This presentation is based on a sample we found. At first sight it looked like standard fileless cryptocurrency mining malware; looking a bit further, we noted that it had some other tricks up its sleeve.
The presentation starts with an introduction to how fileless malware works and how to detect it, followed by a short introduction to cryptocurrency mining malware and, of course, the analysis of the sample itself.
2. Tearing apart a fileless malware sample
About us
Michel Coene
DFIR and Threat hunting @ NVISO
SANS Instructor development program
@coenemichel
3. Tearing apart a fileless malware sample
What will we talk about today
Introduction
Fileless malware
Cryptocurrency mining malware
Tearing apart a sample!
4. Tearing apart a fileless malware sample
What will we talk about today – Introduction
5. Tearing apart a fileless malware sample
The cyber kill chain
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives
Later slides tag the behaviour being discussed with the kill chain phase it belongs to (Installation, Delivery, Action on Objectives).
6. Tearing apart a fileless malware sample
What will we talk about today – Fileless malware
7. Tearing apart a fileless malware sample
What is fileless malware
Fileless malware is malicious code that exists exclusively in memory and does not write its payload to disk.
Two flavours:
- Non-persistent: lives only in the memory of a running process and is gone after a reboot.
- Persistent: keeps a minimal foothold outside regular files (a registry value, a scheduled task) that relaunches the in-memory payload after a reboot. The registry hive and the task definition do live on disk, but no executable of the malware ever exists as a file for a file scanner to inspect.
9. Tearing apart a fileless malware sample
Combining the best of both worlds
Installation: a persistent trigger (registry run key or scheduled task) starts a small loader that fetches the actual payload from a non-file store (here: a registry value) and runs it in memory, so the malware survives reboots without an executable on disk.
10. Tearing apart a fileless malware sample
How it works – deep dive
Classic malware needs a file on disk, and that file is what AV inspects:
- New process (exe): Win32 CreateProcess reads the executable from disk
- Existing process (DLL): Win32 LoadLibrary reads the DLL from disk
In both cases the AV file-system filter sees every byte being loaded.
11. Tearing apart a fileless malware sample
How it works – deep dive
How does fileless malware work: inject code
- A process is started with Win32 CreateProcess, or an already running one is chosen as host (ex. explorer.exe)
- A custom loader writes the malicious code into that process's memory and runs it there
- Nothing belonging to the malware is loaded from disk by the OS loader, so the file scanner has nothing to look at
12. Tearing apart a fileless malware sample
How it works – deep dive – Fileless code
• The code for fileless malware can take several forms:
  • Shellcode, placed and started with Win32 API calls:
    • VirtualAlloc (reserve executable memory)
    • WriteProcessMemory (copy the code into the target process)
    • CreateThread / CreateRemoteThread (start executing it)
  • DLL, loaded without the OS loader:
    • Custom loader
    • Reflective loader (the DLL maps itself into memory)
  • …
• Advantages of coding a DLL
  • Many powerful development tools (Visual Studio)
  • Reusing code
13. Tearing apart a fileless malware sample
How it works – deep dive - PowerShell
• PowerShell is a very powerful scripting language with access to
  • the Win32 API (through .NET interop)
  • the .NET Framework
  • ActiveX / COM
  • …
• Facilitates administration of Windows (legitimate, signed application, installed by default)
• So versatile and powerful that it is often used as loader and host for fileless malware:
  • powershell -Command … (the script is passed on the command line, nothing on disk)
  • powershell -EncodedCommand … (same, but the script is passed as Base64 of its UTF-16LE bytes, which also hides it from a casual look at the command line)
14. Tearing apart a fileless malware sample
How it works – deep dive - PowerShell
Diagram: PowerShell script → loads a library → runs .NET code
15. Tearing apart a fileless malware sample
How it works – deep dive - PowerShell
Diagram: encoded command → PowerShell script → loads a library → runs .NET code
16. Tearing apart a fileless malware sample
How to detect?
No files you say?
21. Tearing apart a fileless malware sample
How to detect?
- Hunt for suspicious registry run keys and scheduled tasks: the persistence foothold is the one part that must survive outside memory
- Behaviour-based detection: judge what a process does, not which file it came from
- Look for known IOCs:
  - C2 traffic
  - Specific registry keys
  - Specific scheduled tasks
- Prevent known malicious items from entering your environment
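As an added example (not part of the original slides), a small hunting script for the two detection ideas on slides 13 to 15 and 21: it scans persistence entries (run-key values and scheduled-task actions) for PowerShell started with -EncodedCommand, decodes the Base64/UTF-16LE script, and scores the decoded script for the loader primitives listed on slide 12 (Add-Type, VirtualAlloc, CreateThread, a payload read from the registry). The entries, key paths and scripts below are constructed for the example; the sample's own encoded command is not reproduced.

```python
"""Hunt persistence entries for encoded PowerShell loaders (added example, constructed data)."""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts -EncodedCommand and its prefixes (-e, -ec, -en, -enc, ...); the blob follows it.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
# Flags that hide the window / skip profiles: common on malicious command lines.
STEALTH_FLAGS = re.compile(r"(?i)(?<!\S)-(?:w(?:indowstyle)?\s+hidden|nop|noni)")

# Strings in the decoded script that point at the loader techniques on slide 12.
INDICATORS: Dict[str, str] = {
    "Add-Type": "compiles C#/P-Invoke wrappers to reach the Win32 API",
    "VirtualAlloc": "allocates (executable) memory for injected code",
    "WriteProcessMemory": "copies code into another process",
    "CreateRemoteThread": "runs code inside another process",
    "CreateThread": "runs the injected code",
    "FromBase64String": "decodes an embedded or registry-stored payload",
    "[Reflection.Assembly]::Load": "loads a .NET assembly straight from memory",
    "HKLM:": "reads a payload stored in the registry",
    "HKCU:": "reads a payload stored in the registry",
}


def encode_command(script: str) -> str:
    """What -EncodedCommand expects: Base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an -EncodedCommand blob, else None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not a real blob, or truncated as in a log excerpt
        return None


def analyze(cmdline: str) -> dict:
    """Decode the command line and list every indicator found; score = number of indicators."""
    script = decode_encoded_command(cmdline)
    hits: List[str] = []
    if script is not None:
        hits.append("EncodedCommand")
        hits += [name for name in INDICATORS if name.lower() in script.lower()]
    if STEALTH_FLAGS.search(cmdline):
        hits.append("hidden/non-interactive flags")
    return {"script": script, "indicators": hits, "score": len(hits)}


def hunt(entries: Dict[str, str], min_score: int = 2) -> List[tuple]:
    """Return (entry name, indicators) for every persistence entry scoring at least min_score."""
    findings = []
    for name, cmdline in entries.items():
        result = analyze(cmdline)
        if result["score"] >= min_score:
            findings.append((name, result["indicators"]))
    return findings


# Constructed persistence entries (hypothetical names and paths), in the shape of what the
# Run key and the Task Scheduler would show. The first one mimics a registry-backed loader.
LOADER_SCRIPT = (
    "Add-Type -TypeDefinition $winapi; "
    "$blob = (Get-ItemProperty 'HKLM:\\SOFTWARE\\Classes\\Example').payload; "
    "[byte[]]$code = [Convert]::FromBase64String($blob); "
    "$mem = [WinApi]::VirtualAlloc(0, $code.Length, 0x3000, 0x40); "
    "[Runtime.InteropServices.Marshal]::Copy($code, 0, $mem, $code.Length); "
    "[WinApi]::CreateThread(0, 0, $mem, 0, 0, 0)"
)
ENTRIES: Dict[str, str] = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        "powershell.exe -w hidden -nop -enc " + encode_command(LOADER_SCRIPT),
    r"Task \Microsoft\Windows\Maintenance\Cleanup":
        "powershell.exe -EncodedCommand " + encode_command("Get-ChildItem C:\\Temp | Remove-Item"),
    r"Task \Microsoft\Windows\Backup\Nightly":
        "powershell.exe -File C:\\Scripts\\backup.ps1",
}

if __name__ == "__main__":
    for name, indicators in hunt(ENTRIES):
        print(f"{name}\n  -> {', '.join(indicators)}")
```

The second constructed task is encoded but benign; with the default threshold of two indicators it is not reported, which is the point of scoring the decoded content rather than alerting on every -EncodedCommand. Feed it the output of a Run-key export or of schtasks /query /xml and the same logic applies.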
22. Tearing apart a fileless malware sample
What will we talk about today – Cryptocurrency mining malware
23. Tearing apart a fileless malware sample
Cryptocurrency mining malware - What is it? What does it do?
Kill chain phase: Action on Objectives (the attacker's goal is the victim's CPU time)
24. Tearing apart a fileless malware sample
In browser mining
Kill chain phase: Delivery (a mining script served by a web page runs for as long as the page is open)
Source: blog.malwarebytes.com
25. Tearing apart a fileless malware sample
Evolution from ransomware to cryptocurrency mining malware
• Ransomware attacks are becoming harder to execute
  • Microsoft added the Controlled folder access feature to Windows Defender on Windows 10 to prevent malicious (or unexpected) alteration of important files
  • Everyone advises against paying
  • Easily detected
  • In some countries and regions victims are not able to pay the ransom at all
• Cryptocurrency mining often flies under the radar
Source: blog.fortinet.com
26. Tearing apart a fileless malware sample
Implications for companies
• Power
• Cost
• Might harm the production environment (CPU, stability, might kill processes, etc.)
27. Tearing apart a fileless malware sample
What will we talk about today – Tearing apart a sample!
28. Tearing apart a fileless malware sample
Detecting malware
• AV detection of files was originally based on signatures (sequences of bytes / heuristics)
  • On disk, Windows provides file system filter drivers, so AV can intercept every byte read from or written to disk
  • A similar mechanism does not exist for memory: code that only ever exists in memory bypasses the file scanner
• Next option to detect fileless malware: observe behaviour
  • Is this program encrypting files? Strange, this could be ransomware …
  • Is this program mining cryptocurrency? OK, this could be benign …
  • Not all AVs have (advanced) behaviour analysis engines
Diagram: process in memory, AV watching the file system only
29. Tearing apart a fileless malware sample
Our sample
• How did we know there was malware about?
  • No AV alerts
  • Observed TCP connections to a Monero mining pool
  • Observed a PowerShell process consuming a lot of CPU
• How did we sample the malware?
  • Specialized task managers like Process Explorer can inspect the command line of processes
    • powershell -EncodedCommand QQBkAGQALQBUAHk… (the visible prefix decodes to "Add-Ty…")
  • … and show the parent process: the Task Scheduler, i.e. the miner was started by a scheduled task
  • The BASE64-decoded PowerShell script read a value in the registry:
    • {95EF38A4-95F9-55C1-55302E9FD8427349}=AAAId0wBAAOWAAADKWBNWpAA…
  • Create a memory dump of the process & carve executables out of it
30. Tearing apart a fileless malware sample
The loader
The decoded PowerShell script reads the BASE64 blob from the registry value, decodes it and picks the 32-bit or 64-bit payload matching the host
31. Tearing apart a fileless malware sample
The loader
Calls into the Win32 API (diagram) to load and run the decoded payload in memory
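An added example (not the presenters' tooling) for the last step of slide 29 and the loader on slides 30 and 31: carving PE files out of the Base64 blob stored in the registry value, with the machine type read from the COFF header so you can see which payload the loader would pick on a 32-bit versus a 64-bit host. The blob is constructed inside the script from two minimal synthetic PE images; the real registry value is not reproduced. The same carver works on a raw process memory dump.

```python
"""Carve PE images out of a Base64 registry blob or a memory dump (added example, constructed data)."""
import base64
import struct
from typing import List, Optional

# IMAGE_FILE_HEADER.Machine values for the two payload flavours the loader chooses between.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def _pe_file_size(data: bytes, mz: int, pe: int) -> int:
    """Size of the image as it would be on disk: end of the last section's raw data, measured from MZ."""
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    sections = pe + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    size = sections + 40 * nsections - mz                    # at least all the headers
    for i in range(nsections):
        hdr = sections + 40 * i
        if hdr + 40 > len(data):
            break                                            # truncated dump: keep what we have
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        size = max(size, raw_ptr + raw_size)
    return min(size, len(data) - mz)


def carve_pe(data: bytes) -> List[dict]:
    """Find every MZ stub whose e_lfanew points at a PE signature with a known machine type."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        step = 1
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                if machine in MACHINE_NAMES:
                    size = _pe_file_size(data, pos, pe)
                    found.append({"offset": pos, "machine": MACHINE_NAMES[machine],
                                  "size": size, "image": data[pos:pos + size]})
                    step = size                              # skip past this image
        pos = data.find(b"MZ", pos + step)
    return found


def carve_registry_value(value: str) -> List[dict]:
    """The registry value holds the blob Base64-encoded; decode first, then carve."""
    return carve_pe(base64.b64decode(value))


def select_payload(carved: List[dict], want_x64: bool) -> Optional[dict]:
    """Mimic the loader's 32-bit/64-bit choice: the image matching the host architecture."""
    want = "x64" if want_x64 else "x86"
    return next((item for item in carved if item["machine"] == want), None)


def build_fake_pe(machine: int) -> bytes:
    """Constructed minimal PE: DOS stub, COFF header, zeroed optional header, one .text section."""
    is64 = machine == 0x8664
    opt_size = 0xF0 if is64 else 0xE0
    raw_ptr = raw_size = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x20B if is64 else 0x10B) + b"\0" * (opt_size - 2)  # PE32+ / PE32 magic
    sect = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    headers = dos + coff + opt + sect
    return headers.ljust(raw_ptr, b"\0") + b"\xCC" * raw_size


def constructed_blob() -> str:
    """Constructed stand-in for the registry value: junk, a 32-bit PE, a decoy 'MZ', a 64-bit PE."""
    raw = (b"\0" * 7 + b"config:v1;" + build_fake_pe(0x014C)
           + b"MZ-not-a-header" + build_fake_pe(0x8664) + b"\xff" * 5)
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    for item in carve_registry_value(constructed_blob()):
        print(f"PE at offset {item['offset']}: {item['machine']}, {item['size']} bytes")
```

Requiring e_lfanew to land on a PE signature with a known machine type is what keeps stray "MZ" byte pairs (the decoy in the blob, or random data in a memory dump) from producing false carves; write each item's "image" bytes to a file and they are ready for VirusTotal or a disassembler.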
32. Tearing apart a fileless malware sample
The “package”
The decoded blob contains an embedded PE file
33. Tearing apart a fileless malware sample
The “package”
The “package” is known to VirusTotal, and triggers AV once it exists as a file on disk
34. Tearing apart a fileless malware sample
The “package”
The generic AV label “Trojan injector cvt” does not yield valuable information
35. Tearing apart a fileless malware sample
The “package”
The carved DLL has been analyzed before, without success
36. Tearing apart a fileless malware sample
Dynamic analysis
• No useful info online: we had to analyze the sample ourselves
• Create a .ps1 file combining the loader and the “package”, so the whole chain can be replayed
• Focus on dynamic analysis
  • Submit it to sandboxes
  • Run it on a physical machine
37. Tearing apart a fileless malware sample
Mining activity (screenshots of the running sample)
39. Tearing apart a fileless malware sample
Mining activity (timeline, time in UTC)
40. Tearing apart a fileless malware sample
Mining activity (screenshots of the running sample)
41. Tearing apart a fileless malware sample
Worm activity
Scanning port 445? An EternalBlue worm?
42. Tearing apart a fileless malware sample
Worm activity
Diagram: EternalBlue / shellcode, GitLab, “package”
1) Persistence on Windows XP: file based
2) Persistence on > Windows XP: fileless
SMB1 = 0, immunize! Setting the SMB1 value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 disables the SMBv1 server and closes the door EternalBlue comes in through; applying the MS17-010 patch removes the vulnerability itself.
43. Tearing apart a fileless malware sample
Worm activity
Active since August 2017, with a history of versions (screenshot)
44. Tearing apart a fileless malware sample
Info stealing activity
Why is it accessing these files? Why is it connecting to Tor?
45. Tearing apart a fileless malware sample
Info stealing activity
FileZilla stores site credentials in its configuration files
46. Tearing apart a fileless malware sample
Info stealing activity
The FileZilla credentials file is read into memory and the stored credentials are decoded (screenshot)
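An added example (not the presenters' code) of what the info stealer on slides 45 and 46 has to do, useful both to understand the theft and to triage which credentials were exposed: parse a FileZilla sitemanager.xml (stored under %APPDATA%\FileZilla\ on Windows, next to recentservers.xml) and recover the stored passwords. FileZilla writes passwords either Base64-encoded (a Pass element with encoding="base64", since version 3.26) or, in older versions, in plain text; entries protected by a FileZilla master password are stored encrypted and are reported as not recoverable. The XML below is constructed, with made-up hosts, users and passwords, and the protocol number mapping is my reading of FileZilla's settings rather than something stated on the slides.

```python
"""Recover stored FileZilla site credentials (added example, constructed XML)."""
import base64
import xml.etree.ElementTree as ET
from typing import List, Set

# FileZilla's ServerProtocol numbering as I read it; an assumption, not from the slides.
PROTOCOLS = {"0": "ftp", "1": "sftp", "3": "ftps", "4": "ftpes", "5": "ftp (insecure)"}

# Constructed sitemanager.xml in the layout FileZilla writes to %APPDATA%\FileZilla\ on Windows:
# one entry with the Base64 form FileZilla uses since 3.26, one in the older plain-text form.
SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.33.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQxMjM=</Pass>
      <Logontype>1</Logontype>
      <Name>Production web server</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Pass>legacy-plaintext</Pass>
      <Logontype>1</Logontype>
      <Name>Backup host</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def extract_filezilla_credentials(xml_text: str) -> List[dict]:
    """Walk every <Server> entry and decode its stored password the way FileZilla itself does."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    creds = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password, note = None, "no password stored"
        if pass_el is not None and pass_el.text:
            encoding = pass_el.get("encoding")
            if encoding is None:
                password, note = pass_el.text, "plain text (FileZilla < 3.26)"
            elif encoding == "base64":
                password, note = base64.b64decode(pass_el.text).decode("utf-8", "replace"), "base64"
            else:  # master password in use: the stealer would need to crack it first
                note = f"encrypted ({encoding}): needs the master password"
        creds.append({
            "name": server.findtext("Name", ""),
            "protocol": PROTOCOLS.get(server.findtext("Protocol", ""), "unknown"),
            "host": server.findtext("Host", ""),
            "port": server.findtext("Port", ""),
            "user": server.findtext("User", ""),
            "password": password,
            "note": note,
        })
    return creds


def accounts_to_rotate(creds: List[dict]) -> Set[str]:
    """Incident response view: every account whose password could be read from the file."""
    return {f"{c['user']}@{c['host']}:{c['port']}" for c in creds if c["password"] is not None}


if __name__ == "__main__":
    found = extract_filezilla_credentials(SITEMANAGER_XML)
    for cred in found:
        print(f"{cred['name']}: {cred['protocol']}://{cred['user']}@{cred['host']}:{cred['port']} "
              f"password={cred['password']!r} ({cred['note']})")
    print("rotate:", sorted(accounts_to_rotate(found)))
```

Base64 is an encoding, not encryption: anything that can read the file (a stealer running as the user, or a forensic image of the profile) gets the passwords back with one call, which is why the response to this sample on an affected host is to rotate every account the function returns.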
47. Tearing apart a fileless malware sample
Concluding
Miner + worm + info stealer