com/coffeeshot-avoid-detection-with-memory-injection
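The techniques listed under Malicious Scripts, Living off the Land and Malicious Code in Memory all leave process-level traces even when nothing touches disk: a script host or LOLBin started from an Office application, the ExecutionPolicy registry value being set to Unrestricted, and one process opening another with the access rights that VirtualAllocEx/WriteProcessMemory need, or creating a thread in it. The triage below is an added example, not code from this page or from any tool it links. It assumes Sysmon-style events already parsed into dicts whose keys mirror Sysmon field names (EventID 1 process create, 13 registry value set, 10 process access, 8 remote thread); the events it runs over are constructed, with placeholder paths, not captured telemetry.

```python
"""Triage Sysmon-style events for the fileless techniques above (added example).

Assumptions (not from the page): events are dicts keyed like Sysmon fields;
EventID 1 = process create, 13 = registry value set, 10 = process access,
8 = CreateRemoteThread. The sample events below are constructed.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "powershell_ise.exe", "cscript.exe",
                "wscript.exe", "cmd.exe", "mshta.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "certutil.exe", "schtasks.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.I)

# Win32 process access rights: writing code into another process needs at
# least PROCESS_VM_OPERATION (VirtualAllocEx) and PROCESS_VM_WRITE
# (WriteProcessMemory), so both bits together are the signal.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Event ID 1: script hosts and LOLBins started in a suspicious context."""
    image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
    if image in SCRIPT_HOSTS | LOLBINS and parent in OFFICE_APPS:
        return "office_spawns_script_host"
    if image in LOLBINS and URL_RE.search(ev.get("CommandLine", "")):
        return "lolbin_with_url"
    return None


def check_registry_set(ev):
    """Event ID 13: the PowerShell ExecutionPolicy value being weakened."""
    target = ev.get("TargetObject", "").lower()
    if (target.endswith("\\shellids\\microsoft.powershell\\executionpolicy")
            and ev.get("Details", "").lower() in {"unrestricted", "bypass"}):
        return "execution_policy_weakened"
    return None


def check_process_access(ev):
    """Event ID 10: another process opened with rights needed to write memory."""
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)   # Sysmon logs hex, e.g. 0x1FFFFF
    except ValueError:
        return None
    if (granted & INJECTION_MASK == INJECTION_MASK
            and _base(ev.get("SourceImage", "")) != _base(ev.get("TargetImage", ""))):
        return "process_memory_write_access"
    return None


def check_remote_thread(ev):
    """Event ID 8: a thread created inside a different process."""
    if _base(ev.get("SourceImage", "")) != _base(ev.get("TargetImage", "")):
        return "remote_thread_injection"
    return None


CHECKS = {1: check_process_create, 13: check_registry_set,
          10: check_process_access, 8: check_remote_thread}


def triage(events):
    """Run the matching check for each event; return the findings in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        rule = check(ev) if check else None
        if rule:
            findings.append({"rule": rule, "event": ev})
    return findings


# Constructed sample telemetry (placeholder paths, not a real capture).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe http://placeholder.example/file"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy",
     "Details": "Unrestricted"},
    {"EventID": 10, "SourceImage": r"C:\Users\placeholder\AppData\Local\Temp\stage.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\placeholder\AppData\Local\Temp\stage.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], f["event"].get("EventID"))
```

In production the Event ID 10 and 8 rules need an allowlist for legitimate cross-process writers (debuggers, some endpoint agents), which is deliberately left out here so the rights-mask logic stays visible; the ExecutionPolicy rule matches on the key suffix so it works for both the HKCU view and the HKU\<SID> form that Sysmon records.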