Fileless Attack Vector

  • Posted on: 13 June 2017
  • By: skeeved

A new malware vector, using a sophisticated fileless method of infecting machines, has been documented by Morphisec.

This new attack targets restaurants and begins with a phishing email carrying an .rtf attachment. When the attachment is opened and double-clicked, a convoluted series of steps follows:

  • JavaScript code is executed via OLE, and it copies and assembles additional JavaScript code in a random directory on the hard drive.
  • A scheduled task is created that executes the additional JavaScript code after a one-minute delay, in an attempt to evade advanced behavioral analysis.
  • The second JavaScript file creates a PowerShell script in the same directory and then deletes itself.
  • The PowerShell script spawns a child PowerShell process, which in turn spawns a second PowerShell process.
  • The second PowerShell process injects shellcode into itself.
  • The shellcode uses dnsapi.dll to query a series of A records from the attacker's domain.
  • The data returned from the series of DNS queries is appended to a buffer and eventually decrypted.
  • The decrypted buffer is altered by removing the MZ prefix from the code. This prefix may indicate that the code is a DLL, and it is removed to help hide the payload from memory-scanning tools.
  • The decrypted buffer has been identified as Cobalt Strike Meterpreter, a tool used by many pen testers and malware authors.

This highly sophisticated process shows how the strategies used by malware authors can rapidly change and evolve in order to evade detection.
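
As an added illustration from the defender's side (not part of the original post or of Morphisec's analysis), the following Python sketch flags the DNS-staging pattern from the sixth step above: one host resolving many distinct A-record names under a single domain within a short window. The log format, hostnames, client addresses and thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log ("timestamp client qname qtype"): host 10.0.0.5
# resolves six distinct names under one domain in seconds, the DNS-staging pattern.
SAMPLE_LOG = """\
2017-06-13T10:00:01 10.0.0.5 www.example.com A
2017-06-13T10:00:02 10.0.0.5 a1.stage.c2-placeholder.test A
2017-06-13T10:00:02 10.0.0.5 a2.stage.c2-placeholder.test A
2017-06-13T10:00:03 10.0.0.5 a3.stage.c2-placeholder.test A
2017-06-13T10:00:03 10.0.0.5 a4.stage.c2-placeholder.test A
2017-06-13T10:00:04 10.0.0.5 a5.stage.c2-placeholder.test A
2017-06-13T10:00:04 10.0.0.5 a6.stage.c2-placeholder.test A
2017-06-13T10:00:09 10.0.0.7 mail.example.org MX
"""

def parse_line(line):
    """Split one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}

def base_domain(qname):
    """Crude registered-domain guess (last two labels); use a public-suffix list in production."""
    return ".".join(qname.split(".")[-2:])

def find_dns_staging(lines, window_seconds=60, min_unique=5):
    """Flag (client, base domain) pairs with >= min_unique distinct A names in a sliding window."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qtype"] == "A":  # only A-record lookups matter for this pattern
            by_key[(rec["client"], base_domain(rec["qname"]))].append(rec)
    findings = []
    for (client, domain), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = best = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:  # slide the window forward
                start += 1
            best = max(best, len({r["qname"] for r in recs[start:end + 1]}))
        if best >= min_unique:
            findings.append({"client": client, "domain": domain, "unique_names": best,
                             "first": recs[0]["ts"], "last": recs[-1]["ts"]})
    return findings
```

Tune `window_seconds` and `min_unique` against a baseline of your own resolver logs; CDN and mail domains legitimately produce many distinct names and need an allow list.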