Fileless infections: an overview

To date, there are a number of so-called fileless infections. By fileless infections or fileless malware, we are referring to an infection or malware that does not write any files to the infected system’s hard drive.

By leaving as little traces behind as possible, malware authors try to postpone detection by security vendors for as long as possible. Which is another big step in the arms war between malware and security products and the process of making file-based detections by security vendors something of the past.

In some modern exploit kits (Angler in particular), fileless infection is rapidly becoming the run-of-the-mill method. If we want to classify fileless infections, the first split will be depending on whether the infection wants to be resident or if it will be gone after doing its job or sometimes after a reboot.

Hit and Run

Based on that property USB Thief, PowerSniff and exploit kits can be categorized as “hit and run” malware. They run on the infected system, do their job and disappear. This makes it hard for researchers to get samples and study their behavior.

  • Fileless exploit kits run directly in memory and often seen in malvertising. They can fingerprint the system that they are active on and then infect them further by downloading and running other malware.
  • PowerSniff is spread by mail as a macro in an attached Word document. It gathers information on the infected system and sends that to a Command & Control server.
  • USB Thief resides on infected USB devices installed as a plugin in popular portable software. It gathers information on the targeted system and writes that to the USB device.

Here to stay

And then there are the likes of Poweliks, PhaseBot and Kovter that use rootkit techniques to hide in the Windows registry.

  • Poweliks uses a “NULL” Runkey (which makes the content invisible) in the registry to run a JavaScript and uses PowerShell to run an encoded script hidden elsewhere in the registry. It steals system information and has the ability to download and install other malware.
  • PhaseBot uses PowerShell to run components that are encoded scripts it has hidden in the registry. PhaseBot can execute commands issued by the botnet operator.
  • Kovter uses non-ASCII characters to create unreadable registry keys that hold obfuscated JavaScript. The JavaScript in turn executes PowerShell loading a script that was created as well. Kovter is a Trojan famous for its screen-locks (FBI Ransomware) and click-fraud activities.

Summary

We discussed the most well-known fileless infections to date and gave brief descriptions of how they operate. For more elaborate descriptions of the above mentioned fileless infections, we encourage you to check out the following links:

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.