Tearing apart a fileless malware sample
Michel Coene
SANS@Night
About us
Michel Coene
DFIR and Threat hunting @ NVISO
SANS Instructor development program
@coenemichel
What will we talk about today
• Introduction
• Fileless malware
• Cryptocurrency mining malware
• Tearing apart a sample!
The cyber kill chain
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives
What is fileless malware
Fileless malware is malicious computer code that exclusively exists in memory and does not write any part of its activity to disk.
Two variants: persistent and non-persistent.
Persistent fileless malware (kill chain phase: Installation)
• Fileless malware
Combining best of both worlds (kill chain phase: Installation)
How it works – deep dive
Fileless code runs in a new process (exe) or in an existing process (DLL):
• New process: Win32 CreateProcess
• Existing process: Win32 LoadLibrary
(diagram label: AV)
How it works – deep dive
How does fileless malware work?
• Inject code
(diagram: Process (ex. Explorer.exe) ← Win32: CreateProcess; Custom loader → Malicious code)
How it works – deep dive – Fileless code
• The code for fileless malware can take several forms:
  • Shellcode
    • VirtualAlloc
    • WriteProcessMemory
    • CreateThread/CreateRemoteThread
  • DLL
    • Custom loader
    • Reflective loader
  • …
• Advantages of coding a DLL
  • Many powerful development tools (Visual Studio)
  • Reusing code
How it works – deep dive – PowerShell
• PowerShell is a very powerful programming language with access to:
  • Win32 API
  • .NET Framework
  • ActiveX
  • …
• Facilitates administration of Windows (legitimate application)
• So versatile and powerful that it is often used as loader and host for fileless malware
  • powershell -Command …
  • powershell -EncodedCommand …
How it works – deep dive – PowerShell
(screenshot: PowerShell loading a library / .NET code)
(screenshot: the same script passed as an Encoded Command)
How to detect?
No files you say?
(screenshots)
Registry run keys to check:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Detection approaches:
• Hunt for suspicious registry run keys and scheduled tasks
• Behavior based detection
• Look for known IOCs:
  - C2 traffic
  - Specific registry keys
  - Specific scheduled tasks
• Prevent known malicious items from entering your environment
Cryptocurrency mining malware – What is it? What does it do? (kill chain phase: Action on Objectives)
In browser mining (kill chain phase: Delivery)
Source: blog.malwarebytes.com
Evolution from ransomware to cryptocurrency mining malware
• Ransomware attacks are becoming harder to execute
  • Microsoft is adding the Controlled folder access feature to Windows Defender Security for Windows 10 users to prevent malicious (or unexpected) alteration of important files
  • Everyone advises against paying
  • Easily detected
  • There are countries and regions where victims cannot pay the ransom
• Cryptocurrency mining often flies under the radar
Source: blog.fortinet.com
Implications for companies
• Power
• Cost
• Might harm the production environment (CPU, stability, might kill processes, etc.)
Detecting malware
• AV detection for files was originally based on signatures (sequences of bytes / heuristics)
• On disk, Windows provides file system filters (intercepting all bytes read from disk)
• A similar mechanism does not exist for memory → AV detection bypass
• Next option to detect fileless malware: observe behavior
  • Is this program encrypting files? Strange, this could be ransomware …
  • Is this program mining cryptocurrency? OK, this could be benign …
• Not all AVs have (advanced) behavior analysis engines
(diagram labels: Process, AV)
Our sample
• How did we know there was malware about?
  • No AV alerts
  • Observed TCP connections to a Monero mining pool
  • Observed a PowerShell process consuming a lot of CPU
• How did we sample the malware?
  • Specialized task managers like Process Explorer can inspect the command line of processes
    • powershell -EncodedCommand QQBkAGQALQBUAHk…
  • … and show the parent process
    • Task Scheduler
  • The BASE64-decoded PowerShell script accessed a value in the registry
    • {95EF38A4-95F9-55C1-55302E9FD8427349}=AAAId0wBAAOWAAADKWBNWpAA…
  • Create a memory dump of the process & carve executables
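Added example (my code, not from the slides): a Python hunt helper for the detection path the deck describes. It takes autostart entries collected from a host (Run-key values or scheduled-task actions), decodes any -EncodedCommand payload (base64 over UTF-16LE) and flags the loader traits listed in the talk: a BASE64 blob pulled from the registry, Add-Type/Win32 API use, in-memory .NET assembly loading and the VirtualAlloc/CreateThread family. The sample entries, the script inside them and the short prefix list for -EncodedCommand are constructed assumptions.

```python
"""Hunt helper: find encoded or hidden PowerShell launches in autostart
entries, decode them and flag fileless-loader traits (added example)."""
import base64
import re

# Registry autostart locations from the "How to detect?" slide.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec,
# -enc, ...); the prefixes below are an assumed heuristic, not an exhaustive list.
_ENC_RE = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
)
_HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b")

# Traits of the fileless PowerShell loader described in the deck.
INDICATORS = {
    "win32_api_from_powershell": re.compile(r"(?i)\bAdd-Type\b|DllImport"),
    "memory_injection_api": re.compile(
        r"(?i)VirtualAlloc|WriteProcessMemory|CreateRemoteThread|CreateThread"),
    "registry_payload_read": re.compile(r"(?i)Get-ItemProperty[^\n]*HK(?:LM|CU)"),
    "inmemory_assembly_load": re.compile(
        r"(?i)\[(?:System\.)?Reflection\.Assembly\]::Load\b"),
    "nested_base64": re.compile(r"(?i)FromBase64String"),
}


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if absent/invalid.
    PowerShell encodes the script as base64 over UTF-16LE, not UTF-8."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def score_script(script):
    """Names of the loader traits present in a decoded script, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def hunt_autostart(entries):
    """entries: {(location, value_name): command_line}, e.g. Run-key values or
    scheduled-task actions collected from a host. Returns one finding per
    PowerShell launch that is encoded or hidden; other entries are ignored."""
    findings = []
    for (location, name), cmd in entries.items():
        if not re.search(r"(?i)powershell", cmd):
            continue
        script = decode_encoded_command(cmd)
        if script is None and not _HIDDEN_RE.search(cmd):
            continue
        findings.append({
            "location": location,
            "value": name,
            "encoded": script is not None,
            "indicators": score_script(script) if script else [],
        })
    return findings


def encode_for_powershell(script):
    """Build the base64/UTF-16LE form, used here only for constructed test data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed, non-functional sample: it only carries the strings a loader like
# the one in the talk contains (registry blob, Add-Type, in-memory assembly load).
CONSTRUCTED_SCRIPT = (
    "$b = (Get-ItemProperty 'HKCU:\\Software\\ConstructedExample').Payload;"
    "Add-Type -TypeDefinition $src;"
    "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b))"
)
CONSTRUCTED_ENTRIES = {
    (RUN_KEYS[1], "Updater"): "powershell.exe -NoP -W Hidden -EncodedCommand "
                              + encode_for_powershell(CONSTRUCTED_SCRIPT),
    (RUN_KEYS[0], "Backup"): r"powershell.exe -File C:\scripts\backup.ps1",
    (RUN_KEYS[0], "Audio"): r"C:\Program Files\Constructed\tray.exe /autostart",
}

if __name__ == "__main__":
    for finding in hunt_autostart(CONSTRUCTED_ENTRIES):
        print(finding)
```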
The loader
(screenshot of the loader: Registry, 32-bit/64-bit, BASE64)
(screenshot of the loader: Win32 API calls)
The "package"
(screenshot: embedded PE file)
The "package" is known to VirusTotal, and triggers AV.
"Trojan injector cvt" does not yield valuable information.
The carved DLL has been analyzed before, without success.
Dynamic analysis
• No useful info online: we had to analyze the sample ourselves
• Create a .ps1 file combining the loader and the "package"
• Focus dynamic analysis
  • Submit it to sandboxes
  • Run it on a physical machine
Mining activity
(screenshots)
On 22/02/2018:
- 1 XMR = 255 EUR
- 600 XMR = 153 156 EUR
On 17/04/2018:
- 1 XMR = 161 EUR
- 663 XMR = 106 743 EUR
(chart: mining activity over time, time in UTC)
Worm activity
Scanning port 445? An EternalBlue worm?
(diagram: EternalBlue/Shellcode, Gitlab, "Package")
1) Persistence on Windows XP: file based
2) Persistence on > Windows XP: fileless
SMB1 = 0 (disable SMBv1): immunize!
Worm activity
Active since August 2017; a history of versions.
Info stealing activity
Why is it accessing these files? Why is it connecting to Tor?
(screenshot: FileZilla storing credentials)
(screenshot: FileZilla credentials file read into memory; FileZilla credentials decoded)
Concluding
Miner, Worm, Info stealer
Q&A
@coenemichel
53

Weitere ähnliche Inhalte

Was ist angesagt?

Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryJoe Desimone
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit KitsJoe Desimone
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysissecurityxploded
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web WorkshopDennis Maldonado
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCanSecWest
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memorysecurityxploded
 
Investigating Hackers' Tools
Investigating Hackers' ToolsInvestigating Hackers' Tools
Investigating Hackers' ToolsIsrael Umana
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersTazdrumm3r
 

Was ist angesagt? (20)

Ch0 1
Ch0 1Ch0 1
Ch0 1
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit Kits
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
 
Antivirus is hopeless
Antivirus is hopelessAntivirus is hopeless
Antivirus is hopeless
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Investigating Hackers' Tools
Investigating Hackers' ToolsInvestigating Hackers' Tools
Investigating Hackers' Tools
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware Behavior
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
 

Ähnlich wie Sans london april sans at night - tearing apart a fileless malware sample

Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdflior mazor
 
CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)PROIDEA
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software rajakhurram
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Hacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical HackingHacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical HackingRavi Sankar
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith Jones, PhD
 

Ähnlich wie Sans london april sans at night - tearing apart a fileless malware sample (20)

Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
 
CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)CONFidence 2017: Hiding in plain sight (Adam Burt)
CONFidence 2017: Hiding in plain sight (Adam Burt)
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Hacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical HackingHacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical Hacking
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Tech w23
Tech w23Tech w23
Tech w23
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysis
 

Kürzlich hochgeladen

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Corporate and higher education May webinar.pptx
Sans london april sans at night - tearing apart a fileless malware sample

1. Michel Coene: Tearing apart a fileless malware sample (SANS@Night)
2. About us
   • Michel Coene
   • DFIR and Threat hunting @ NVISO
   • SANS Instructor development program
   • @coenemichel
3. What will we talk about today
   • Introduction
   • Fileless malware
   • Cryptocurrency mining malware
   • Tearing apart a sample!
4. What will we talk about today: Introduction
5. The cyber kill chain
   • Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives
6. What will we talk about today: Fileless malware
7. What is fileless malware
   • Fileless malware is malicious code that exists only in memory and does not write any part of its activity to disk as a file.
   • Two variants: persistent and non-persistent. A persistent variant still needs something on the host to survive a reboot; it keeps that in the registry or in a scheduled task rather than in a file (see slides 18 and 29).
8. Persistent fileless malware (kill-chain phase: Installation)
9. Combining best of both worlds (kill-chain phase: Installation)
10. How it works – deep dive
   • The code runs either as a new process (exe) or inside an existing process (DLL)
   • New process: Win32 CreateProcess
   • Existing process: Win32 LoadLibrary
   • Both load from disk, and the diagram places AV on that file-loading path (slide 28 explains why)
11. How it works – deep dive: how does fileless malware work
   • Inject code: a custom loader places the malicious code inside a process (e.g. Explorer.exe); diagram labels: Win32: CreateProcess, Custom loader, Malicious code
12. How it works – deep dive – Fileless code
   • The code for fileless malware can take several forms:
     • Shellcode
       • VirtualAlloc
       • WriteProcessMemory
       • CreateThread/CreateRemoteThread
     • DLL
       • Custom loader
       • Reflective loader
       • …
   • Advantage of coding a DLL
     • Many powerful development tools (Visual Studio)
     • Reusing code
13. How it works – deep dive - PowerShell
   • PowerShell is a very powerful programming language
     • Win32 API
     • .NET Framework
     • ActiveX
     • …
   • Facilitates administration of Windows (legitimate application)
   • So versatile and powerful that it is often used as loader and host for fileless malware
     • powershell -Command …
     • powershell -EncodedCommand …
14. How it works – deep dive - PowerShell (diagram: Library → .NET code)
15. How it works – deep dive - PowerShell (diagram: Encoded Command → Library → .NET code)
16. How to detect? No files you say?
17. How to detect?
18. How to detect? Registry run keys
   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
19. How to detect?
20. How to detect?
21. How to detect?
   • Hunt for suspicious registry run keys and scheduled tasks
   • Behavior based detection
   • Look for known IOCs: C2 traffic, specific registry keys, specific scheduled tasks
   • Prevent known malicious items from entering your environment
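The hunt from slides 13, 18 and 21 (encoded PowerShell persisted in a Run key or a scheduled task, and the registry value the loader reads, as on slide 29) as an added example in Python. This is not the speaker's tooling; the .reg export, the task list, the `Loader`/`Payload` key and value names and the `[Loader]::Run` type in the sample script are all constructed for the example. Real input would come from `reg export`, `schtasks /query /xml` or the SOFTWARE/NTUSER.DAT hives of an image.

```python
"""Hunt for persisted fileless PowerShell loaders (Run keys, scheduled tasks).

Added example, not the speaker's tooling. Inputs are CONSTRUCTED: a .reg export
of the Run keys from slide 18 plus a list of scheduled-task actions.
"""
import base64
import re

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
}
# PowerShell accepts unambiguous prefixes of its switches, so -e/-ec/-enc all
# mean -EncodedCommand; the loader on slide 29 used the long form.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)-(?:e|ec|enc|encodedcommand|nop|noprofile|noni|noninteractive"
    r"|(?:w|windowstyle)\s+hidden|(?:ep|executionpolicy)\s+bypass)\b"
)
ENCODED_ARG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]+=*)")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]+={0,2}")
LOADER_INDICATORS = ("Add-Type", "Get-ItemProperty", "FromBase64String",
                     "VirtualAlloc", "WriteProcessMemory", "Reflection.Assembly")


def encode_command(script):
    """What -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline):
    """Return the decoded script of a -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_reg_export(text):
    """Yield (key, name, value) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                name, raw = m.groups()
                yield key, name, re.sub(r'\\(["\\])', r"\1", raw)  # undo \" and \\


def analyse_command(cmdline):
    """Flags and loader indicators for a PowerShell command line; None if not PowerShell."""
    if not re.search(r"(?i)\bpowershell(?:\.exe)?\b", cmdline):
        return None
    flags = sorted({" ".join(f.lower().split()) for f in SUSPICIOUS_FLAGS.findall(cmdline)})
    script = decode_encoded_command(cmdline)
    indicators = [i for i in LOADER_INDICATORS if script and i.lower() in script.lower()]
    return {"cmdline": cmdline, "flags": flags, "script": script, "indicators": indicators}


def hunt(reg_text, tasks, blob_min=256):
    """Findings: suspicious PowerShell in Run keys / task actions, plus large
    base64 values anywhere else in the export (where the loader's payload lived)."""
    findings = []
    for key, name, value in parse_reg_export(reg_text):
        source = key + "\\" + name
        if key.lower() in RUN_KEYS:
            v = analyse_command(value)
            if v and (v["flags"] or v["indicators"]):
                findings.append(dict(source=source, **v))
        elif len(value) >= blob_min and BASE64_BLOB.fullmatch(value):
            findings.append(dict(source=source, cmdline=None, flags=[], script=None,
                                 indicators=["base64 blob, %d chars" % len(value)]))
    for task, command, args in tasks:
        v = analyse_command(command + " " + args)
        if v and (v["flags"] or v["indicators"]):
            findings.append(dict(source="task " + task, **v))
    return findings


# --- constructed sample data (hypothetical key, value and type names) ---------
LOADER_SCRIPT = (
    "$b = (Get-ItemProperty -Path 'HKCU:\\Software\\Classes\\Loader' -Name 'Payload').Payload; "
    "$code = [Convert]::FromBase64String($b); Add-Type -TypeDefinition $src; [Loader]::Run($code)"
)
ENCODED = encode_command(LOADER_SCRIPT)
BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
REG_TEXT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="\\"C:\\\\Users\\\\bob\\\\OneDrive.exe\\" /background"\n'
    '"Updater"="powershell -w hidden -nop -EncodedCommand ' + ENCODED + '"\n\n'
    "[HKEY_CURRENT_USER\\Software\\Classes\\Loader]\n"
    '"Payload"="' + BLOB + '"\n'
)
TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe", "-c -h -o -$"),
    ("\\Updater", "powershell", "-nop -w hidden -enc " + ENCODED),
]

if __name__ == "__main__":
    for f in hunt(REG_TEXT, TASKS):
        print(f["source"], f["flags"], f["indicators"])
```

The three findings are the Run-key entry, the oversized base64 value outside the Run keys, and the task action; the benign OneDrive entry and the defrag task are not reported. Decoding is UTF-16LE on purpose: a plain UTF-8 decode of an `-EncodedCommand` argument yields every other byte as a NUL and hides the `Add-Type` and `Get-ItemProperty` indicators.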
22. What will we talk about today: Cryptocurrency mining malware
23. Cryptocurrency mining malware: what is it? What does it do? (kill-chain phase: Action on Objectives)
24. In browser mining (kill-chain phase: Delivery). Source: blog.malwarebytes.com
25. Evolution from ransomware to cryptocurrency mining malware
   • Ransomware attacks are becoming harder to execute
     • Microsoft added the Controlled folder access feature to Windows Defender Security for Windows 10 users, to prevent malicious (or unexpected) alteration of important files
     • Everyone advises against paying
     • Easily detected
     • Victims in countries and regions that cannot pay the ransom
   • Cryptocurrency mining often flies under the radar
   Source: blog.fortinet.com
26. Implications for companies
   • Power
   • Cost
   • Might harm the production environment (CPU load, stability, might kill processes, etc.)
27. What will we talk about today: Tearing apart a sample!
28. Detecting malware
   • AV detection for files was originally based on signatures (sequence of bytes / heuristics)
   • On disk, Windows provides file-system filters (intercept all bytes accessed from disk)
   • A similar mechanism does not exist for memory → AV detection bypass
   • Next option to detect fileless malware: observe behavior
     • Is this program encrypting files? Strange, this could be ransomware …
     • Is this program mining cryptocurrency? OK, this could be benign …
   • Not all AVs have (advanced) behavior analysis engines
   (diagram labels: Process, AV)
29. Our sample
   • How did we know there was malware about?
     • No AV alerts
     • Observed TCP connections to a Monero mining pool
     • Observed a PowerShell process consuming a lot of CPU
   • How did we sample the malware?
     • Specialized task managers like Process Explorer can inspect the command line of processes: powershell -EncodedCommand QQBkAGQALQBUAHk… (the visible prefix decodes, as UTF-16LE, to "Add-Ty", the start of an Add-Type call)
     • … and show the parent process: task scheduler
     • The BASE64-decoded PowerShell script accessed a value in the registry: {95EF38A4-95F9-55C1-55302E9FD8427349}=AAAId0wBAAOWAAADKWBNWpAA…
     • Create a memory dump of the process & carve executables
30. The loader (diagram labels: Registry, 32-bit/64-bit, BASE64)
31. The loader (diagram labels: Win32 API)
32. The "package": embedded PE file
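The last step on slide 29 (dump the PowerShell process and carve the executables out of it) and the nested image on slide 32 (the "package" with a PE embedded inside it), as an added example in Python. It is not the speaker's tooling: the carver walks the PE headers to find where each image ends, and the dump it runs over is constructed inline with a `build_pe` helper (a 32-bit image whose `.rsrc` section holds a 64-bit image, surrounded by filler and one false-positive `MZ`).

```python
"""Carve PE images from a raw memory dump by walking the PE headers.

Added example, not the speaker's tooling. The dump below is CONSTRUCTED.
"""
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}


def pe_extent(buf, off):
    """Return (size, machine) of the PE image starting at buf[off], or None.

    Size = the furthest byte any section's raw data reaches (or the end of the
    headers), i.e. the image as it looked on disk before it was loaded.
    """
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or buf[pe:pe + 4] != b"PE\0\0":
        return None
    if pe + 24 > len(buf):
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if machine not in MACHINE_NAMES or not 0 < nsect <= 96:
        return None
    sect = pe + 24 + opt_size
    end = sect + 40 * nsect
    for i in range(nsect):
        s = sect + 40 * i
        if s + 40 > len(buf):
            return None
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, ...
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, s)
        end = max(end, off + raw_ptr + raw_size)
    return min(end, len(buf)) - off, machine


def carve_pe(buf):
    """Return [(offset, size, arch, image_bytes)] for every PE image in buf.

    Advances one byte at a time, so an image embedded inside another image's
    section data is reported as well (that is the "package" case).
    """
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        ext = pe_extent(buf, pos)
        if ext:
            size, machine = ext
            found.append((pos, size, MACHINE_NAMES[machine], bytes(buf[pos:pos + size])))
        pos = buf.find(b"MZ", pos + 1)
    return found


# --- constructed test data ----------------------------------------------------
def build_pe(machine, sections, e_lfanew=0x80, align=0x200):
    """Assemble a minimal (non-executable) PE image with the given sections."""
    opt_size = 0xE0 if machine == 0x14C else 0xF0
    magic = 0x10B if machine == 0x14C else 0x20B
    hdr_end = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + align - 1) & ~(align - 1)
    img = bytearray(b"MZ") + bytes(e_lfanew - 2)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0" + struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x2)
    img += struct.pack("<H", magic) + bytes(opt_size - 2)
    data, ptr = b"", raw_ptr
    for name, content in sections:
        raw_size = (len(content) + align - 1) & ~(align - 1)
        img += struct.pack("<8sIIIIIIHHI", name, len(content), 0x1000, raw_size, ptr,
                           0, 0, 0, 0, 0x60000020)
        data += content.ljust(raw_size, b"\0")
        ptr += raw_size
    return bytes(img.ljust(raw_ptr, b"\0") + data)


def junk(n):
    """Filler that never contains the byte pair 'MZ'."""
    return bytes((i * 7) % 256 for i in range(n))


INNER = build_pe(0x8664, [(b".text", b"\xcc" * 64)])
OUTER = build_pe(0x14C, [(b".text", b"\x90" * 32), (b".rsrc", INNER)])
DUMP = junk(0x300) + OUTER + junk(0x100) + b"MZ" + bytes(0x3E) + junk(0x200)

if __name__ == "__main__":
    for off, size, arch, _ in carve_pe(DUMP):
        print("PE at 0x%x, %d bytes, %s" % (off, size, arch))
```

Sizing from the section table rather than from `SizeOfImage` matters here: the dump holds the image as it was when the loader read it from the registry blob, so the on-disk layout is what you want to hand to VirusTotal or a disassembler, and a memory-mapped copy would need its sections realigned first.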
33. The "package" is known to VirusTotal, and triggers AV
34. The "package": the AV label "Trojan injector cvt" does not yield valuable information
35. The "package": the carved DLL has been analyzed before, without success
36. Dynamic analysis
   • No useful info online: we had to analyze the sample ourselves
   • Create a .ps1 file combining the loader and the "package"
   • Focus dynamic analysis
   • Submit it to sandboxes
   • Run it on a physical machine
37. Mining activity: tearing apart a sample
38. Mining activity
   • On 22/02/2018: 1 XMR = 255 EUR, 600 XMR = 153 156 EUR
   • On 17/04/2018: 1 XMR = 161 EUR, 663 XMR = 106 743 EUR
   (XMR rate rounded to whole EUR)
39. Mining activity (time in UTC)
40. Mining activity: tearing apart a sample
41. Worm activity: scanning port 445? An EternalBlue worm?
42. Worm activity (diagram labels: EternalBlue/Shellcode, Gitlab, "Package")
   1) Persistence on Windows XP: file based
   2) Persistence on > Windows XP: fileless
   • SMB1 = 0 → Immunize!
43. Worm activity: active since August 2017, a history of versions
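The two network behaviours of slides 37 to 43 (connections to a Monero mining pool, then a sweep of port 445) as an added triage example in Python, not the speaker's tooling. The flow records are constructed (RFC 5737 addresses, a made-up wallet string and a made-up agent version); real input would be Zeek conn logs, NetFlow or a pcap. The pool-port list is only a hint; the stratum JSON-RPC `login` request carrying an `agent` field, which is what XMRig-style miners send first, is the stronger signal, and the worm check is a sliding-window count of distinct SMB destinations per source.

```python
"""Network triage: stratum logins to a mining pool and port-445 fan-out.

Added example, not the speaker's tooling. FLOWS is CONSTRUCTED.
"""
import json
from collections import defaultdict

STRATUM_METHODS = {"login", "submit", "mining.subscribe", "mining.authorize", "mining.submit"}
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8080, 14444}


def stratum_request(payload):
    """Return (method, agent, login) if the first bytes of a TCP stream are a
    stratum JSON-RPC request, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    if isinstance(params, dict):
        return msg["method"], params.get("agent"), params.get("login")
    return msg["method"], None, None


def smb_fanout(flows, window=60, threshold=20):
    """Sources that touched >= threshold distinct hosts on tcp/445 within any
    `window`-second span: {src: max distinct destinations in one window}."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 445:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            best = max(best, len({d for t, d in events[i:] if t - t0 <= window}))
        if best >= threshold:
            hits[src] = best
    return hits


def triage(flows):
    """Combine both checks into a list of findings per source host."""
    findings = []
    for f in flows:
        req = stratum_request(f.get("payload", ""))
        if req:
            method, agent, login = req
            findings.append({"src": f["src"], "kind": "stratum",
                             "pool": "%s:%d" % (f["dst"], f["dport"]),
                             "method": method, "agent": agent, "login": login,
                             "known_pool_port": f["dport"] in COMMON_POOL_PORTS})
    for src, n in smb_fanout(flows).items():
        findings.append({"src": src, "kind": "smb-scan", "distinct_hosts": n})
    return findings


# --- constructed sample flows -------------------------------------------------
FAKE_WALLET = "4" + "A" * 94   # shape of a Monero address, not a real one
FLOWS = [
    {"ts": 0, "src": "10.0.0.12", "dst": "198.51.100.7", "dport": 3333,
     "payload": json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                            "params": {"login": FAKE_WALLET, "pass": "x", "agent": "XMRig/2.4.2"}})},
    {"ts": 5, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443,
     "payload": "\x16\x03\x01\x02\x00\x01"},   # TLS client hello, not JSON
]
# The wormed host sweeps a /24 for SMB in under a minute; the admin box only
# ever talks to the one file server, so its 445 traffic is not fan-out.
FLOWS += [{"ts": 10 + i * 0.7, "src": "10.0.0.12", "dst": "10.0.1.%d" % (i + 1),
           "dport": 445, "payload": ""} for i in range(40)]
FLOWS += [{"ts": 100 + i * 30, "src": "10.0.0.5", "dst": "10.0.0.2",
           "dport": 445, "payload": ""} for i in range(40)]

if __name__ == "__main__":
    for finding in triage(FLOWS):
        print(finding)
```

Both findings land on the same source host, which is the picture the speaker describes: one PowerShell process that mines and scans. The `login` value is worth keeping in the finding because it is the attacker's wallet, which ties otherwise unrelated infections together.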
44. Info stealing activity: why is it accessing these files? Why is it connecting to Tor?
45. Info stealing activity: FileZilla storing credentials
46. Info stealing activity: FileZilla credentials file read into memory, FileZilla credentials decoded
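What slides 45 and 46 show from the attacker's side, as an added check from the defender's side in Python (not the speaker's code): FileZilla keeps saved sites in `%APPDATA%\FileZilla\sitemanager.xml` (recent connections in `recentservers.xml`, same format), with passwords either in plain text (older versions) or base64-encoded in a `<Pass encoding="base64">` element, which is reversible by anyone who can read the file. The XML below is constructed; hosts use the reserved `.test` domain.

```python
"""Inventory a FileZilla sitemanager.xml and report which saved passwords are
recoverable straight from the file. Added example; the XML is CONSTRUCTED."""
import base64
import xml.etree.ElementTree as ET

SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.36.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">UzNjcjN0UGFzcw==</Pass>
      <Name>production upload</Name>
    </Server>
    <Server>
      <Host>legacy.example.test</Host><Port>21</Port>
      <User>web</User>
      <Pass>old-format-pass</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port>
      <User>ops</User>
    </Server>
  </Servers>
</FileZilla3>
"""


def inventory(xml_text):
    """One record per saved site: host, user, how the password is stored and,
    when storage is reversible, the password anyone reading the file obtains."""
    root = ET.fromstring(xml_text)
    records = []
    for srv in root.iter("Server"):
        pw = srv.find("Pass")
        if pw is None or not pw.text:
            storage, secret = "none", None
        elif pw.get("encoding") is None:
            storage, secret = "plaintext", pw.text            # older FileZilla versions
        elif pw.get("encoding") == "base64":
            storage, secret = "base64", base64.b64decode(pw.text).decode("utf-8", "replace")
        else:
            # any other encoding attribute (e.g. a master-password protected
            # entry) is not reversible from the file alone; do not guess
            storage, secret = "protected", None
        records.append({"host": srv.findtext("Host"), "user": srv.findtext("User"),
                        "storage": storage, "password": secret})
    return records


def exposed(records):
    """Sites whose password an info stealer gets by reading the file."""
    return [r for r in records if r["password"] is not None]


if __name__ == "__main__":
    for r in inventory(SITEMANAGER_XML):
        print(r)
```

Run against the real file on a host that showed the slide 44 behaviour (unexpected reads of the FileZilla profile plus Tor traffic), the `exposed` list is the set of credentials to rotate first; base64 is an encoding, not encryption, and the third entry shows that a site without a stored password gives the stealer nothing.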
47. Concluding: Miner, Worm, Info stealer