Fileless malware is relatively rare, but it is a real thing. It gets its name from leaving no files on disk. Instead, it uses a variety of tricks to stay resident in memory and to run tools that already exist on the machine. Often it uses a tool such as PowerShell to coordinate the attack, together with a Meterpreter payload whose in-memory DLL injection stagers set up further attacks.
Known Fileless Malware Families
Two malware families discussed here were known to have used this technique:
Poweliks is thought to be the first malware to employ this technique using PowerShell. Discovered in 2014, it evolved from a file-based threat, known as Wowliks, into a registry-based version. Poweliks installs itself solely in the registry and writes no files to disk, which in effect evades traditional antivirus (AV) solutions that require a file to inspect.
Installation starts by checking whether Windows PowerShell is present on the system and downloading it if needed (Figure 1). It then installs PowerShell silently so as not to raise suspicion (Figure 2).
Figure 1. Checking Windows PowerShell Installation
Figure 2. Silent Install of PowerShell
Poweliks Persistence Mechanism
Figure 4. Autorun Entry.
The second stage invokes PowerShell to decrypt a (Read more...)
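Because Poweliks lives only in the registry, the artefact worth pulling from a suspect host is the autorun key itself rather than a file. The script below is an added example (not code from the Cylance post, and not a Poweliks signature): it parses a `reg export` dump and flags string values that launch PowerShell hidden or with an encoded command, read their payload back out of the registry the way a second stage would, or use a control character as the value name. The sample export, the value names, the base64 blob and the `HKCU:\Software\Classes\Blob` location are all constructed for the example and are not real Poweliks indicators; the checks are generic autorun triage heuristics.

```python
"""Offline triage of a `reg export` dump for registry-resident (fileless) persistence.

Added example, not Cylance's or Poweliks' code: parses the REG_SZ values of a
.reg export and flags autorun commands that launch PowerShell hidden/encoded,
pull a payload back out of the registry, or hide behind an unprintable name.
"""
import re
from pathlib import Path

# Constructed sample standing in for the output of
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# Every entry here is hypothetical; none is a real Poweliks artefact.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
"{CTRL}"="powershell -w hidden -c \"iex (gp 'HKCU:\\Software\\Classes\\Blob').Stage2\""

[HKEY_CURRENT_USER\Software\Classes\Blob]
"Flags"=dword:00000001
"Stage2"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,00,\
  40,00,00,00
'''.replace("{CTRL}", "\x01")  # value name that is a bare control character

_KEY = re.compile(r"^\[(.+)\]$")
# `"name"=data` or `@=data`; the name may contain escaped quotes/backslashes
_VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, name, data) for every REG_SZ value; dword/hex values are skipped."""
    text = text.lstrip("\ufeff")  # reg export writes a UTF-16 BOM
    text = text.replace("\\\r\n", "").replace("\\\n", "")  # rejoin wrapped hex lines
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if not (m and key):
            continue
        name = _unescape(m.group(1) or "")
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            yield key, name, _unescape(data[1:-1])


# Generic heuristics for a registry-only autorun; labels are returned as reasons.
CHECKS = [
    ("PowerShell launched hidden or with profile/policy bypass",
     re.compile(r"powershell(?:\.exe)?\b.*?\s-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile"
                r"|ep\s+bypass|executionpolicy\s+bypass)", re.I)),
    ("encoded PowerShell command",
     re.compile(r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("payload read back out of the registry",
     re.compile(r"Get-ItemProperty|\bgp\b|\breg(?:\.exe)?\s+query\b|\bHK(?:CU|LM|CR|U|CC)\b|HKEY_", re.I)),
    ("script-engine LOLBin launcher",
     re.compile(r"\bmshta(?:\.exe)?\b|\brundll32(?:\.exe)?\s+javascript:|\bregsvr32(?:\.exe)?\b.*?/i:", re.I)),
]


def triage(text: str):
    """Return [(key, name, [reasons])] for every string value that trips a check."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        if any(ord(c) < 32 for c in name):
            reasons.append("value name contains control characters")
        reasons += [label for label, rx in CHECKS if rx.search(data)]
        if reasons:
            findings.append((key, name, reasons))
    return findings


def triage_file(path: str):
    """Triage a real export; reg export writes UTF-16LE with BOM, which the codec strips."""
    return triage(Path(path).read_text(encoding="utf-16"))


if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE_REG):
        print(f"{key}\\{name!r}: {', '.join(reasons)}")
```

On a Windows host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` produces the UTF-16 file that `triage_file` reads; the same parse applies to RunOnce and the HKLM equivalents. Treat hits as leads rather than verdicts: a legitimate installer may also pass `-w hidden`, and a value that merely reads the registry matters mainly in combination with a hidden PowerShell launch.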
This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog