New fileless malware spotted in the wild

News by Rene Millman

Threat runs entirely in memory to evade detection

Researchers have unearthed a new type of fileless malware that runs entirely in memory and can infect other computers within a network.

Dubbed ‘Phasebot’, the malware has been circulating among cyber-criminals and has been available in online marketplaces that sell malware and other malicious tools.

"Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed on the target computer's hard drive," Trend Micro threat response engineer Michael Marcos said in a blog post.

Marcos said that Phasebot appears to be a direct successor to Solarbot, but comes with additional features such as virtual machine (VM) detection and an external module loader. The latter feature gives the malware the capability to add and remove functionalities on the infected computer.

The fileless malware relies more on stealth and evasion mechanisms and encrypts its communications to its C&C server by using random passwords each time it connects to the server.

Phasebot also checks whether .NET Framework Version 3.5 and Windows PowerShell are installed on an infected system. This suggests that flaws in these programs could be used to help the malware. Both of these programs are integrated into current versions of Windows. After verifying that the affected system has these programs, Phasebot creates the following registry key, where the encrypted shell code will be written

“Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs,” said Marcos.

He said that the new malware is interesting as it uses Windows PowerShell, a legitimate, built-in Windows system administration tool, to evade detection from security software. “It uses PowerShell to run its components that are hidden in the Windows registry,” he added.
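One way a defender can surface the technique Marcos describes (PowerShell started in a hidden window to execute a payload that is read out of the registry rather than from a file) from process-creation telemetry. This is an added example, not code from the article or from Trend Micro; the sample events, the registry path and the command-line traits are constructed for illustration and are not real Phasebot indicators.

```python
import re

# Traits of the pattern described in the article: PowerShell run in a hidden
# window, often with the user profile suppressed, that reads a value from the
# registry and passes it to Invoke-Expression, or that carries an encoded command.
PATTERNS = {
    "registry_read": re.compile(r"Get-ItemProperty|\bgp\b|GetValue\s*\(|\breg(?:\.exe)?\s+query", re.I),
    "invoke":        re.compile(r"Invoke-Expression|\biex\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded":       re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "no_profile":    re.compile(r"-nop(?:rofile)?\b", re.I),
}

# Constructed process-creation events (the fields an EDR or Sysmon event 1
# would carry). The registry path and encoded blob are placeholders, not IoCs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4412, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -NoProfile -WindowStyle Hidden -Command "IEX ((Get-ItemProperty HKCU:\Software\ExampleVendor\Cache).Payload)"'},
    {"pid": 5020, "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 5100, "image": PS, "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
]

def analyse_event(event):
    """Match one event against the traits and decide whether it fits the pattern."""
    if not event["image"].lower().endswith("powershell.exe"):
        return {"pid": event["pid"], "traits": [], "suspicious": False}
    traits = [name for name, rx in PATTERNS.items() if rx.search(event["cmdline"])]
    # Two combinations the article's description maps to: a script pulled from the
    # registry and executed in place, or a hidden, encoded command.
    registry_resident = "registry_read" in traits and "invoke" in traits
    hidden_encoded = "hidden_window" in traits and "encoded" in traits
    return {"pid": event["pid"], "traits": traits,
            "suspicious": registry_resident or hidden_encoded}

def find_suspicious(events):
    """Return the analysed records for every event that fits the pattern."""
    return [r for r in (analyse_event(e) for e in events) if r["suspicious"]]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {', '.join(hit['traits'])}")
```

A hit is a trigger for inspecting the referenced registry value and the parent process, not proof of infection on its own; legitimate administration scripts that read the registry rarely combine that with a hidden window and Invoke-Expression.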

Marcos said that it was now highly likely that malware developers would adopt and adapt the fileless concept.

“It's highly possible that they will not limit themselves to simply using the Windows registry to hide their malware. They will also use other, sophisticated techniques to run malicious routines without having to drop a file into the affected system,” said Marcos.

“The emergence of fileless malware can be a serious threat to users who are not familiar with this type of infection. Users are often advised to look for suspicious files or folders, but not in places like the Windows registry, which is used for fileless infection,” he added.

David Flower, EMEA managing director of security firm Bit9 + Carbon Black, said via email that it is safe to assume that most businesses have already been breached by this form of malware.

“In these instances, it is vital to be able to limit damage by detecting attackers while in the early stages, while also being able to track the kill-chain of any successful breach back to its original point of entry,” he said.

Roy Tobin, threat researcher at Webroot, said that there was a “big spurt” of fileless malware at the start of this year but it has died down greatly over the last two months.

“This family of infections is quite innovative in its approach and did catch a number of people off guard. After the initial spike we saw in this type of malware, AV vendors were quick to adjust which has resulted in the numbers of infected PCs dropping,” he said.

He added that the usual preventative measures with malware still apply here.

“POWELIKS and Phase cause computers to run extremely slowly and are therefore very easy to spot. They also use a legitimate Windows process in an attempt to hide from the user. If they do get on a PC, depending on the version, they can pull down other infections like ransomware too. Any PC that is identified with this malware must be isolated from the network just in case of secondary infections,” he said.

Tobin said the new type of infection was not the end for file-based detection.

“In many cases of POWELIKS there was an initial file dropper that created the registry entry, and thus they weren't technically fileless. Even after the infection has created the registry entry, many variants will pull down other infections, which would be classic file-based malware. In these cases you would still need to block/detect these. Another point is that if you block the servers that these fileless malware connect to, then they cannot pull down other infections,” he added.
