The rise of fileless malware presents forensic investigators with a major stumbling block. Fileless malware is a variant of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, except within memory, and yet only to the trained eye.
This malware depends on tools that are part of an employee’s daily workflow. It is stealthy and uses legitimate tools, making thus making it incredibly difficult to blocklist the tools used in a fileless attack. These tools are trusted and frequently used. Fileless malware has been effective to evade all but the most sophisticated security solutions.
An IT manager of a global company in Asia identified anti-virus alerts triggered on several computers and servers. It was assumed that the threat was contained. Days later, the network experienced unusual activity and CPU usage hit 100% on several machines, indicating that several machines on the network were unresponsive.
Internal checks conducted identified no threats but isolating machines from the network indicated that no external connections could be made. Anti-virus scans conducted by several tools implied the absence of malware on any of the devices. Yet when the client briefly connected to the internet, further suspicious activity was noticed again.
A scheduled process of tasks was subjected to process hollowing, and the malicious executable escaped from that location. When the power was shut down, all traces of the malware were lost until the persistence mechanism functioned and infected the device again.
Pragma was instructed to assist the client and investigate the matter. Within hours, our specialist incident responders attended the site to conduct analysis, obtain memory dumps of live machines, and acquire disk images of affected machines. The fact that the devices remained on power but were isolated from the network, allowed Pragma to maximise the evidence available and investigate the activity through complex memory forensic techniques.
The detailed memory forensic analysis techniques utilised identified several suspicious processes running on the machine. Further investigation identified that the victim company’s devices had been infected with fileless malware, which left no trace on the machines’ hard drive and was unrecognised by the well-respected anti-virus tool used to protect the network.
Extracting the executable process from memory, it was identified that the victim had been infected with cryptocurrency miner malware. This meant that the victim’s computers were being used to carry out complex calculations and verify cryptocurrency transactions leaving several devices unresponsive. This process uses a significant amount of power and causes disruption and a substantial increase in costs to the client.
The threat actor used substantial anti-forensic techniques to conceal their activity, but it was identified that lateral movement was achieved through exploiting the eternal blue vulnerability in various windows machines.
It was identified that the threat actor had accessed the network and placed a hidden method of persistence, which caused each infected machine to run a base64 encoded PowerShell script that resulted in communicating with malicious command and control servers. This further resulted in remotely executing PowerShell scripts to rerun the crypto miner malware on the affected devices.
Fileless malware can remain largely undetected because it is memory-based and not file-based. The situation varies depending upon the anti-virus you use, but often you can be vulnerable to similar attacks, and full scans of your device will show no indication of infection because they scan for malicious files only.
Often fileless attacks use social engineering to get users to click on a link or attachment in a phishing email. Organisations need to maintain a clear line of communication and ownership to protect the business environment. Therefore, it is important to educate your workforce. This includes educating employees about Phishing, Social Engineering, and strict controls on the quarantining of suspicious email attachments, etc.
Although it is not always possible to stay safe from such threats in a business environment, there are ways to limit the success of fileless malware:
Have you noticed any unusual computer activity? Are you experiencing a suspicious spike in internet traffic? Have you observed unusual messages pop up unexpectedly? These are just a few signs to watch out for. But if you answered any of the above questions with a Yes, you need to reach out to an expert.
Pragma is a cybersecurity consultancy with global headquarters in Singapore, Australia, Vietnam and the UK. Our strong partnerships and investment in an experienced team are demonstrated in these four solutions; Cyber and Regulatory Consultancy, Incident Response, Cloud Security and Security Testing.