Windows 10: Windows Defender - Now you see me: Exposing fileless malware

Brink · Jan 23, 2018

WINDOWS DEFENDER RESEARCH

In Windows, Windows Defender Advanced Threat Protection, Endpoint Security, Threat Protection, Best Practices and How-Tos, Research

Attackers are determined to circumvent security defenses using increasingly sophisticated techniques. Fileless malware boosts the stealth and effectiveness of an attack, and two of last year’s major ransomware outbreaks (Petya and WannaCry) used fileless techniques as part of their kill chains.

The idea behind fileless malware is simple: If tools already exist on a device (for example PowerShell.exe or wmic.exe) to fulfill an attacker’s objectives, then why drop custom tools that could be flagged as malware? If an attacker can take over a process, run code in its memory space, and then use that code to call tools that are already on a device, the attack becomes more difficult to detect.

Successfully using this approach, sometimes called “living off the land”, is not a walk in the park. There’s another thing that attackers need to deal with: Establishing persistence. Memory is volatile, and with no files on disk, how can attackers get their code to auto-start after a system reboot and retain control of a compromised system?

Misfox: A fileless gateway to victim networks

In April 2016, a customer contacted the Microsoft Incident Response team about a case of cyber-extortion. The attackers had requested a substantial sum of money from the customer in exchange for not releasing their confidential corporate information that the attackers had stolen from the customer’s compromised computers. In addition, the attackers had threatened to “flatten” the network if the customer contacted law enforcement. It was a difficult situation.

Quick fact
Windows Defender AV detections ofMisfox more than doubled in Q2 2017 compared to Q1 2017. The Microsoft Incident Response team investigated machines in the network, identified targeted implants, and mapped out the extent of the compromise. The customer was using a well-known third-party antivirus product that was installed on the vast majority of machines. While it was up-to-date with the latest signatures, the AV product had not detected any targeted implants.

The Microsoft team then discovered that the attackers attempted to encrypt files with ransomware twice. Luckily, those attempts failed. As it turned out, the threat to flatten the network was a plan B to monetize the attack after their plan A had failed.

What’s more, the team also discovered that the attackers had covertly persisted in the network for at least seven months through two separate channels:

The first channel involved a backdoor named Swrort.A that was deployed on several machines; this backdoor was easily detected by antivirus.

The second channel was much more subtle and interesting, because:

It did not infect any files on the device

It left no artifacts on disk

Common file scanning techniques could not detect it

Should you disable PowerShell?
No. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell. For tips on mitigating PowerShell abuse, continue reading. The second tool was a strain of fileless malware called Misfox. Once Misfox was running in memory, it:

Created a registry run key that launches a “one-liner” PowerShell cmdlet

Launched an obfuscated PowerShell script stored in the registry BLOB; the obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry

Misfox did not drop any executable files, but the script stored in the registry ensured the malware persisted.

Fileless techniques

Misfox exemplifies how cyberattacks can incorporate fileless components in the kill chain. Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:

Reflective DLL injection
Reflective DLL injection involves the manual loading of malicious DLLs into a process’ memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.

Memory exploits
Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, and has been observed to install the DoublePulsar backdoor, which lives entirely in the kernel’s memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX does not drop any files on disk.

Script-based techniques
Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shellcodes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry (as in the case of Misfox), read from network streams, or simply run manually in the command-line by an attacker, without ever touching the disk.

WMI persistence
We’ve seen certain attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings. This article [PDF] presents very good examples.

Fileless malware-specific mitigations on Microsoft 365

Microsoft 365 brings together a set of next-gen security technologies to protect devices, SaaS apps, email, and infrastructure from a wide spectrum of attacks. The following Windows-related components from Microsoft 365 have capabilities to detect and mitigate malware that rely on fileless techniques:

Tip
In addition to fileless malware-specific mitigations, Windows 10 comes with other next-gen security technologies that mitigate attacks in general. For example, Windows Defender Application Guardcan stop the delivery of malware, fileless or otherwise, through Microsoft Edge and Internet Explorer. Read about the Microsoft 365 security and management features available in Windows 10 Fall Creators Update. Windows Defender Antivirus

Windows Defender AV blocks the vast majority of malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Windows Defender AV protects against fileless malware through these capabilities:

Detecting script-based techniques by leveraging AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation

Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed

Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring

Windows Defender Exploit Guard

Windows Defender Exploit Guard (Windows Defender EG), a new set of host intrusion prevention capabilities, helps reduce the attack surface area by locking down the device against a wide variety of attack vectors. It can help stop attacks that use fileless malware by:

Mitigating kernel-memory exploits like EternalBlue through Hypervisor Code Integrity (HVCI), which makes it extremely difficult to inject malicious code using kernel-mode software vulnerabilities

Mitigating user-mode memory exploits through the Exploit protection module, which consists of a number of exploit mitigations that can be applied either at the operating system level or at the individual app level

Mitigating many script-based fileless techniques, among other techniques, through Attack Surface Reduction (ASR) rules that lock down application behavior

Tip
On top of technical controls, it is important that administrative controls related to people and processes are also in place. The use of fileless techniques that rely on PowerShell and WMI on a remote victim machine requires that the adversary has privileged access to those machines. This may be due to poor administrative practices (for example, configuring a Windows service to run in the context of a domain admin account) that can enable credential theft. Read more about Securing Privileged Access. Windows Defender Application Control

Windows Defender Application Control (WDAC) offers a mechanism to enforce strong code Integrity policies and to allow only trusted applications to run. In the context of fileless malware, WDAC locks down PowerShell to Constrained Language Mode, which limits the extended language features that can lead to unverifiable code execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects. This essentially mitigates PowerShell-based reflective DLL injection attacks.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (Windows Defender ATP) is the integrated platform for our Windows Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) capabilities. When it comes to post breach scenarios ATP alerts enterprise customers about highly sophisticated and advanced attacks on devices and corporate networks that other preventive protection features have been unable to defend against. It uses rich security data, advanced behavioral analytics, and machine learning to detect such attacks. It can help detect fileless malware in a number of ways, including:

Exposing covert attacks that use fileless techniques like reflective DLL loading using specific instrumentations that detect abnormal memory allocations

Detecting script-based fileless attacks by leveraging AMSI, which provides runtime inspection capability into PowerShell and other script-based malware, and applying machine learning models

Microsoft Edge

According to independent security tester NSS Labs, Microsoft Edge blocks more phishing sites and socially engineered malware than other browsers. Microsoft Edge mitigates fileless malware using arbitrary code protection capabilities, which can prevent arbitrary code, including malicious DLLs, from running. This helps mitigate reflective DLL loading attacks. In addition, Microsoft Edge offers a wide array of protections that mitigate threats, fileless or otherwise, using Windows Defender Application Guard integration and Windows Defender SmartScreen.

Windows 10 S

Windows 10 S is a special configuration of Windows 10 that combines many of the security features of Microsoft 365 automatically configured out of the box. It reduces attack surface by only allowing apps from the Microsoft Store. In the context of fileless malware, Windows 10 S has PowerShell Constrained Language Mode enabled by default. In addition, industry-best Microsoft Edge is the default browser, and Hypervisor Code Integrity (HVCI) is enabled by default.

Zaid Arafeh

Senior Program Manager, Windows Defender Research team
Click to expand...

Source: Now you see me: Exposing fileless malware Microsoft Secure

:)

Rob Koch · Jan 23, 2018

recording levels automatically being muted and set to zero

Looking at the MalwarebytesLabs description for that
Rootkit.Fileless.MTGen detection shows why an Antivirus like Defender may not detect it, since it isn't a file based infection and combines rootkit techniques as well per the following excerpt.

"Rootkit.Fileless.MTGen is the generic detection for fileless infections that use a

rootkit to hide their presence. In the majority of the cases, they use registry keys that are designed to run Powershell commands that carry out the rest of the infection. Other than Powershell, we have also seen the
mshta command.

More information about fileless infections can be found in our blog post,
Fileless Infections: An Overview."

Hope that does solve your problem, which from your research seems likely.

Marking a post as answer is more valuable than either the optional "Helpful" or "Solved my problem" selections, since this suppresses the default display of other response posts and highlights those marked by the owner as providing the best answer. The
other 2 options are really intended for use by others viewing the thread, since only the thread originator or a moderator can select an answer.

Rob

IngeAgly · Jan 23, 2018

Malicious softwares crashed my system down and I can't even open Windows Defender!

There were no malwares detected using all the scanners you provided to scan my PC but there's still with problem starting Windows Defender. Under Control Panel\System and Security\Security and Maintenance, Virus Protection & Spyware and unwanted software
protection are both off and cannot be turned on. If Windows Defender keeps not available, it means my PC will be at risk and exposed to viruses. If there aren't any further ways to resolve it, perhaps I'll restore my system from a proper restore point.

lx07 · Jan 23, 2018

How is storing data that "Created a registry run key" and "Launched an obfuscated PowerShell script stored in the registry BLOB" in some way "fileless"?

It isn't - unless you want to argue about the semantics of the word "file" where anything (even a script or program) in the registry doesn't count.

This is an odd quote too:

Should you disable PowerShell?
No.
Click to expand...

Probably a better answer would be:

Should you disable PowerShell?
Yes. If you don't need it and want to be more secure then do indeed disable it as then PowerShell based exploits will not impact you.
Click to expand...

Windows 10: Windows Defender - Now you see me: Exposing fileless malware

Windows Defender - Now you see me: Exposing fileless malware

Windows Defender - Now you see me: Exposing fileless malware

Windows Defender - Now you see me: Exposing fileless malware

Windows Defender - Now you see me: Exposing fileless malware - Similar Threads - Defender Exposing fileless

AVG inform me that my laptop is exposed with trojan malware

AVG inform me that my laptop is exposed with trojan malware

AVG inform me that my laptop is exposed with trojan malware

Rootkit/malware screen of death. If you see this lock screen, you are infected

Fileless Registry Trojan

Malware Bytes and Windows Defender

Now you don't see me - and now you see

Now you see it, Now you don't

Fileless malware: The smart person's guide