BREAKING NEWS!

You feel safe, knowing that you anti-malware is standing guard and will stop any suspicious intrusion. Well, malware authors have gone one up on security file scanners by utilizing new methods of avoiding detection.

These cyber crooks are doing this by using fileless malware.  Fileless malware will hide itself in locations that are difficult to scan or detect. The malware is written directly to RAM of the target computer’s hard drive. One fileless malware that appeared in August 2014 is Powerliks, which is able to hide itself in the registry. Powerlicks evasion techniques and the use of Windows PowerShell (see Definiton) were regarded as a potentially dangerous tool for future attacks. This tactic has led other malware authors to ‘follow the trend’ so to speak and has resulted in Phasebot, another fileless malware. Phasebot contains both rootkit (see Definition) and fileless execution capabilities.

Phasebot has features like virtual machine (VM) detection and external module loader. With the external loader module, the malware can add and remove functionalities on the infected computer.  It is also able to encrypt its communication with the command and control (C & C) server using random passwords each time it communicates with the server.

The malware will check if the .NET Framework version 3.5 and Windows Powershell are installed in the affected system. If they are, Phasebot will create the following registry key where the encrypted code will be written:

HKEY_CURRENT_USERSoftwareMicrosoftActive SetupInstalled Components{Bot GUID}

If the programs are not found in the system, Phasebot drops a copy of itself in the folder %userStartup%. It will then enable a rootkit to hide the file from an end-user, and hide the malware process.

A bot administrator will then instruct Phasebot to perform actions such as steal information, distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs.

By all accounts, fileless malware looks like the future of malware trend. The malware authors may look beyond Windows registry to hide the malware. In all likelihood, they will use other sophisticated technique to run malicious routines without having to drop a file in the affected system.

Fileless malware may be the bane of security vendors who rely on file-based detection. It also poses a serious threat to users who are not familiar with this type of infection. Users are often advised to look for suspicious files or folders, but not in Windows registry which is utilized by fileless malware.

Fileless malware are not only hard to detect, but are difficult to remove due to its location, as this is not your typical malware infection.

Recommendation

1. Users have to keep themselves updated of new technologies adapted by malware authors to evade detection and to victimize users.
2. Users have to adopt best practices such as being cautious when dealing with emails, web links or files. Users may check if websites are safe here, https://www.virustotal.com
3. Endpoint solutions should include behavior monitoring to detect this type of malware.

Definition

1. Windows PowerShell (found in Windows 7 and above) – a legitimate Windows system administration tool. It’s a task automation and configuration management framework from Microsoft and is built-in.
2. Rootkit – a stealthy type of malicious software that is hides the existence of certain processes or programs without being detected.

Source

1. Trend Micro
2. Bitcoinist.net (1^st image, pg 1)
3. Micro Visions Incorporated (2^nd image, pg 2)