Obfuscated Files or Information: Fileless Storage
Other sub-techniques of Obfuscated Files or Information (14)
Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock` may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024) Similar to fileless in-memory behaviors such as Reflective Code Loading and Process Injection, fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022) Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of Persistence) and collected data not yet exfiltrated from the victim (e.g., Local Data Staging). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\System32\Wbem\Repository`) or Registry (e.g., `%SystemRoot%\System32\Config`) physical files.(Citation: Microsoft Fileless)
Примеры процедур |
|
Название | Описание |
---|---|
DarkWatchman |
DarkWatchman can store configuration strings, keylogger, and output of components in the Registry.(Citation: Prevailion DarkWatchman 2021) |
PolyglotDuke |
PolyglotDuke can store encrypted JSON configuration files in the Registry.(Citation: ESET Dukes October 2019) |
QakBot |
QakBot can store its configuration information in a randomly named subkey under |
TYPEFRAME |
TYPEFRAME can install and store encrypted configuration data under the Registry key |
ComRAT |
ComRAT has stored encrypted orchestrator code and payloads in the Registry.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) |
ShadowPad |
ShadowPad maintains a configuration block and virtual file system in the Registry.(Citation: Kaspersky ShadowPad Aug 2017)(Citation: TrendMicro EarthLusca 2022) |
Gelsemium |
Gelsemium can store its components in the Registry.(Citation: ESET Gelsemium June 2021) |
Uroburos |
Uroburos can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.`(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
SysUpdate |
SysUpdate can store its encoded configuration file within |
Exaramel for Windows |
Exaramel for Windows stores the backdoor's configuration in the Registry in XML format.(Citation: ESET TeleBots Oct 2018) |
Grandoreiro |
Grandoreiro can store its configuration in the Registry at `HKCU\Software\` under frequently changing names including |
NETWIRE |
NETWIRE can store its configuration information in the Registry under `HKCU:\Software\Netwire`.(Citation: Red Canary NETWIRE January 2020) |
Pillowmint |
Pillowmint has stored a compressed payload in the Registry key |
TinyTurla |
TinyTurla can save its configuration parameters in the Registry.(Citation: Talos TinyTurla September 2021) |
CHOPSTICK |
CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.(Citation: FireEye APT28) |
APT32 |
APT32's backdoor has stored its configuration in a registry key.(Citation: ESET OceanLotus Mar 2019) |
Pikabot |
Some versions of Pikabot build the final PE payload in memory to avoid writing contents to disk on the executing machine.(Citation: Elastic Pikabot 2024) |
QUADAGENT |
QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as `HKCU\Office365DCOMCheck`) in the `HKCU` hive.(Citation: Unit 42 QUADAGENT July 2018) |
RegDuke |
RegDuke can store its encryption key in the Registry.(Citation: ESET Dukes October 2019) |
ThreatNeedle |
ThreatNeedle can save its configuration data as a RC4-encrypted Registry key under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`.(Citation: Kaspersky ThreatNeedle Feb 2021) |
During Operation CuckooBees, the threat actors stroed payloads in Windows CLFS (Common Log File System) transactional logs.(Citation: Cybereason OperationCuckooBees May 2022) |
|
Valak |
Valak has the ability to store information regarding the C2 server and downloads in the Registry key |
Volgmer |
Volgmer stores an encoded configuration file in |
Chaes |
Some versions of Chaes stored its instructions (otherwise in a `instructions.ini` file) in the Registry.(Citation: Cybereason Chaes Nov 2020) |
Turla |
Turla has used the Registry to store encrypted and encoded payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019) |
RCSession |
RCSession can store its obfuscated configuration file in the Registry under `HKLM\SOFTWARE\Plus` or `HKCU\SOFTWARE\Plus`.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020) |
Sibot |
Sibot has installed a second-stage script in the |
PipeMon |
PipeMon has stored its encrypted payload in the Registry under `HKLM\SOFTWARE\Microsoft\Print\Components\`.(Citation: ESET PipeMon May 2020) |
REvil |
REvil can save encryption parameters and system information in the Registry.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019) |
Mosquito |
Mosquito stores configuration values under the Registry key |
Контрмеры |
|
Контрмера | Описание |
---|---|
Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
Ссылки
- Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
- Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.
- Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.
- Legezo, D. (2022, May 4). A new secret stash for “fileless” malware. Retrieved March 23, 2023.
- Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.
- Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
- Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
- Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.