Fileless Malware – Obfuscating malware using PowerShell scripts
While familiarizing myself with different threat actors in the cybersecurity industry and practicing Anti-Virus evasion techniques, I have come across different news articles mostly about ransomware, however, I am now starting to see an increase in a type of malware family called: Fileless malware. [1, 2, 3]
According to CyberReason, “Fileless malware attacks entail taking default Windows tools, particularly PowerShell and Windows Management Instrumentation (WMI), and using them for malicious activity, like moving laterally to other machines.” 
On a Forbes article, Marcin Kleczynski, CEO of Malwarebytes states that “These attacks are proving to be particularly useful against businesses because the majority of outdated enterprise security solutions are designed to detect file-based malware that resided on the disk, not in memory. Small to midsize businesses (SMBs) have become particularly vulnerable since some lack adequate security and IT staff to understand and protect against these threats.” 
Some of these articles seem to point to a PONEMON INSTITUTE, OCTOBER 2018 publication called the “The 2018 State of Endpoint Security Risk” where they describe the evolution of endpoint attacks showing how file less attacks are on the rise. The publication surveyed 660 IT security professionals responsible for managing and reducing their organization’s endpoint security.
In regards to File less attacks “respondents predict 62% of attacks targeting respondent’s companies in 2019 will be file-based and 38% will be fileless attacks.”  While file-based attacks are proportionally higher, the publication shows an increase of these attacks.
The problem here is not the proportional difference, but rather how difficult it is for currently available security software to detect these attacks as attackers typically use LotL (Living off the Land) tactics to evade anti-virus solutions.
Fortunately, Intel is working on a new series of processors capable of preventing such malware attacks with a new series of processors called “Intel Select Solution for Hardened Security” However, as a writer for Technotification puts it “…if companies want to avoid such attacks in the current time, they need to shift their critical resources to the cloud” 
The above news made me dig a little bit deeper to understand how are these types of attacks are actually done and my digging led me to a very interesting fileless-attack example which I replicated the best I could.
It all started when an administrator found a “strange” event in the Microsoft-Windows-Sysmonservice when checking Event Viewer logs.
The administrator found something similar to this in the details section:
<Data Name=”ParentImage”>C:\Windows\System32\forfiles.exe</Data><Data Name=”ParentCommandLine”>c:\windows\system32\forfiles.EXE /p C:\WINDOWS\system32 /s /c “cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwARQBuAHYAaQByAG8AbgBtAGUAbgB0AFwAJwApAC4AQwBoAG8AYwBvAGwAYQB0AGUAeQBMAGEAcwB0AFAAYQB0AGgAVQBwAGQAYQB0AGUA” /m p*ll.*e</Data>
The event led to a Task Scheduler rule that had properties like this:
What does the above command mean?
I actually found a similar attack explained on YouTube. The researcher showed an example with lots of obfuscated code and I wanted to replicate some of it on my own lab.
I first started by taking apart the commands to try to understand how they worked, which I summarize as follows:
The command uses a file called Forfiles.exe. Forfiles.exe recursively looks inside the system32 folder using p*11.*e as mask until it finds powershell.exe. The @file variable then takes the place of the powershell.exe file and runs an encoded command inside this *base-64 encoded string:
How does the command work?
c:\windows\system32\forfiles.exe /p C:\WINDOWS\system32 /s /c
c:\windows\system32: The system32 directory contains Windows system files and software program files, vital to the operation of the Windows operating system and software programs running in Windows.
/p : Specifies the path from which to start the search. By default, searching starts in the current working directory.
/s: instructs the forfiles command to search into subdirectories recursively.
/c : Runs the specified command on each file. Command strings should be enclosed in quotation marks. The default command is “cmd /c echo @file”.
cmd /c @file -ec
cmd /c : Starts a new instance of the command interpreter, Cmd.exe. If used without parameters, cmd displays the version and copyright information of the operating system. With the /c parameter then command will carry out the command specified and then stops.
@file: A variable name that represents the File name for the forfiles command.
-ec: Short hand for the -EncodedCommand. Accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces. NOTE: There are 15 different iterations to shorthand EncodedCommand which defenders will typically attempt to key off on. One of the most unknown ones is “-ec”
/m <Search Mask> : Searches files according to the specified search mask. The default search mask is *.\*.
p*11.*e: powershell.exe which is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language.
What’s inside the *base64 string?
*please note that I changed the following command to reflect the settings in my lab machine instead of using the encoded command from the YouTube example.
Using https://www.base64decode.net I was able to decode the message above resulting in the following:
The decoded message was the characters below:
i�e�x� �(�g�p� �’�H�K�C�U�:�\�E�n�v�i�r�o�n�m�e�n�t�\�’�)�.�C�h�o�c�o�l�a�t�e�y�L�a�s�t�P�a�t�h�U�p�d�a�t�e�
After removing all the � the following command is displayed:
What does the decoded message do?
This part of the command will run whatever command is after the iex alias. Although in my case, I am simply using the command to retrieve a timestamp in the ChocolateyLastPathUpdate registry. In the YouTube example I discuss above, the attacker used the value of a different registry to obfuscate the malicious code!! (Matryoshka doll-style!)
iex and gp are both part o the Microsoft PowerShell Utility suite and the work as follows:
iex: Invoke-Expression. Runs commands or expressions on the local computer.
gp: Get-ItemProperty. Gets the properties of a specified item.
HKCU:\Environment\’).ChocolateyLastPathUpdate are part of the registry and the work as follows:
HKCU: HKEY_CURRENT_USER. contains configuration information for Windows and software specific to the currently logged in user.
‘HKCU:\Environment’: Where environment variables like PATH and TEMP are found. Changes can be made here or through Windows Explorer, and they’ll be reflected in both places.
ChocolateyLastPathUpdate: Package Manager for windows.
The 18 digit number [ 131974752962431440 ] in the ChocolateyLastPathUpdate it’s a time stamp that translates to a particular time. I decided to use this value simply to see if I could get the above command to work.
How did I encode the above command?
This was the fun part for me! I tried using https://www.base64decode.net to encode iex (gp’HKCU:\Environment\’).ChocolateyLastPathUpdate so that I can have an encoded message to play and got the following: aWV4IChncCdIS0NVOlxFbnZpcm9ubWVudFwnKS5DaG9jb2xhdGV5TGFzdFBhdGhVcGRhdGU=
However, when I tested the command and did not work, so I used PowerShell to encode iex (gp’HKCU:\Environment\’).ChocolateyLastPathUpdate
How did the task make it into the Task Scheduler?
I am currently waiting from the YouTuber’s answer on this, however, I created a PowerShell script using the commands above that can be executed every time a user logs on. I can imagine a situation where this malicious PowerShell script makes it into their regular script batches.
Now all the administrator needs to do is run the script and the malicious code is inside ready to execute!
After the command runs either by manual execution or as soon as the user logs on the malware is executed without triggering any alarms as all the tools used in this attack are tools used for administration purposes and are not blocked by antivirus solutions.
Now just imagine the damage the command would cause if instead of using the 18-digit value to test the command the malicious actor was to add an obfuscated command to exfiltrate data to a command and control server.
What can you do to protect yourself?
A TechRepublicarticle provides the following steps you can take to protect yourself against fileless malware.
1: Restrict unnecessary scripting languages
2: Disable macros and digitally sign trusted macros
3: Monitor security appliance logs for unauthorized traffic
4: Implement endpoint security with active monitoring
5: Perform patch management across all devices