Network traffic analysis for IR: Analyzing fileless malware

Introduction to fileless malware

Fileless malware is malware authors’ response to traditional malware identification and analysis techniques. Many antiviruses operate by using signature-based analysis to identify malicious files on a computer. By ensuring that a malicious file is never saved on the filesystem, malware authors can make their attacks much more difficult to detect and remediate using traditional analysis techniques.

Malware authors can avoid writing their malicious code to the filesystem in a variety of different ways. Some malware “lives off the land” by using functionality built into legitimate Windows programs. Tools such as PowerShell on Windows have a great deal of power and the functionality desired by hackers. The ability to execute PowerShell commands on a computer is as good as, if not better than, dropping and running a malicious executable on the machine.

DevOps Connect:DevSecOps @ RSAC 2022

Other options include the use of DLL injection and similar techniques that insert malicious code into a legitimate process. Reflective DLL injection can accomplish this without saving a file to the filesystem, making the malware harder to analyze.

Regardless of the method used to make malware fileless, the important information about the attack is stored in network logs. Many fileless malware infections are implemented as multi-stage malware, where a Trojan (like a malicious Word document) is used to infiltrate the system and later downloads the malicious code to be injected into a running process. The ability to extract this downloaded malware from packet captures can be invaluable for incident response.

Extracting files from packet captures

The ability to examine malicious code is often a critical step in digital forensics and incident response. Being able to examine the code and configuration information of a malware sample can help to determine the intended functionality of the malware or determine how to interpret command-and-control traffic in order to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: