Unlike most malware, which requires user installation, fileless malware typically operates without writing anything to the hard drive.
Explaining malware which resides only in RAM
Unlike traditional malware, which typically involves downloading and running an executable file, fileless malware operates in the system’s memory (RAM) and often exploits legitimate tools (like PowerShell, WMI, or Windows Registry) and scripts already present on the target system (such as JavaScript or VBScript).
This means that fileless malware has unique attack vectors, installation, persistence and execution mechanisms. Here’s how malware which resides in RAM compares to traditional malware:
<thead> <tr>
<th colspan="3" rowspan="1">
Fileless vs Traditional Malware Compared </th>
</tr>
</thead><tbody> <tr>
<td>
Trait </td>
<td>
Traditional Malware </td>
<td>
Fileless Malware </td>
</tr>
<tr>
<td>
Example families </td>
<td>
Viruses (e.g., ILOVEYOU), Trojans (e.g., Zeus), Worms (e.g., Conficker) </td>
<td>
PowerShell-based (e.g., Poweliks), Memory-based (e.g., Kovter) </td>
</tr>
<tr>
<td>
Installation </td>
<td>
Installs on disk, alters file systems </td>
<td>
Executes in memory, often leveraging trusted tools (e.g., PowerShell) </td>
</tr>
<tr>
<td>
Persistence mechanism </td>
<td>
Registry modifications, startup folder </td>
<td>
WMI event subscriptions, registry modifications without file-based payloads </td>
</tr>
<tr>
<td>
Detection evasion </td>
<td>
Obfuscation, polymorphism, packing </td>
<td>
Avoids disk writes, leverages living-off-the-land binaries (LOLBins) </td>
</tr>
<tr>
<td>
Execution method </td>
<td>
Executable files, DLL injection </td>
<td>
Script-based (e.g., JavaScript, VBS), process hollowing </td>
</tr>
<tr>
<td>
Payload delivery </td>
<td>
Downloaded files, email attachments </td>
<td>
Scripts, macros, legitimate software exploitation </td>
</tr>
<tr>
<td>
Typical IOCs </td>
<td>
File hashes, static file signatures </td>
<td>
Behavioral patterns, anomalous script execution </td>
</tr>
<tr>
<td>
Forensic trace </td>
<td>
File remnants, hard drive artifacts </td>
<td>
Memory artifacts, log analysis (e.g., command line arguments) </td>
</tr>
<tr>
<td>
Common attack vectors </td>
<td>
Phishing emails, drive-by downloads </td>
<td>
Phishing with macros, exploitation of software vulnerabilities </td>
</tr>
</tbody></table>
Why is fileless malware hard to detect and analyze?
Traditional antivirus programs are designed to scan the file system for known malware signatures, but fileless malware leaves no files to scan.
Instead, it executes malicious activities directly in a computer’s RAM. This memory residency means there’s no persistent file on the hard drive for antivirus software to detect, making the malware essentially invisible to these traditional security measures.
Moreover, fileless malware often leverages built-in, trusted tools that are inherently considered safe and are necessary for the normal functioning of the system. For example, a fileless malware might use PowerShell scripts to execute commands, move laterally across a network, or even fetch additional payloads — all activities that could be mistaken for regular administrative tasks.
Adding to these challenges is the use of advanced obfuscation and evasion techniques, like:
- Encrypting payloads in memory
- employing polymorphic code that changes every time it runs
- Utilizing stealthy command-and-control channels
All of this combined allows attackers to achieve a very low footprint.
Fileless malware poses analysis challenges, too
Analyzing fileless malware presents unique digital forensics challenges, primarily due to its volatile nature. Since fileless malware operates in a system’s memory (RAM), once an infected system is rebooted, the malware and its associated artifacts in memory are typically lost, making post-incident analysis particularly challenging.
For instance, malware like Kovter or Poweliks, which reside in and execute directly from the Windows Registry, leave minimal forensic evidence on the disk.
Detecting malware that resides only in RAM
To detect fileless malware, you need to focus on identifying anomalous behavior indicative of malicious activity. Here are some techniques you can use:
Behavioral analysis
This involves monitoring system memory, processes, and network traffic for unusual patterns. For example, an unexpected spike in PowerShell or WMI activity, especially involving commands known to be associated with malicious operations, can be a red flag.
Another key strategy is proactive threat hunting
This is when security teams actively search for IoCs within their environment. Focus on areas where fileless malware commonly operates, such as in-memory processes and system logs. Techniques like memory dumping and analysis can be employed to examine running processes for signs of injected code or other anomalies.
The easiest and safest way to perform behavioral analysis is in ANY.RUN
Register for freeIn ANY.RUN, you can test malware samples within a secure cloud setup. This setup isolates the malware, allowing the sandbox to capture important data from network activity, processes and memory dumps.
You can also use the Script Tracer tool, which is crucial for examining how scripts behave. It helps you trace and understand the steps of an infection, especially with script-based malware.
Read about analyzing scripts in ANY.RUN
Explaining typical fileless malware techniques
Having a good grasp of these techniques will help you identify and analyze RAM-residual malware.
1. PowerShell exploitation:
PowerShell is commonly exploited by fileless malware for its ability to execute complex operations without generating executable files. Usually, it’s leveraged to download and run payloads directly from memory and bypass scripting restrictions.
2. Registry-based persistence
Fileless malware often uses the Windows Registry, a database for configuration settings, to achieve persistence without leaving traditional files on disk. It embeds malicious code in registry keys, which can be executed via legitimate Windows processes.
3. Memory injection and hollowing
This technique involves injecting malicious code into the memory space of legitimate processes. Fileless malware may ‘hollow out’ a legitimate process – replacing its code in memory with malicious code while maintaining the process’s appearance. For example, a common approach is to inject code into the memory space of a trusted system process like explorer.exe.
4. Script-based execution
Fileless malware often utilizes scripts, such as JavaScript or VBScript, executed directly in memory or via legitimate scripting engines like WSH. Scripts can be obfuscated and stored in non-executable files (like Word documents), which are then interpreted and executed entirely in memory.
Examples and history of fileless malware
Historically, early examples like the Code Red worm in 2001 exploited memory vulnerabilities, hinting at the potential of fileless strategies. By 2014, Poweliks emerged, pioneering true fileless tactics by residing entirely in the Windows Registry.
The subsequent years saw a surge in sophistication, exemplified by the Angler Exploit Kit, which exploited browser vulnerabilities to execute attacks directly in memory. The trend continued with attacks like Kovter, evolving from ransomware to click-fraud, leveraging fileless techniques for persistence and obfuscation. Notably, APT groups like APT29 (Cozy Bear) integrated fileless methods for espionage, using in-memory execution and legitimate system tools to remain undetected.
Here are some notable instances of memory-residing malware both from history and more recent times:
- Operation Cobalt Kitty: A targeted attack by the OceanLotus (APT32) group, this campaign used a fileless technique involving PowerShell scripts and the Windows Management Instrumentation for espionage purposes.
- Stuxnet: While not entirely fileless, certain aspects of Stuxnet, particularly its propagation methods and some payloads, demonstrated fileless characteristics. Stuxnet was groundbreaking in its use of multiple zero-day exploits and its targeting of industrial control systems.
- REvil/Sodinokibi ransomware: This more modern ransomware has shown fileless characteristics in some of its infection vectors, using memory-resident payloads and leveraging legitimate tools for execution and spreading.
Today, fileless malware is popular among APT groups and sophisticated adversaries. It’s often employed in targeted attacks against high-profile targets, which call for a low footprint. It’s safe to say that as a malware analyst, DFIR, or SOC specialist, fileless threats are some of the most challenging you’ll get to work with.
Wrapping up
Fileless malware, despite its sophistication, is not immune to thorough behavioral analysis. Tools like ANY.RUN have significantly simplified this process, making it easier to detect and analyze such advanced malicious programs.
ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.
Request a demo today and enjoy 14 days of free access to our Enterprise plan.
The post Which type of malware resides only in RAM? Explaining fileless malware appeared first on ANY.RUN's Cybersecurity Blog.
Article Link: Malware that resides in RAM: Explaining fileless malware