Fileless Fever: An in-depth Breakdown of Attacks from Poweliks to PowerGhost

Kaarthik RM, K7 Computing

Fileless malware employ techniques to maintain their state of infection without dropping any of their core malicious components on disk. This is because the fewer the number of files created on disk, the greater the chances of evading file-based Anti-Virus detection. It might even seem that Anti-Virus scanners are chasing an almost invisible mouse, or perhaps mice, since Fileless malware has been on the rise for some time.

Fileless fever was kick-started back in 2014 by Poweliks, a malware family which managed to hide the code required for persistence and infection as an encoded JavaScript stored within a value data entry in the Windows registry. Poweliks initiated itself by executing rundll32.exe which in turn invoked mshtml.dll which renders the malicious script using the API RunHTMLApplication. Since then, however, fileless malware have morphed greatly with the recent trend in attacks exhibiting the fashion of multiple stages for infiltration, reconnaissance, lateral movement, gathering data and exfiltration.

Fileless malware frequently employ the ‘living off the land’ approach, wherein the tools used in the attack chain are typically available by default on a victim’s device. These tools are obviously entirely legitimate, the most abused ones being those related to Windows management frameworks like Powershell and Windows Management Instrumentation (WMI). Recent Fileless attacks also employ one or more offensive red-team tools to their advantage. For example PowerGhost, CactusTorch, and Rozena, etc. all leverage offensive tools in at least one stage of their attack chains. PowerGhost primarily uses an obfuscated Powershell script for illegal mining. It, however, exploits the EternalBlue vulnerability for lateral movement and the Mimikatz tool to scrape for passwords from memory. CactusTorch converts a .NET assembly to a base64-encoded JavaScript via the DotNetToJScript tool which is subsequently converted into shellcode and injected into a spawned legitimate 32-bit process. Rozena too relies heavily on Powershell, using several obfuscation tricks (visual obfuscation, custom encoding and base64) to hide the code that finally injects a shellcode within the Powershell.exe process. Interestingly this shellcode is part of the Metasploit framework and takes care of the ‘phoning home’ part, providing backdoor access to the victim’s device.

The challenges in detecting Fileless malware are several. Since malicious components do not hit the disk, contextual memory and registry scans would be necessary, and these could result in performance degradation. The harnessing of legitimate binary components could lead to false positives causing system disruption. This paper provides in-depth technical details on the Fileless attack tactics, techniques, and procedures employed by cybercriminals to achieve memory-only infections and fileless persistence, employing OS and offensive tools and non-PE infection vectors. Methods to counter the TTPs of Fileless attacks would also be discussed.

Kaarthik R Muthukrishnan

Kaarthik is a Senior Threat Researcher at K7 Computing’s Threat Control Lab. He graduated from SSN College of Engineering (Chennai, INDIA) in 2007 with a Master’s degree in Computer Applications. He began his career as a Threat Research Analyst at Technosoft Corporation in 2008. Kaarthik joined K7 Computing’s Threat Control Lab in December 2010. Kaarthik has authored a paper for VB2017, co-authored a paper for AVAR 2013 and blogs on the K7 Computing blog site. Apart from security, Kaarthik is passionate about photography.

The Dynamic Security Ecosystem
Other Topics