File-less Malware: What Is It and How Does It Work?

In this first video, we’re just going to talk about the capabilities and behaviours of file-less malware. File-less malware is malware that leverages binaries already on the system. This is sometimes called non-malware attacks, memory based, or living off the land. And to give you an example of this, you go out to a website with your browser, maybe you’ve got some sort of flash or something like that, somehow your flash gets compromised. And this time, instead of the payload being a file that you download and execute, it’s just going to do something like run PowerShell. PowerShell is a trusted binary that sits on all Windows machines, or the majority of Windows machines.

And it’s going to use that PowerShell to do all types of attacks. It’s going to use it to try and leverage itself to gain our credentials. It’s going to enter into admin. It’s going to try and pivot off the machine to other machines. It’s going to try and get a hold of data and exfil it. PowerShell runs in memory. The PowerShell doesn’t write anything to disc by default, unless it’s specifically told to. So by doing this, they’re on the box. They’re leveraging PowerShell. They’re using it in ways that it wasn’t initially intended to be used for. And then when they’re done, they just drop out of PowerShell and it’s gone.

And the reason why this is so effective is because it’s not malware, there’s no signature. When we looked at all our antivirus engines, they’re mostly signature-based. There’s two things that you can have here. You can have behaviour-based, heuristics-based malware detection, or you can have signature-based. And both of them have pros and cons. But the biggest problem you have with signature-based is if there’s not a signature for it, then it doesn’t detect anything. And they can’t have a signature for trusted binaries like PowerShell or Certutils because that will always be pinging and it just wouldn’t be effective. So there’s no signature for these binaries. Binaries are trusted because they come on the platform by default.

And all in all, this makes it harder to detect if the attacker is going slow, isn’t doing anything too suspicious, then from the detection side, it may just look like, “OK, users are using PowerShell. And they’re doing a numeration or maybe they’re doing some data stuff”. And it depends on how fine-tuned the detection mechanisms are. The stuff can be caught. But the way that it’s usually caught is by looking at a string of events as opposed to each individual event, because each individual event will tend to look benign. It’ll look like it’s OK. When we start putting in a string of events together, that’s when things start to look weird. And what do I mean by that?

A user opens an email, the email has an attachment, it’s a Word attachment. They open the attachment and they run the macro like we’ve talked about. Instead of installing a file now, the macro just runs PowerShell. If you look at all those things individually, they open up an email, they look at a document, they run PowerShell. That’s OK. But when you look at it as a string and it says, they got an email that had a document in it, and that document is what spawned a trial process that is PowerShell. That’s when you start to say, “OK, this is suspicious”. But that’s a lot more difficult to detect.

And so because of that, because this is already in place everywhere, it requires the attacker to get a lot less tools and things lined up. It’s rapidly becoming the most effective and most common attack method that we see by attackers. In the next video, we’re going to talk about GrandCrab. And we’re also going to talk about what GrandCrab was, a little bit, but then I want to show you what some of the open-source products that are out there that are, we’ll say, doing research on these living off the land binary attacks.