
FileLess Malware Infections: Malware Tricks for Pentesters

BSides Lisbon · 2017 · 44:56 · 355 views · Published 2017-11
About this talk
Fileless malware hides malicious code in system registries, environment variables, and memory rather than traditional files, evading antivirus detection and reducing forensic trails. This talk examines real-world fileless malware families—including WMI-based attacks, Empire, and Duqu—and demonstrates how pentesters can apply these evasion techniques in penetration testing, from initial infection through persistent backdoors using multi-stage scripting payloads.
Original YouTube description
In the non-stop struggle between malware authors and anti-malware software, a new strategy is beginning to gain popularity among the former: infecting systems without using regular files, to hinder detection. Using non-binary code and hiding it in the registry is one of these techniques. In this presentation we are going to view real-world cases of this type of malware and other potential infection vectors. ABOUT THE SPEAKER: Ramon Pinuaga: Pentester and security analyst for more than 16 years in companies like INNEVIS and S21SEC. Currently works as Cybersecurity Audit Manager in PROSEGUR. Specialized in hacking techniques and offensive security. Former speaker at NoConName, RootedCon and Sec-T conferences.
Transcript [en]

Thank you. Hello everybody. First I want to thank the organization for having invited me to give this talk, and thank you all for coming. I'm Ramon Pinuaga. I'm going to talk about fileless malware and what lessons we can learn from this kind of malware for doing penetration testing, or hacking in general. This is a small summary of what we're going to view: first I'm going to present what fileless malware is, what we can consider fileless malware, then we are going to view some real-world examples, and how we can build a penetration testing process based on this kind of techniques.

I am Ramon Pinuaga, as I said before, and I work as a pentester. I was working as a pentester for many years; I currently work for Prosegur, which is a traditional physical security company, but it's also doing cybersecurity now. I'm Spanish, I work for Prosegur, and I prefer the offensive side of cybersecurity, so this talk is more focused on the offensive side, but it has a lot of implications for the blue team, for how to detect this kind of attacks. So first, what is fileless malware? Fileless malware is malicious code that doesn't need to create or drop files on a system.

This kind of malware tries to move away from the traditional malware rationale, the binary or monolithic malware. This kind of malware, for persistence, always needs to create something or leave something on the system, but this can be very small, very hidden, to make its detection difficult. I have mentioned that it's malware that moves away from the regular way of working of malware, away from using regular files, but in a computer system almost everything ends up in a file, so we are talking about not using regular files. For example, most of the techniques we are going to view hide things in the

registry. In a Windows system the registry is where the system hides everything. The registry is not a file, well, it is in a file, but it's a very big file, a very complex file, so nobody is going to upload this file to VirusTotal or scan this kind of big files. So when we are speaking about fileless malware we have two types of techniques for doing so. We can not use code or malware at all; for example, we can modify the configuration of a system without leaving any file or anything on the system, but with this

configuration we can backdoor the system, so we can access the system later. (Let me try a bit louder; excuse me, I have a bit of a cold.) We can try to not use malware at all, not use code, and we can also use code, but code that never touches disk: we can hide this code in some places that are not files, and we can obfuscate, we can hide this code from the security tools. So we have two different types of techniques. Why fileless malware? Every day we see more of this kind of techniques, of this kind of malware, and this is because security tools

are getting better, so malware tries to evolve to avoid detection. And why is this kind of technique interesting in pentesting? For the same reason: if we are not using files we can try to evade antivirus, because most antivirus or security tools depend on scanning a file, on scanning something, for detection. So if we don't have files we don't have anything to scan, we don't have anything to upload to a sandbox, we don't have anything to upload to VirusTotal. That way, working without files, we make detection more difficult. Working without files is also convenient for leaving a smaller forensic trail; we leave fewer things on the system, so we complicate the work for

the forensic analyst. This kind of techniques are also useful in difficult environments, environments where the installation of new things is restricted, environments where it's hard to upload new things; if we are working without files we can work in this kind of environment. This kind of techniques are also useful in bypassing application whitelisting solutions, because we are not working with files. Application whitelisting solutions usually work by blacklisting or whitelisting some types of binaries, of files, so if we are not working with files it's easy for us to bypass this kind of technique, to work in this kind of environment. Most of these techniques are useful for

almost any kind of environment, but I'm focusing more on Windows systems, which is the most usual environment in penetration testing, but some techniques are also useful for hacking Linux or other kinds of systems. So in this talk we are going to use the techniques used in fileless malware for doing penetration testing, but most of the malware that we are going to use as examples is malware from APT operations, advanced malware, and an APT is not the same as penetration testing. In penetration testing we have big differences with an APT: usually a penetration test is carried out in a short frame of time, we

have a smaller period of time to do the pentest, and on the contrary APT operations usually are long term. Usually in pentesting we don't need to stay in a system a lot of time; we usually need only a couple of days of persistence, or sometimes we don't even need persistence. In a pentest engagement we have a scope, we have a target, and we try to get to that target as quickly as possible; on the contrary APT operations usually are long term and the attackers try to stay on the system more time. So from the lessons we are going to

learn from APT operations, or from fileless malware, we are going to use only the simpler or the more effective ones. For the same reason, usually in pentesting we don't need access to the kernel of the system; we prefer simple techniques, so usually we don't use rootkits, bootkits or that kind of infection technique, a lot of the time because the scope of the engagement doesn't allow us to do this kind of things. On the contrary, an APT operation usually wants this kind of access to have a higher degree of hiding, a higher degree of effectiveness. So for the techniques we are going to view,

when we apply these techniques to pentesting we try to use the simpler or the more effective ones, so usually we stay in user land and we don't use rootkits, bootkits or that kind of infection technique, and we are not using a kernel implant or something like that. So in this talk we are going to focus on simple and easy to carry out techniques, and I have a video for showing you one of these techniques. It's a very common trick for penetration testing. Stop this, can you see the screen? Let me make it bigger. It's not very clear.

Well, I can explain it to you more or less. In this technique we are going to combine two techniques: we are going to create a backdoor on a system without creating any file. I don't know if we can have some... so here

it's full screen, it's not... I can't make it bigger. After the talk I'm going to put this video on YouTube so you can review it, but I'm going to explain it: we are going to combine two techniques for backdooring the system without creating any file. First, we are combining the terminal service that is available in all Windows, the remote desktop, with the hijacking of the sticky keys binary. The sticky keys binary in Windows is a binary that starts when you hit the uppercase key five times, and it works everywhere in Windows, even when the user is not logged in. So we are going to activate it. It's not very easy to see, but I'm

modifying two registry keys to activate remote desktop on the system, and by modifying one entry in the registry of Windows I am hijacking the sticky keys binary and replacing it by cmd.exe, the Windows shell. So when I hit the uppercase key five times it will start a Windows command shell and not the sticky keys binary. I have activated the remote desktop and, for hiding the backdoor, I have also changed the TCP port where Remote Desktop listens to use another port, and after that I am restarting the service. I also need to open the Windows firewall,

the port, in the firewall. So I have configured that only by modifying three registry entries on a Windows system. I only need to connect to this port and open a remote desktop connection (I don't have any credentials or username), hit the uppercase key five times, and I have a shell. So with only three registry keys I can backdoor the system in a way that I don't create any file, I don't modify any file on the system, and this vector has the additional feature that there is no user logged in: the shell is opened as SYSTEM, so I have full control

of the Windows system without creating any file, so I am NOT going to be detected by any antivirus or most security tools. It leaves a very small forensic trail, so it's hard to detect and to prevent, and with three simple commands I have installed a backdoor on a system. So this is the idea of this kind of techniques.

So what are the challenges of fileless malware? Fileless malware needs to achieve two things. Fileless malware needs to keep code, to hide code, in a part of the system; it can't create files, so we need to keep our code in other places. And we need to execute that code; we need a first stage to launch that malware. So we have two challenges. How do we keep code without files? We have a lot of different places to choose. For example, we can keep the code in memory; some famous malware families use this kind of hiding. The problem with keeping all the code in memory and

not keeping anything on disk is that we don't have persistence, so it only works in high-uptime systems; if the system reboots we lose the code, the malware. So we have other techniques to solve that: we can also store the code in non-file, or non-regular-file, storage, for example the registry. As I said before, the registry is a typical place where malware hides, where malware can hide. We can hide code that is not in the file system; for example we can hide code outside the file system in the UEFI, in the HDD firmware, in hidden disk areas, but for this kind of hiding we need rootkit capabilities, we can't do

it from user land, so for this talk this kind of hiding is not interesting. What other places can we use for hiding code? For example, we can store code in the cloud, in the network, and make our first stage download this code. This is not a perfect solution, because the system can be isolated or can lose the network connection, but we can try to do that. A place where a lot of malware tries to hide, a traditional place for hiding, is the metadata of the file system: in an NTFS file system we have what we call ADS, alternate data streams, metadata

associated with a file, and we can hide malware there. There are a lot of families of malware that use this technique for hiding. These techniques are used by a lot of malware families and are more traditional, more watched by antivirus and security tools, but we have other, newer ways of non-regular-file storage. For example, it's very common in new waves of APT groups to use WMI, Windows Management Instrumentation, subscriptions for hiding and for executing code. These subscriptions let us store code in the Windows system that is not in any file, so it's a good

way for hiding code. We can also use the Windows event files to hide code; Windows events have a field where we can store code and we can call that code later. These .evt files are also files, but they are big files and almost no security tool scans this kind of file, so we can keep code hidden in these events. Another option is to hide code in Office documents, .docx files, PDF files. I'm not talking about infecting by Word macro or macro reuse; I'm talking only about using legit files that are already in the system for hiding malicious code inside of these

files. This is not a very good option for hiding code, because this kind of files are nowadays one of the main ways of infection, so they are usually very controlled, very watched by antivirus and security software, but sometimes we can use them for storing code, not for infection but for hiding things inside of them. And we have more new techniques: for example we can use the space that we have in file or directory names, or the space we have in environment variables, to keep code inside of them. We can chunk our payload in small chunks and store this code in these places. In file or

directory names we have 255 bytes of space; we can use a small chunk of code and distribute it among different file names. And with environment variables we have 4096 bytes of space for storing code, so we can still store code there. I haven't seen any malware or any proof of concept that uses this kind of storage for keeping malware, but it could be done, and I have one small example of this kind of technique. Let's see if this one shows better.

Okay, so in this one I'm going to combine some of these techniques. I'm going to backdoor a system, to install a backdoor on a system, using three stages. The first stage is going to be in the registry, and what I'm doing is adding a Run key in the registry for the malware, for the backdoor, to start. This is the entry: I have created an entry called winlogon that makes a call to the Windows shell, cmd.exe, and loads what I call stage two, our second stage. This entry is not very stealthy, it's a bit noisy; a malware analyst can detect this kind of backdoor,

but I am not including any malware, any malicious code, in this entry, so for antivirus, automated scanners, it is going to be difficult to detect this kind of backdoor. So the first stage is very small and very simple and can pass undetected. This is our first stage. The second stage I'm going to include in an environment variable. In Windows I can create persistent environment variables, like in Linux, and I'm going to create an environment variable with the name stage two, and this environment variable contains a small chunk of PowerShell code. I have this

second stage, which is a very simple PowerShell, only a line of PowerShell, and what this code does is read the contents of this folder, a folder in the desktop called demo, and call the code that is stored in this folder. So we have created only one registry entry and one environment variable. I'm going to log out and log in again to check if the backdoor is working, and the backdoor that I have created for this demo is a simple Metasploit payload that opens a calculator. So I'm logging out and logging in again and the backdoor, the simulated backdoor, is

going to pop up. So let's see: this is the folder demo, this is the folder where the payload is, and here we have the calculator. But let's see what is inside this folder. Well, this is the contents of the folder: as you can see, size 0 bytes, there is nothing there, it contains 0 files, but here's the trick: 32 folders. It is not completely empty, there are folders in there. So let's see what happens if we open the folder.

So the folder is empty, there's nothing here. Somebody can think, what is happening? It's a simple trick: I have configured the folders to be hidden. Windows by default doesn't show hidden folders, but if we configure Windows to show hidden folders, here is where the real payload is, and the payload is a simple Metasploit payload encoded in base64 but split in chunks that use the names of the folders for getting the malicious code. If we upload this kind of files to VirusTotal they are empty folders, so there is no detection, and we can keep code hidden in the system without being detected. So we are

trying to make detection by traditional antivirus or security tools more difficult by changing the place where we store the code. So we have our first challenge, which is where we can keep code, and we have another challenge: how can we load, how can we execute, that code that we have stored in these places? We have some options. For example, we can call that code remotely or inject the first stage via a remote exploit, but this is not very convenient: if every time I want to reinfect the system I have to make a remote call, it's not very useful for persistence, so

usually we don't use this kind of technique. Another option is to load our first stage from a remote system, for example using a remote network share via SMB or via WebDAV; I can configure, for example, an autostart program that is located in a remote folder. This way we don't keep anything in this file system, but it's not very useful, because a forensic analyst could detect where the initial payload is and have a copy of it. So we have to try other options, and the most common option used by malware that works fileless is to use scripting languages. In the demo, as I

showed you before, the second stage was a small PowerShell. PowerShell is a very powerful scripting language in Windows and is the option that most malware uses for doing things. The problem for pentesters is that the latest versions of PowerShell have more security, have more restrictions and generate a lot of Windows events; they have more logging capabilities. Because PowerShell is the option for most malware creators, Microsoft is including more security features in PowerShell to make this kind of attacks difficult. So PowerShell is not the best option, because it is easy to detect and it leaves a lot of forensic trails, so

another option is to use the traditional JavaScript or Visual Basic scripting that is integrated in all Windows versions. We can use this kind of scripting to load a first stage for our malware. One of the advantages of this kind of scripting is that we can load this kind of script from different tools: for example we can use wscript, we can use mshta, rundll32, we can use different binaries to load this kind of script, and all these binaries are by default in our Windows version, so we can choose our way of launching the malware. Another option we have for the first stage of our malware is to use .NET assemblies:

.NET assemblies can be loaded remotely, so we can use any of these tools to load a remote binary, a remote .NET assembly, for launching our malware. So what's the conclusion for creating our fileless penetration framework? Usually a penetration testing framework is a bunch of tools that, when we compromise a system, we upload, and we create a way to keep that, and we use that system to attack others. What we need is to create the same type of framework without files, without uploading anything to the system, so we need tools already installed on the system. For example, some

of these tools: we need to choose which ones we need, and we need to create code to be launched by these tools. We need tools that allow receiving external input; we need tools that work without the need of creating any files or using files on the system; so we need tools that allow us to send input remotely or to give input via the command line, so we don't need any files for working. And as a bonus point, if the tools are signed by Microsoft, or created by Microsoft (all these tools are signed), if they are signed by Microsoft it's easy to use

them for bypassing, for example, application whitelisting. If we have an application whitelisting solution that allows Microsoft applications to run, we can use any of these tools to bypass the whitelisting and execute our code. So if the tools are signed, it's better. Real-world examples: I have selected some malware families that are very successful in the field and that are very efficient, and all these malware families work in a fileless way. The concept of fileless malware is not new; we have examples of malware that doesn't use files even in 2003, but it's malware that is not very... they are worms, they are

not... they don't have many functionalities. But there are some examples. One of the first cases of fileless malware that had all the capabilities is Poweliks. Poweliks is usually recognized as one of the first and most famous fileless malware, and Poweliks opened the door for this kind of malware. Poweliks was a very successful malware family that had a lot of strains, a lot of variants, and was very successful; Poweliks was not detected by many antivirus and security products for months, so it was very successful. And how did it work? The infection usually was carried out by a Word macro, so it was

not fully fileless, excuse me: the infection was carried out using a file, but after that the malware becomes fully fileless. The first stage is a Run key; it's a bit noisy and easy to detect, but most antivirus doesn't detect these entries, and after that the malware first loaded JavaScript code, a JavaScript code that loaded PowerShell code that was encrypted and obfuscated in another registry entry, and this PowerShell injected a DLL, a traditional binary malware, in the memory of a legit process. So this is an example: these are the registry entries where the malware hides, this is

the initial rundll32 load, and this is the second stage, encrypted so an antivirus tool can't detect it. Another successful fileless malware family was WMIGhost. Poweliks was financially motivated malware, but WMIGhost is malware used in APT operations, so WMIGhost used a different strategy. The infection and deployment of the malware was done using files, so it created some files on the system, but after that it became fully fileless: after all the initial files were deleted from the system, the malware created WMI event definitions, WMI consumers, so it remains in the system, in its root, and it doesn't need any type of file.

The first stage of the malware was JavaScript and then it loaded a binary malware. There are some different variants. So the ones we have seen are malware, but in 2015 a group of people created Empire. Empire was one of the first penetration testing frameworks, it was a remote administration tool, a tool to do penetration testing using fileless techniques, and this tool tries to be as fileless as possible, trying to work always from memory. It's a very complete tool for penetration testing; it has a lot of features, it has a lot of options for persistent storage, it has a lot of

options for the loading of the tool, so it's a very good example of a fileless penetration testing kit. And we can't end the review of famous malicious fileless malware without speaking about Duqu. Maybe by the name Duqu you don't remember, but Duqu 2 was famous for infecting Kaspersky. It was malware used by an APT group to infect a malware company, and it infected a lot of systems in this company by using fileless strategies: the malware mainly stays hidden in memory and only a few selected hosts in the network keep the malware on disk, so

it was very hard to detect, and the initial infection vector was done by MSI packages, but after that the malware becomes fully fileless. So what lessons can we learn from these malware families? We can learn techniques that allow us to bypass the security tools, antivirus, and we can learn from their behavior how we can create a pentesting strategy, or a pentesting policy, for being undetected or being more hard to detect. So what is the common fileless malware behavior? Most of this malware has multiple stages, for making it easier to hide the first stage, for making this first stage harder to detect, and usually they use a small

script, a small JavaScript or Visual Basic script, and not directly PowerShell; PowerShell is easier to detect. But these scripting languages don't have, for example, capabilities for memory injection, so for doing the memory injection they usually use a second or third stage based on PowerShell that makes the injection of the main body of the malware. And the third stage, the main functionality of the malware, usually is a traditional binary malware contained in a DLL or an EXE file, but this binary never touches disk; it's always encrypted or hidden in a way that it can't be detected. So let's build our penetration testing framework using

these techniques. First we need a way of infecting a system without using any files, to reduce or to make difficult the detection of this kind of file. This is not common; even the malware families we have seen use files in this phase, so it's not easy to exploit the system without using any files, but there are some exploits that we can use for this kind of infection. For example, we can use exploits that are inside the stream of a protocol, protocols that use streams; we can try to exploit lower network layers like SSL or SMB protocols, or we can try to attack open network services, so we

don't need to send any kind of file. We had a perfect example of this kind of exploit this year in EternalBlue. EternalBlue was almost the perfect fileless exploit: it was an exploit very difficult to detect for security tools; even after Microsoft published a patch, published the vulnerability, most security tools didn't detect this kind of exploit. Nowadays it's very popular, nowadays a lot of tools detect this kind of exploit, but when the exploit was published most security tools didn't work with this kind of exploit, and it was the perfect fileless exploit because it injected the payload in the memory of the kernel of the attacked machine without creating any file, without

transmitting any file, and it was a direct injection in memory, so it was very hard to detect. If we can achieve a fileless infection, then we need to create a fileless backdoor; for example, the one I have used in the first video: we can activate remote access, remote desktop for example, and we can hijack some binary that could be opened for backdooring the system. We also have the traditional way of creating a backdoor in a system, which is adding a user with administrator capabilities and using this account for launching remote commands. In Windows we have a lot of options to launch remote commands: we can use PsExec-like command execution, we can use WMI,

we can use scheduled tasks, we can use WinRM. That way we don't install anything on the system and we can access the system later. We can also create Silver or Golden Tickets. A technique that I like, because it's also very simple and very powerful, is to configure a proxy in the system and to weaken the security of the system. For example, this technique is even possible in an iPhone, and an iPhone is a very secure, very restricted environment, most of all in the last versions, because Apple restricts a lot what we can install on a phone; it's very hard to install a backdoor, to install

malware in an iPhone, because Apple doesn't allow us unless the mobile is jailbroken, which is not very common. But we can modify the configuration: it's very difficult to install malware even if we have physical access, but if we have physical access to the phone we can change the configuration. We can configure a proxy so all the IP traffic of the phone goes through a rogue proxy, a malicious proxy, and nowadays most communications use SSL, are encrypted, so we have to weaken the security of the phone: for example, if we need to inspect SSL traffic we can install a rogue certificate authority in the phone, so we can do

man in the middle of the SSL traffic, so we can decrypt the traffic of the phone. So in a very restrictive environment that doesn't allow us to install a backdoor, via configuration modification we can achieve some kind of backdooring. The last thing we need in our perfect fileless pentest operation is installing some kind of persistence. We have some options, most of them using the well-known registry autostart entries: we can create a Run entry, we can create a scheduled task, we can use WMI, we can create a service (the definition of a Windows service is also in the registry), so we can create our custom service.
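A defender-side audit of the locations used in the two demos above (the sticky keys and remote desktop backdoor, and the Run key to environment variable to folder-name chain), run over a snapshot of registry values, environment variables and a directory listing. This is example code added here, not code from the talk; the snapshot data is constructed, and the Image File Execution Options "Debugger" value is assumed to be how the sticky keys binary is hijacked, since the talk does not name the registry value it modifies.

```python
"""Defender-side audit of the persistence spots the talk describes.  Added example
code, not from the talk: it scans a snapshot of registry values, environment
variables and a directory listing for the sticky keys hijack plus RDP changes of
the first demo and the Run key -> environment variable -> folder-name chain of the
second.  All data is constructed; the IFEO 'Debugger' value is an assumption."""
import base64
import binascii
import re

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# Accessibility helpers reachable from the logon screen; sethc.exe is sticky keys.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")
SHELLS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta")
SYSTEM_VARS = {"SYSTEMROOT", "WINDIR", "PROGRAMFILES", "PROGRAMFILES(X86)", "APPDATA", "LOCALAPPDATA"}
SCRIPT_MARKERS = re.compile(r"(?i)\b(iex|invoke-expression|get-childitem|gci|frombase64string|downloadstring)\b")
B64_NAME = re.compile(r"^[A-Za-z0-9+/]+=*$")

def check_accessibility_hijack(registry):
    """IFEO 'Debugger' values that redirect an accessibility binary to a shell."""
    findings = []
    for exe in ACCESSIBILITY_BINARIES:
        debugger = registry.get(IFEO + "\\" + exe, {}).get("Debugger", "")
        if any(s in debugger.lower() for s in SHELLS):
            findings.append(f"IFEO debugger hijack: {exe} -> {debugger}")
    return findings

def check_rdp(registry):
    """RDP enabled (fDenyTSConnections == 0) on a port other than the default 3389."""
    enabled = registry.get(TS, {}).get("fDenyTSConnections") == 0
    port = registry.get(TS + r"\WinStations\RDP-Tcp", {}).get("PortNumber", 3389)
    return [f"RDP enabled on non-default port {port}"] if enabled and port != 3389 else []

def check_run_keys(registry, env):
    """Run entries that start a shell and expand a non-system variable, plus
    environment variables that carry script code (the talk's stage two)."""
    findings = []
    for key in RUN_KEYS:
        for name, cmd in registry.get(key, {}).items():
            if not any(s in cmd.lower() for s in SHELLS):
                continue
            for m in re.findall(r"%(\w+)%|\$env:(\w+)", cmd):
                var = m[0] or m[1]
                if var.upper() not in SYSTEM_VARS:
                    findings.append(f"Run entry '{name}' expands %{var}% into a shell: {cmd}")
    for var, value in env.items():
        if SCRIPT_MARKERS.search(value):
            findings.append(f"environment variable {var} contains script code")
    return findings

def check_chunked_dirs(listing):
    """A directory whose empty, hidden subfolders have base64-shaped names that
    concatenate (in listing order) into a decodable blob of useful size."""
    findings = []
    for parent, entries in listing.items():
        if not entries or not all(e["hidden"] and e["size"] == 0 and B64_NAME.match(e["name"])
                                  for e in entries):
            continue
        try:
            decoded = base64.b64decode("".join(e["name"] for e in entries), validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(decoded) >= 16:  # short accidental matches are ignored
            findings.append(f"{parent}: {len(entries)} empty hidden folders decode to {len(decoded)} bytes")
    return findings

def audit(registry, env, listing):
    """Run every check over one snapshot and return the list of findings."""
    return (check_accessibility_hijack(registry) + check_rdp(registry)
            + check_run_keys(registry, env) + check_chunked_dirs(listing))

# Constructed snapshot mirroring the two demos (not real host data).
_BLOB = base64.b64encode(b"CONSTRUCTED SAMPLE PAYLOAD (opens calc in the demo)").decode()
SAMPLE_REGISTRY = {
    IFEO + r"\sethc.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"},
    TS: {"fDenyTSConnections": 0},
    TS + r"\WinStations\RDP-Tcp": {"PortNumber": 4444},
    RUN_KEYS[1]: {"winlogon": "cmd.exe /c %STAGE2%",
                  "OneDrive": r"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
}
SAMPLE_ENV = {
    "PATH": r"C:\Windows;C:\Windows\System32",
    "STAGE2": r'powershell -nop -c "IEX(... (Get-ChildItem -Force C:\Users\demo\Desktop\demo).Name ...)"',
}
SAMPLE_LISTING = {
    r"C:\Users\demo\Desktop\demo": [{"name": _BLOB[i:i + 8], "hidden": True, "size": 0}
                                    for i in range(0, len(_BLOB), 8)],
    r"C:\Users\demo\Documents": [{"name": "reports", "hidden": False, "size": 0}],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_REGISTRY, SAMPLE_ENV, SAMPLE_LISTING):
        print(finding)
```

On a live host the same checks would be fed from registry exports, the machine and user environment blocks, and a recursive listing that includes hidden entries; the heuristics are deliberately loose, so treat a hit as something to triage rather than as proof of compromise.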

Usually all this kind of persistence is too noisy for a human analyst, but it is very hard to detect with automated tools if we use an encoded payload or we use simple code that doesn't contain a malicious action, so that way we can achieve persistence without creating many detectable evidences. So, conclusions: we can learn a lot from this malware and we can carry out a full pentest operation with these techniques without using any files, or almost any files, and leaving very few, very difficult to detect, small chunks of code for persistence. We are seeing every day more and more malware families that are

using this kind of techniques, and in pentesting we are going to view more and more this kind of techniques, because they are very useful for bypassing security tools. So, questions, comments? I'm going to put the videos on YouTube and I understand that these slides are going to be put online. So, any questions? This is my Twitter account.

[Applause]