Fileless Malware and the Threat of Convenience

Many of the conveniences brought via modern tools, operating systems, and applications also bring means for an adversary to execute actions while under the guise of a valid service. This is seen distinctly in the increased use of Fileless Malware.

Fileless Malware can be broadly defined as execution of malicious instructions in memory with no requirement for these instructions to be backed by a file on disk. One way to understand this is through the following example:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');

The above:

  1. utilizes the legitimate Windows utility rundll32.exe,
  2. loads the DLL mshtml.dll, calls “RunHTMLApplication” entrypoint,
  3. executes the Javascript command, and
  4. ultimately creates a popup containing the word foo.

A Blue Team defender can use Process Monitor to witness all of the above simply searching for rundll32.

But what makes the previous command an example of fileless execution?

If the attacker’s goal is to get an endpoint to preset a popup with the word “foo” in it in the traditional malware model the attacker would have to create an executable, trick the user into downloading and running it, noting that there is now a specific file left as an artifact that can be quarantined and dissected by an endpoint protection software.

Alternatively, in the Fileless Malware model, the attacker will not mint a single binary to be placed and run on an endpoint. Instead they simply need to use any means available to get instructions executed. For example, an attacker could make a specifically crafted website that uses weaknesses in a browser to download malicious instructions into the browser’s executable memory and run the instructions, thereby firing commands on an endpoint without a single file artifact being downloaded to disk.

Fileless Malware commonly uses the Windows tools Powershell and WMI to execute commands or download and run arbitrary code. The issue is that both of these utilities are frequently used and provide systems administrators and network defenders extremely powerful capabilities and automation, and likely cannot be shutdown without sufficient care or consideration. This is also true for features in widely deployed applications such as macros in Microsoft Office applications.

SCYTHE supports emulation of Fileless Malware. SCYTHE provides multiple types of clients: one type is designed specifically to be copied into executable memory and run aka fileless. Red Teams can use their own orchestration to load these SCYTHE clients as an example.

For convenience, we include:

  • reflective loading instructions for this type of client are provided
  • direct download links to save into memory, mark the memory executable, and start the client on the host.

So what can Defenders do?

The following are a few actions a defender can take to help mitigate some Fileless Malware threats:

1. Patch

One of the key components of a Fileless attack is the ability for an attacker to leverage known vulnerabilities in already-installed applications, allowing them to execute commands as that application’s user. Patching software and operating systems helps close these doors to attackers.

2. Disable commonly attacked conveniences

Disabling macros or other runtime execution frameworks can help reduce the attack surface of your endpoints. If we recall back to the not-so-far-away days of browser connections to Flash, Java, or ActiveX, it is easy to remember how much these “convenience” programs were vulnerable. Generally, the issue stems from powerful applications being able to run programs from unknown sources on the internet. Although browsers and other web-runtimes are a common vector, attackers also depend on the exploitation of widely deployed applications which are used to open files from the internet, namely MS Office and PDF readers. When these tools have the ability to run powerful tools via automation, adversaries can leverage the simple spoofing of an email to have their code be run on a remote endpoint.

3. Monitor for behavior, not just known signatures

Standard endpoint protection software products focus on known files, hashes, and signatures found by the threat intelligence community. Although this protection is valuable, it leaves out a critical component of testing for defenses and defenders: whether defenders actually notice malicious, non-signitured behaviors. Defenders should be able to test the efficacy of their systems by leveraging tools which give them the ability to mint adversarial campaigns using the same techniques used by actual adversaries.