Fileless malware is relatively rare, but it is a real thing. It gets its name by not leaving files on disk. Instead, it uses many interesting tricks to stay memory resident and execute commands that already exist on the machine. Often, it uses a tool like PowerShell to coordinate attacks and the use of a meterpreter payload that uses in-memory DLL injection stagers to set up additional attacks.
Two malware families discussed here were known to have used this technique:
Poweliks malware is thought to be the first to employ this technique using PowerShell. Discovered in 2014, Poweliks evolved from a file-based threat, known as Wowliks, to a registry-based version. This malware solely installs itself into the registry, leaving no files written on the disk. This in effect evades traditional antivirus (AV) solutions that require a file to inspect.
Installation includes checking whether Windows PowerShell is installed in the system and downloads it if needed (Figure 1). It then installs PowerShell silently so as not to raise suspicion (Figure 2).
Figure 1. Checking Windows Powershell Installation
Figure 2. Silent Install of Powershell
Figure 4. Autorun Entry.
The second stage invokes PowerShell to decrypt a DLL and injects it into a process to stay memory-resident, leaving no file written on the disk (Figure 6).
Kovter is another malware that was seen to use a similar technique starting in May 2015, with few improvements.
Recently, Kaspersky reported an incident where 140 enterprises worldwide - including those in the banking sector - were hit by fileless malware. It wasn’t mentioned how the malware gets into the system, but the researchers were able to find Meterpreter code in the memory.
Malicious code was also found in the registry that runs PowerShell script to allocate memory, resolves API and downloads Meterpreter utility directly into the memory. It also used tunneling to enable the attacker to control the compromised computer remotely, achieved with the use of Windows standard utilities netsh and sc.
This type of attack does not leave any files on the disk, as they were all injected straight into the memory. The approach taken by Kovter, Poweliks and the one described by Kaspersky can be generalized into an attack chain (Figure 7):
Figure 7. Fileless Malware Attack Chain
Fileless malware will continue to evolve and is here to stay. It will only get more prevalent with the availability of open source tools. As a result, security solutions are now required to go beyond file detection and deploy a more robust layered protective solution that will counter and mitigate all types of attacks.