In this article, Fileless malware has been analyzed and explained in detail. Let’s start.
0:001> What is Fileless Malware?
A fileless malware is a malicious code that exists only in memory rather than installed to the target computer’s hard drive.
Fileless malware is written directly to RAM. The code is injected into some running process, which is then used for executing the malicious code. Fileless malware usually arrive by visiting a malicious website, which then may be redirected to after clicking the attacker’s ad (malvertisement). Because the malware doesn’t exist as a file, it can often evade intrusion prevention systems and antivirus programs.
0:002> Fileless malware sample details
Sample Name: Powerliks
0:003> Powerliks Analysis
The malware on its execution, first calls rundll32.exe which then calls powershell.exe:
powershell.exe will then injects code into dllhost.exe and this dllhost.exe will run as an infected process:
There are some interesting API calls just before powershell.exe terminates. This image has been taken from (https://malwr.com/analysis/NGFlMjQwNGU1MWQ3NDIwY2I0MTU3MzZjNjE3Mj dlNzM):
These API calls are called as Process Hollowing. Malware authors frequently use techniques to hide code behind a legitimate process. These techniques, known as ‘code injection’, are used to perform actions from within the context of another process. By doing so, the malware can force a legitimate process to perform actions on its behalf, such as downloading additional trojans or stealing information from the system. Code injection is a smart way to trick users and process monitoring tools into believing that a legitimate program is running, whereas the actual program that is running is different.
Process hollowing is a code injection technique where a process is created in a suspended state and where the process memory is replaced with the code of second malicious program. After the process memory has been hollowed and replaced with malicious code, the process is resumed.
Code injection can also be seen using volatility’s malfind plugin:
Finding the network connections of infected dllhost.exe:
dllhost.exe connects to: 126.96.36.199 and 188.8.131.52.
This article was specific to the Poweliks malware but the techniques discussed will apply to other fileless malware.