Threat Spotlight: The Truth About Fileless Malware


Fileless malware is relatively rare, but it is a real thing. It gets its name from not leaving files on disk. Instead, it uses a variety of tricks to stay memory resident and to run tools that already exist on the machine. Often it uses a tool like PowerShell to coordinate the attack, together with a Meterpreter payload whose in-memory DLL injection stagers set up additional attacks.

Known Fileless Malware Families

Two malware families discussed here were known to have used this technique:

Poweliks Malware

Poweliks malware is thought to be the first to employ this technique using PowerShell. Discovered in 2014, Poweliks evolved from a file-based threat, known as Wowliks, to a registry-based version. This malware solely installs itself into the registry, leaving no files written on the disk. This in effect evades traditional antivirus (AV) solutions that require a file to inspect.

Installation includes checking whether Windows PowerShell is installed on the system and downloading it if needed (Figure 1). It then installs PowerShell silently so as not to raise suspicion (Figure 2).

Figure 1. Checking Windows PowerShell Installation

Figure 2. Silent Install of PowerShell

Poweliks Persistence Mechanism

Poweliks malware writes two entries under the registry Run key. The first is encoded JavaScript data written under the (Default) value (Figure 3); the second is the autorun entry that reads and decodes that encoded JavaScript data:

Figure 3. Encoded JavaScript Data.

The autorun entry executes rundll32.exe to load mshtml.dll, a legitimate Windows file, and calls RunHTMLApplication (Figure 4). The invoked function interprets the inline JavaScript code stored in the registry key. That code decrypts the encoded data (Figure 5), which becomes the second-stage JavaScript code:

Figure 4. Autorun Entry.

Figure 5. 1st Stage Decoded JavaScript Code
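The two registry artifacts described above, a populated (Default) value under a Run key and an autorun command that has rundll32 load mshtml and call RunHTMLApplication, are both hunt-worthy on their own. The scanner below is an added example written for this article, not Cylance's code or part of the original post; the Run-key contents it checks are constructed sample data, with a placeholder in place of any real encoded script.

```python
import re
from dataclasses import dataclass, field

# Poweliks-style autorun: rundll32 loading mshtml and invoking RunHTMLApplication
MSHTML_AUTORUN = re.compile(r"rundll32(?:\.exe)?.*mshtml.*RunHTMLApplication", re.I | re.S)
# A javascript: URI has no business in a Run-key command line
JS_SCHEME = re.compile(r"javascript:", re.I)

@dataclass
class Finding:
    key: str
    name: str
    reasons: list = field(default_factory=list)

def scan_run_values(run_keys):
    """run_keys maps a Run-key path to its {value_name: value_data} entries.

    Returns one Finding per suspicious value, listing every rule it tripped.
    """
    findings = []
    for key, values in run_keys.items():
        for name, data in values.items():
            reasons = []
            # Run keys normally have no (Default) data at all; Poweliks stores its payload there
            if name == "(Default)" and data.strip():
                reasons.append("non-empty (Default) value under a Run key")
            if MSHTML_AUTORUN.search(data):
                reasons.append("rundll32 loads mshtml and calls RunHTMLApplication")
            if JS_SCHEME.search(data):
                reasons.append("javascript: URI in autorun command")
            if reasons:
                findings.append(Finding(key, name, reasons))
    return findings

# Constructed sample Run-key contents (not taken from a real system or from the post)
SAMPLE_RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r'"C:\Program Files\ExampleVendor\updater.exe" /background',
        "(Default)": "CONSTRUCTED_ENCODED_BLOB_PLACEHOLDER",
        "a": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<inline-script-placeholder>',
    },
}

if __name__ == "__main__":
    for f in scan_run_values(SAMPLE_RUN_KEYS):
        print(f"{f.key}\\{f.name}: " + "; ".join(f.reasons))
```

On a live host the same checks can be fed from a .reg export or a registry-walk of the HKCU and HKLM Run keys; the benign "Updater" entry shows the rules do not fire on an ordinary quoted executable path.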

The second stage invokes PowerShell to decrypt a (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Threat Guidance Team. Read the original post at: