{"id":84916,"date":"2017-10-10T11:09:51","date_gmt":"2017-10-10T05:39:51","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84916"},"modified":"2017-10-10T11:18:46","modified_gmt":"2017-10-10T05:48:46","slug":"fileless-malware-uses-unique-technique-analysis-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/fileless-malware-uses-unique-technique-analysis-quick-heal-security-labs\/","title":{"rendered":"A fileless malware uses a unique technique – an analysis by Quick Heal Security Labs"},"content":{"rendered":"

Spam email campaigns have increased with the use of multiple random techniques which improve the efficiency of payload distribution to spread malware to more number of users. These attacks have been randomly observed to have increased rapidly in numbers; similar techniques, observed first time in mid-2014, were used in the distribution of the Poweliks fileless malware<\/strong>.<\/p>\n

Technical analysis of the observed campaign<\/strong><\/p>\n

In this campaign, the attacker uses an XML script and has a Windows Script Component (WSC) to deliver the malicious payload \u2013 this technique has the ability to easily modify obfuscation. A small XML script having a set of instructions is used to download another script file from compromised websites. The attacker uses this XML file because they can easily change the code and deliver a new variant.<\/p>\n

Attack chain sequence<\/strong><\/p>\n

\"unique1\"<\/p>\n

\"Fig
Fig 1. XML script<\/figcaption><\/figure>\n

The set of instructions works as follows<\/p>\n

\"unique3-jpg\"<\/p>\n

Here, rundll32 is used for running the DLL file and placing its library in the memory with the following command line.<\/p>\n

Rundll32.exe <DLL name>, <entry point><\/p>\n

Let\u2019s understand how Rundll32 is successfully able to parse the parameters and the argument. Rundll32 internally parses the command line and searches for the comma (\u2018,\u2019) to locate the DLL name and space to locate the entry point name.<\/p>\n

In the above script code, Rundll32 finds mshtml as dllname and RunHTMLApplication as an entry point. For now \u2018javascript:\u2019 prefix seems to be unwanted. The RunHTMLApplication calls \u2018CreateUrlMoniker\u2019 which parses the command line to find the string before \u2018:\u2019 i.e., JavaScript. \u2018Microsoft HTML\u2019 is the handler for the JavaScript.<\/p>\n

The XML file-delivered script file has the actual malicious payload location and instructions to de-obfuscate malware. Every time, the payload location varies.<\/p>\n

\"Fig
Fig 2. VBS script<\/figcaption><\/figure>\n

The same technique is used by the TrickBot malware<\/a> having macro scripting in Microsoft Office documents which then downloads the actual payload.<\/p>\n

\"Fig
Fig 3. OLE Macro<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 4. VBS script<\/figcaption><\/figure>\n

 <\/p>\n

Quick Heal detection<\/strong><\/p>\n

    \n
  1. Quick Heal Virus Protection successfully detects such malicious script files and doc files.<\/li>\n
  2. Quick Heal Browsing Protection blocks malicious URLs as \u2018Harmful\u2019.<\/li>\n
  3. Quick Heal Email Protection successfully blocks such malicious attachments even before they can infect the system<\/li>\n<\/ol>\n

    How to stay away from such threats<\/strong><\/p>\n

      \n
    1. Do not click on links or open attachments receiving in emails from unexpected source or unknown sources.<\/li>\n
    2. Do not click open double extension file such as doc.js, wsf.js, vbs.doc, etc. These could be malicious files which use double extension to trick users.<\/li>\n
    3. Apply all recommended updates on your computer OS, software, and Internet browsers to keep them up-to-date.<\/li>\n
    4. Install software only from genuine and trusted sources only.<\/li>\n
    5. Never enable \u2018macros\u2019 or editing mode if any document asks you to do so.<\/li>\n<\/ol>\n

       <\/p>\n

      Subject Matter Expert<\/strong><\/p>\n

      Prashant Tilekar | Quick Heal Security Labs<\/p>\n

       <\/p>\n

       <\/p>\n","protected":false},"excerpt":{"rendered":"

      Spam email campaigns have increased with the use of multiple random techniques which improve the efficiency of payload distribution to spread malware to more number of users. These attacks have been randomly observed to have increased rapidly in numbers; similar techniques, observed first time in mid-2014, were used in the distribution of the Poweliks fileless […]<\/p>\n","protected":false},"author":29,"featured_media":84924,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,5],"tags":[1485],"class_list":["post-84916","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-security","tag-fileless-malware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84916"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84916"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84916\/revisions"}],"predecessor-version":[{"id":84927,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84916\/revisions\/84927"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84924"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}