Blog

Quick Heal Security Labs
An analysis of the fileless malware by Quick Heal Security Labs
August 8, 2017

The fileless malware is a malware family that does not leave any trace of its infection in the affected file system. Also known as the ‘memory resident virus’, this type of malware hides in the registry and memory making it difficult for traditional antivirus software to identify the infection. However, this synonym can now be considered as partially correct as fileless malware are self-evolving steadily and gaining persistence and residence in the location that are difficult to detect.

A fileless malware can also reside in the infected systems as a ‘registry-based malware’. With this type, the malware resides in the Window’s registry without being present on the disk. In order to make its stay persistent, the malware also ensures it gets reloaded in the memory once the compromised system is restarted.

Analysis by Quick Heal Security Labs

Quick Heal Security Labs has observed a similar fileless malware (sometimes known as ‘Powershell Malware’) that uses Powershell to load Base64 encoded shell scripts stored in the Window’s registry leading to the Click Fraud Malware Campaign.

fileless1

Fig 1. Browsing Protection alert for malicious website

The incident came to our notice when one of our Malware Reporting Systems started receiving continuous Browsing Protection alerts against a malicious website ‘https://soplifan.ru”. Upon analysis, it was found that the same domain was triggered as malicious on several other systems at the same time. This was found to be the result of a fileless malware that eventually tried accessing the detected malicious website.

Digging deeper into the incident, we found the malware to be residing only in the registry sub keys of the compromised computer. This is likely an outcome of malicious spam emails and exploit kits.

The first footprint of the malware is found in the run entry of the current user as shown in figure 2 below.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{CLSID}
fileless2-jpg

Fig 2. Malicious Autorun CLSID key found in run entry of the infected system

The registry key contains the below malicious commands which are used to load the actual malware code.

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp ‘HKCU:\Software\Classes\HZMUQQOTHEK’).QJBBSZWJ)));

Based on the command, Powershell will get auto-launched after startup and will execute the Base64 encoded script from HKCU:\Software\Classes\HZMUQQOTHEK with ‘QJBBSZWJ’ parameter. To ensure a successful and uninterrupted execution, the script is launched in a non-interactive and bypass mode.

fileless3-jpg

Fig 3. HKCU:\Software\Classes entry with encoded script for Execution and memory Code injection

The decoded code in HKCU:\Software\Classes\HZMUQQOTHEK contains blocks of code to decrypt the code further for execution and performs a Reflective PE code injection as shown in figure 4.

The malware uses ‘CreateRemoteThread’ and API such as, ‘VirtualAlloc’, ‘VirtualAllocEx’, ‘WriteProcessMemory’, and ‘ReadProcessMemory’ to do so.

Fig 4. RC4 decryption process on the malicious code.

Fig 4. RC4 decryption process on the malicious code.

 

Fig 5. cmdlet used by powershell for memory code injection.

Fig 5. cmdlet used by powershell for memory code injection.

The process execution can be seen in figure 5 below which shows the malicious process tree.

Fig 6. Malware process execution tree.

Fig 6. Malware process execution tree.

As shown in figure 6, Powershell launches the malicious script code from Classes resulting in a memory code injection into Werfault.exe and msiexec.exe. As a result, “https://soplifan.ru” gets continuous hist from the victim’s system. Due to the continuous attempt to connect to this URL, the malware tends to perform a Click Fraud Activity.

Read more about click fraud malware

Quick Heal Protection
Quick Heal successfully detects the malicious registry entries used in the Click Fraud Malware Campaign and protects its user’s system from the infection.

fileless7

Fig 7. An overview of how the malware works

Security measures to stay away from malware attacks

  • Use a reliable antivirus software that puts layers of defense between your computer and malware threats. Keep the software up-to-date.
  • Keep your Operating system and other software such as Adobe, Java, Internet browsers, etc., up-to-date.
  • Avoid websites that throw unnecessary or lots of advertisements.
  • Install software only from genuine and trusted sources only.
  • Do not click on links or download attachments received in unknown, unwanted or unexpected emails.
  • Always keep a secure backup of your important data.

 

Acknowledgment

  • Subject Matter Expert
    Dipali Zure | Quick Heal Security Labs

SHARE THIS STORY

Have something to add to this story? Share it in the comments.

Quick Heal Security Labs
About Quick Heal Security Labs
Quick Heal Security Labs is a leading source of threat research, threat intelligence, and cybersecurity. It analyzes data fetched from millions of Quick Heal...
Articles by Quick Heal Security Labs »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image