{"id":79862,"date":"2018-01-24T06:00:21","date_gmt":"2018-01-24T14:00:21","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=79862"},"modified":"2023-09-11T15:54:21","modified_gmt":"2023-09-11T22:54:21","slug":"now-you-see-me-exposing-fileless-malware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/01\/24\/now-you-see-me-exposing-fileless-malware\/","title":{"rendered":"Now you see me: Exposing fileless malware"},"content":{"rendered":"

(Note: For a comprehensive categorization of fileless malware and a complete list of Microsoft technologies that can protect against these elusive threats, read the latest blog post: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV)

Attackers are determined to circumvent security defenses using increasingly sophisticated techniques. Fileless malware boosts the stealth and effectiveness of an attack, and two of last year’s major ransomware outbreaks (Petya and WannaCry) used fileless techniques as part of their kill chains.

The idea behind fileless malware is simple: If tools already exist on a device (for example PowerShell.exe or wmic.exe) to fulfill an attacker’s objectives, then why drop custom tools that could be flagged as malware? If an attacker can take over a process, run code in its memory space, and then use that code to call tools that are already on a device, the attack becomes more difficult to detect.

Successfully using this approach, sometimes called “living off the land”, is not a walk in the park. There’s another thing that attackers need to deal with: Establishing persistence. Memory is volatile, and with no files on disk, how can attackers get their code to auto-start after a system reboot and retain control of a compromised system?

Misfox: A fileless gateway to victim networks

In April 2016, a customer contacted the Microsoft Incident Response team about a case of cyber-extortion. The attackers had requested a substantial sum of money from the customer in exchange for not releasing their confidential corporate information that the attackers had stolen from the customer’s compromised computers. In addition, the attackers had threatened to “flatten” the network if the customer contacted law enforcement. It was a difficult situation.
Quick fact: Windows Defender AV detections of Misfox more than doubled in Q2 2017 compared to Q1 2017.

The Microsoft Incident Response team investigated machines in the network, identified targeted implants, and mapped out the extent of the compromise. The customer was using a well-known third-party antivirus product that was installed on the vast majority of machines. While it was up-to-date with the latest signatures, the AV product had not detected any targeted implants.

The Microsoft team then discovered that the attackers had attempted to encrypt files with ransomware twice. Luckily, those attempts failed. As it turned out, the threat to flatten the network was a plan B to monetize the attack after their plan A had failed.

What’s more, the team also discovered that the attackers had covertly persisted in the network for at least seven months through two separate channels: