09 August 2017

An analysis of the fileless malware by Quick Heal Security Labs

Written by Rajib Singha

The fileless malware is a malware family that does not leave any trace of its infection in the affected file system. Also known as the ‘memory resident virus’, this type of malware hides in the registry and memory making it difficult for traditional antivirus software to identify the infection. However, this synonym can now be considered as partially correct as fileless malware are self-evolving steadily and gaining persistence and residence in the location that are difficult to detect.

A fileless malware can also reside in the infected systems as a ‘registry-based malware’. With this type, the malware resides in the Window’s registry without being present on the disk. In order to make its stay persistent, the malware also ensures it gets reloaded in the memory once the compromised system is restarted.

Analysis by Quick Heal Security Labs

Quick Heal Security Labs has observed a similar fileless malware (sometimes known as ‘Powershell Malware’) that uses Powershell to load Base64 encoded shell scripts stored in the Window’s registry leading to the Click Fraud Malware Campaign.

Fig 1. Browsing Protection alert for malicious website

The incident came to our notice when one of our Malware Reporting Systems started receiving continuous Browsing Protection alerts against a malicious website ‘https://soplifan.ru”. Upon analysis, it was found that the same domain was triggered as malicious on several other systems at the same time. This was found to be the result of a fileless malware that eventually tried accessing the detected malicious website.

Digging deeper into the incident, we found the malware to be residing only in the registry sub keys of the compromised computer. This is likely an outcome of malicious spam emails and exploit kits.

The first footprint of the malware is found in the run entry of the current user as shown in figure 2 below.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{CLSID}

fileless2-jpg — Fig 2. Malicious Autorun CLSID key found in run entry of the infected system

The registry key contains the below malicious commands which are used to load the actual malware code.

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp ‘HKCU:\Software\Classes\HZMUQQOTHEK’).QJBBSZWJ)));

Based on the command, Powershell will get auto-launched after startup and will execute the Base64 encoded script from HKCU:\Software\Classes\HZMUQQOTHEK with ‘QJBBSZWJ’ parameter. To ensure a successful and uninterrupted execution, the script is launched in a non-interactive and bypass mode.

fileless3-jpg — Fig 3. HKCU:\Software\Classes entry with encoded script for Execution and memory Code injection

The decoded code in HKCU:\Software\Classes\HZMUQQOTHEK contains blocks of code to decrypt the code further for execution and performs a Reflective PE code injection as shown in figure 4.

The malware uses ‘CreateRemoteThread’ and API such as, ‘VirtualAlloc’, ‘VirtualAllocEx’, ‘WriteProcessMemory’, and ‘ReadProcessMemory’ to do so.

Fig 4. RC4 decryption process on the malicious code.

Fig 5. cmdlet used by powershell for memory code injection.

The process execution can be seen in figure 5 below which shows the malicious process tree.

As shown in figure 6, Powershell launches the malicious script code from Classes resulting in a memory code injection into Werfault.exe and msiexec.exe. As a result, “https://soplifan.ru” gets continuous hist from the victim’s system. Due to the continuous attempt to connect to this URL, the malware tends to perform a Click Fraud Activity.

Related Posts