What is Fileless malware?

Fileless malware are types of malicious code used in cyber attacks that don’t use files to launch the attack and carry on the infection on the affected device or network. The infection is run in the RAM memory of the device, so traditional antivirus and antimalware solutions can’t detect it at all. Malicious hackers use fileless malware to achieve stealth, privilege escalation, to gather sensitive information and achieve persistence in the system, so the malware infection can continue to carry on its effect for a longer period of time.

Creating Obstacles For Forensics

Malware Researcher’s Published a Researcher paper Under Proof of Concepts(PoC) in EForensics Magazine, Infection attack is very simple: the request made by the victim’s machine goes through a channel in which there is an attacker’s proxy that will capture the requests made by the target machine. For example, assuming that the victim visits a website that contains n1n3 (here disguised as an image for the WhatsApp application).

                                                          The attack scenario

How it Works ?

Once downloaded, the n1n3 will run on the target machine, releasing the doors of this machine for data capture.Once its role in the victim machine is completed, the n1n3 self-destructs. The attack is the drive-by-download type and the appeal is the availability of images to the messaging application.

Attacks of this nature are common and are made daily in search of an unsuspecting user. The victim views a website with an image that it downloads (one n1n3 container is the image). The n1n3 runs and connects to the proxy and the attacker exploits the victim machine.

In our scenario, the proxy server was set to be the intermediary between the victim and the
attacker.

The proxy scenario simulating a server of the attacker already configured on the victim machine, starting this moment all shipping this victim will pass the attacker’s server, and this full facility to collect the most relevant information, the passwords banks, email, and social networks, but also can make connections and kidnap a victim using this machine to make more complex attacks.

The attacker’s proxy is configured with packet capture tools (like sniffers), causing all traffic to be diverted so it can be captured .

                                                  Proxy simulation

The structure of n1n3.exe is a small malicious artifact with size 182kb in a binary file. Once running on the victim machine its size becomes little more than being 184kb .

We can clearly see in the figure below that n1n3 is presented under a Whatsapp icon, forcing an attractive social engineering to careless user.

                                            1.  Structure of n1n3.exe

Below image shows ,Your script has instructions for variants that directly affect the registry W10, disabling vital registry system functions, such as the firewall, changing the port connection and the Defender’s defense properties and changing important key features of the system

                                    2.  The structure of n1n3.exe

The features that the script n1n3 has show below: access to important libraries like USER32.dll and LoadLibraryAGetProcAddress is evidence that malware needs these libraries to work.

“Another important function of n1n3 is to operate at the level of Kernel32, calling procedures in free memory (VirtualFree) and allocation (VirtualAlloc), respectively, at the addresses 0x00410F50 and 0x00410F4C, both at the operating level of the Kernel.”

                           3.  The library’s requisition of n1n3.exe

Up to this point of the research, we can identify the address where n1n3.exe begins the execution on the victim machine at the address 0x0040F390

                          4.  Start pointer address of n1n3.exe

The Sysinternals can detect the process n1n3.exe, in this case the PID is 3320. But then the process disappears as if it had been finished. Initially, the PID 3320 appears in green, then marked in red.

Researcher’s said “This is the forensic challenge of our research. The processes marked in a green color are processes that starton the machine. When it is marked in a red color this means that the process (jobs and handles) has finished, but n1n3 is still in an operating state.”

                       5.   The “Narnia realm” of n1n3 malware

Evidence of malicious artifacts

As if we are archaeologists looking for evidence of malicious artifacts on the victim machine basically using Sysyinternal as an ally in this quest, we chose a dynamic analysis and run the n1n3 the second time, now with PID 2688.

What did we find?

First of all, the distribution of the n1n3 memory requests show that the area destined for the own memory heap 1488k with a stack of 3072K against a paging table with only 336k. This shows us that the n1n3 has an interesting fragmentation.

                                      6.    In the depths of HD

Despite the process being identified as finalized, it is observed that the file’s timeline shows that it is possible to identify the mapped the n1n3.exe files with a high fragmentation distributed in various ways of the W10 system.

                                      7.  Mapped file of n1n3.exe

The offsets of ntdll.dll libraries point to the addresses 0x5008d 0x72e50 (Figure 13). All other offsets point to the location of the file on the C drive in the “Users” folder where the careless user installed n1n3.

This feature of Sysinternals, called Call Tree, is extremely important when we are looking for evidence that the malicious artifact is still running in the background and was not finalized. An inattentive user could interpret this signal as if the file was inactive in the system.

                               8.  Offsets and ntdll.dll libraries

Some other evidence that n1n3 is still in the system and making requests even with low intensity of use of themachine memory may be observed in the figures below.

The malicious file is still requesting the rpcrt4.dll services at 0x4036a1 address with the clear intention of causing collateral fault system (known vulnerability and released for part of Windows systems [6]).

The implementation of n1n3 listed on Heap area is 0x405ef7 for addressing, but its location is 0x5ef7 and 0x4036a1 .

                             9. Heap Allocations for ntdll.dll

Researcher’s said ,Finally,considering that we still have ongoing research, our next goal will be to explore the n1n3 by adding more code elements in the script becoming more evasive to the point of fragmentation and can apply “fileless malware” name.

Disclaimer

Malicious code created in the laboratory solely for research purposes. The last stage of the research will be the defenses proposition, based on the Windows platform.

Original Author’s & Credits :

  •     PEREIRA, Paulo Henrique – Researcher at the University Nove de Julho
  •     BORBOLLA, Renato Basante Security and Computer Forensics consultant
  •     FERREIRA, Thiago Geronimo – Security and Computer Forensics consultant
  •     VIEIRA, Rubens Louro –  Researcher –information security

References

[1]. http://www.cert.br/stats/incidentes/2014-jan-dec/tipos-ataque-acumulado.html
[2]. http://globalsecuritymap.com/#br
[3]. http://brazil.emc.com/emc-plus/rsa-thought-leadership/online-fraud/index.htm#!resources
[4]. MUGGAH, R. and THOMPSON, N. Brazil’s Cybercrime Problem. Foreign Affairs. In: https://www.foreignaffairs.com/articles/south-america/2015-09-17/brazils-cybercrime-problem
[5] https://www.unodc.org/documents/data-and-analysis/tocta/10.Cybercrime.pdf
[6] https://support.microsoft.com/en-us/kb/2958386

Also Read :