Researchers have discovered a new malicious campaign using a never-before-seen technique for injecting Fileless malware on target systems.
Fileless malware differs from traditional malware, which relies on executable files written to disk to infect systems; fileless malware instead operates from the Random Access Memory (RAM) of the targeted systems.
Flow of Fileless malware
The initial step was to lure the target to download the zipped archive of the purported security testing tools – Cobalt Strike and Silent Break.
The threat actors then use these security tools to inject further modules into trusted Windows software in order to run malicious code on the system.
“What piqued our attention was the very targeted nature of the campaign and the vast set of tools in use, including commercial ones,” said researcher Denis Legezo.
There were several anti-detection techniques involved but the most innovative technique is to hide the next stage malware as “8KB blocks of divided parts” in the binary part of Windows Event logs.
Next, a launcher is dropped into the Windows Tasks directory. “At the entry point, a separate thread combines all the aforementioned 8KB pieces into a complete shellcode and runs it,” the researcher wrote.
Other anti-detection measures included decryptors built with different compilers and the use of digital certificates that were not legitimate software signatures.
The final step is a Trojan with two communication mechanisms:
- HTTP-based
- Named pipes-based
The attacks made by fileless malware leave no trace on the systems they infect, as all malicious activity is performed directly in RAM and no files are written to the hard drive.
With no trace left behind, the threat actor is able to evade the detection of signature-based antivirus software and many other security solutions.
“Along with the aforementioned custom modules and techniques, several commercial pentesting tools like Cobalt Strike and SilentBreak’s toolset are used,” said researcher Legezo.
Mitigations
- Use a reliable endpoint security solution.
- Install anti-APT and EDR solutions.
- Provide your security team with the latest threat intelligence and training.
- Integrate endpoint protection and employ dedicated services that can help protect against high-profile attacks.
Indicators Of Compromise
Dropper
MD5 | SHA1 | SHA256 |
345A8745E1E3AE576FBCC69D3C8A310B | AF96578D7514826D4AD14EEF14FABB967FB1A87D | 5A17247C0ED62C4EFAA68F8AA14F407A2925DAB48D6441DB0FBCDCF9FEF18AF9 |
822680649CDEABC781903870B34FB7A7 | 5904CEF25E3A6D55D782038B3A63E2F4192B487F | 9C952008BA0E763B519B298A966D6B27E43283D87D793A18613F32982B7FAC16 |
EF825FECD4E67D5EC5B9666A21FBBA2A | 3B43B4B72301CEFCBC535D0603FAA138C2F30888 | CD6DEDE5C6972E7A8E2D8D3166D41FCC9BF6670943F902041171D617FA7984B4 |
FA5943C673398D834FB328CE9B62AAAD | 43E4C15E949AFE44EAA61CA2A6A64B0EFF63E719 | 6AB8FE97E67DEEDF572E6A04F1FA1B6B6390BE96D27D971C07B738BD0A576513 |
Logs code launcher
MD5 | SHA1 | SHA256 |
2080A099BDC7AA86DB55BADFFBC71566 | 7BAAD47EE9D0D705C96E3AE771FFD3FA2CD18EA9 | 1B9283B51F7F23F101F40BC8AF2C1A10837416A56DBDDDECE47EB340CD4EEF97 |
0D415973F958AC30CB25BD845319D960 | 39955CBC7AAF4F10755D3131D0E1DDAEA9BF7B69 | 0404FD47A4B4E640E76847976A39FA71D571C0C48DE7B19CF9A5006DDDB26BDB |
209A4D190DC1F6EC0968578905920641 | 96270DD4485D5FD3C6004954B3559E85F0717084 | 356483C3708313A9ED4E789758377BEDA75A510EC3559B1067451885C8AA924F |
E81187E1F2E6A2D4D3AD291120A42CE7 | 496611B79FA078D8FB7AE4C0209BA3A85E928BF3 | 6BF4DFF209B64C6A4547D20687C450731362A2C728B8A7B7EFCD54B581689A13 |
HTTP Trojan
MD5 | SHA1 | SHA256 |
ACE22457C868DF82028DB95E5A3B7984 | D4B1643EB01E0F868F5CCF877FCFDB28B81C027D | 84F76A6710E539425938EE9D3ED772B958232FAEFF67B0A53123A882EF13CF2C |
1CEDF339A13B1F7987D485CD80D141B6 | 0BCDD50563CBE57EF63F7189FC48C84A1F1C7626 | 4A8D933F20ADDB023D8C2B02598B163D5287E0B3F4793F4AAE7BEFB88C337DBC |
24866291D5DEEE783624AB51516A078F | 5B3BD7EC0409B118589676339D5747FD4C2B63FF | B9B6FD29FCC37F5107BD39CBF49B0C5F791795B88E3910E53EB1CDDE743B725A |
13B5E1654869985F2207D846E4C0DBFD | 75FEE85FEE9167848F5C8BC8CD92CC51CAFE2F13 | E13F5C4A5B8FE51DC2C83C9F7DA9AE10921384A5A37DE1B041FAFD5B8C41AF53 |
Named pipes trojan and similar
MD5 | SHA1 | SHA256 |
59A46DB173EA074EC345D4D8734CB89A | 95570499AF45DD54AF5A1CBA81B40571B242BB57 | 729FE28BD5B4E9EBC2E078A52D91D5609A7AFA62E66F70E99D1BB27F74D8EEB5 |
0B40033FB7C799536C921B1A1A02129F | ED2872F8B6FBEBE84DCC5CD05836E7A75A934980 | BACE18CD34504F70B1A79ACF2A3A5DD44768EE6B8318FDA53CE09833D4B85930 |
603413FC026E4713E7D3EEDAB0DF5D8D | ED93E26626B1BBE83FFE5DD39EEABC5FE9B80AB9 | B9C3626678C3B260E20F04B9B95A06F713F573EFCA4C4B49BF5B0A6FA1458BB2 |
Anti-detection Wrappers / Decryptors / Launchers, not malicious by themselves
MD5 | SHA1 | SHA256 |
42A4913773BBDA4BC9D01D48B4A7642F | B44D98554FAADF32A2915905D0E53F9360B80966 | 72B8468D64D16AF58BD0FEB5534B8097C76ED7DE4E325F6FE6700FC777BEDE9A |
9619E13B034F64835F0476D68220A86B | 6EE4A514BE5E7034FEEB8AFC500BF65F74242F18 | 2CB8AE508859CA2A8E683CFB096B5E975252BD7950F06CAC06DAE8BFD34C592C |
0C0ACC057644B21F6E76DD676D4F2389 | C33C6D7412F3231B3C735FB2A16284F1133C0D05 | 89C7EB2EAC726EC7FF216F00EF0E3C3EAB215B5D98E54A5435073E83F388BC26 |
16EB7B5060E543237ECA689BDC772148 | 6E1281A07123C262F5118C895FBEE7CAA188ED2D | 3B6EC690E2741E1EAE725B88B73B55F087007A675D4BA30CE36F6265CA277F7E |
54271C17684CA60C6CE37EE47B5493FB | 527D1CD145409101C99F8B508002CE6EEBEBA70F | 79DD4E8F27B834C818417BD1977255A21CA456EB2B7C6973C8EEB94D5BB0071F |
77E06B01787B24343F62CF5D5A8F9995 | 9D6A3DF1AA17428B39F9FC7A7DE56A494CDAB5A3 | CDEB35F8C3FA1369621646F264E3316B9663F5FA8DCE3DA008D685A511CB3EEF |
86737F0AE8CF01B395997CD5512B8FC8 | 42A64E2D0402DE59B29641F62A7504410699B496 | 67C19046519507ED8035236A806C0B5E59E23DC5E8BF57EB7C9C5C4319D850CD |
964CB389EBF39F240E8C474E200CAAC3 | 5F04597434BA235D2645161BDF0DCEE97EF30A2E | 29823DFD7766CFD4563E4C1781B5F29CB768DF69164D05D9C28A3FACFB68FB9D |
59A46DB173EA074EC345D4D8734CB89A | 95570499AF45DD54AF5A1CBA81B40571B242BB57 | 729FE28BD5B4E9EBC2E078A52D91D5609A7AFA62E66F70E99D1BB27F74D8EEB5 |
A5C236982B0F1D26FB741DF9E9925018 | 0D55BC45FECE47262939CB0B207879C25A4FC76E | 2158739477B3C3653361B275F0318E535F383C80655DB704E67A36665F036886 |
D408FF4FDE7870E30804A1D1147EFE7C | 2E6C0A3A9FCFB9ADEADABFCA41B173040C42425F | B938021806B9F289DF51EA4BE62E1A2652CC4BC5598C0B0FE5F4FBEA0E87E26A |
DFF3C0D4F6E2C26936B9BD82DB5A1735 | 9782C68BE96257142698BD2530705D835B0FF76C | 5780D65CC3A66623C844C3EB4FFA499AABD5B772F3C86794B5856419AD2906E4 |
E13D963784C544B94D3DB5616E50B8AE | 597B544556DA2D2E861702DE9158BD6A84502183 | 27483B0240D72CA2DD658DFA7824564C722F18FC0D184AD8046CFC4CAEEFD81F |
E9766C71159FC2051BBFC48A4639243F | 928F7DFE9E12A575DA3AA5290809FC2319E6A1B3 | A3B5C65975C76B72F9D1064EA41AAB3A92A0A80CDBB469EC5665A78BFA439033 |
F3DA1E157E3E344788886B3CA29E02BD | AAF24210EA84A33740D7E1BAB7EC27FE3406F005 | 8B1B16EB661E74C8768D8D516CD4AAA6574CF7022AB5B06086E9651E62BA150B |
Conclusion
For the reason given above, the researchers have yet to determine the identity of the attackers. The researcher also said that a name would be assigned to this fileless malware if any new modules appeared.
The researcher concluded that “the actor behind this campaign is quite capable” and that “the code is quite unique, with no similarities to known malware.”