Due to the scarcity of in-depth material on fileless malware, I decided to create a blog that explores these stealthy techniques. Welcome to another insightful post where we dive into the internals of fileless malware.
The Multi-Million Dollar Question: What is Fileless Malware?
Fileless malware is a sneaky type of malware that hides in your computer’s memory instead of being saved on the hard drive.
Unlike traditional malware, fileless malware exploits legitimate software to infiltrate systems. This “fileless” nature makes it more challenging to detect with conventional antivirus tools, as no files are downloaded or stored on the hard drive.
Why Should You Worry About Fileless Malware?
Fileless malware’s ability to reside in a device’s memory rather than the hard drive makes it harder to detect and respond to, leaving a window of opportunity for the malware to take control of legitimate programs.
The Increase in Popularity
In addition, in 5% of the attacks, threat actors used a memory-resident malware. Compared with prior Aqua Nautilus research in 2022, there was a 1,400% increase in fileless attacks. This clearly indicates that threat actors are now focusing more on ways to avoid detection to establish a stronger foothold in the compromised system.
Source: HelpNet Security
Practical Demonstration
Now that we’ve covered the basics of fileless malware, let’s dive into a practical demonstration to understand how code can be executed directly in memory. In this example, we’ll use a Bash script executed via piping, illustrating how fileless techniques can work.
Create a Python HTTP Server:
First, I’ll set up a Python HTTP server to host a directory containing a script called script.sh with the following contents:
echo “Welcome to the fileless malware demonstration!”
echo “<——————————————->”
echo “Listing files in the current directory:”
ls
# Display the current date and time
echo “<——————————————->”
echo “Current date and time:”
date
# Print a goodbye message
echo “Demo complete. Goodbye!”
Use the following command to start a Python HTTP server that will serve the files in the current directory:
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) …
This command serves the files in the current directory at http://localhost:8000.
Demonstrate Fileless Execution:
To demonstrate fileless execution, you can fetch the script directly from the server and pipe it to Bash for execution. This simulates how fileless malware can operate without writing files to disk:
If I list the files in my current directory, you’ll see that script.sh does not appear in the directory, illustrating how fileless malware operates without leaving traces on the disk.
This demonstration illustrates how code can be executed directly in memory, showcasing a fundamental aspect of fileless malware. This method leaves no trace on the disk, making it a preferred technique for attackers looking to evade detection.
When we talk about executing code “in memory,” we refer to running commands or scripts without writing them to the disk. This is achieved using a technique called piping, which allows us to send the output of one command as input to another, all happening in real-time in memory.
How Piping Works
In Linux, a pipe is a unidirectional data channel that serves as a stream-based inter-process communication (IPC) mechanism. It enables processes on the same computer to communicate by temporarily buffering data between them. Here’s how it functions:
Pipe Mechanics:
A pipe connects the output of one process directly to the input of another. It acts as a conduit for data flow between processes without involving the file system.
Pipes are implemented using file descriptors and managed by the operating system, though they exist only in memory and don’t have a presence in the file system like regular files do.
Data Flow:
The data flow through pipes follows a First In, First Out (FIFO) principle, meaning that the first piece of data written into the pipe is the first to be read.
When you use curl to fetch a script and pipe it into bash, the script’s contents are streamed directly into memory. curl pulls the data from the server and writes it to the pipe, which acts as a buffer.
Execution:
The bash command reads from this buffer and executes each command in the script sequentially. This means the script runs entirely in memory, with no intermediary file saved on the disk.
As data is processed, it’s read from the pipe in the order it was written, allowing for seamless execution without leaving traces on the hard drive.
To fully understand how this is done in code, I started my VS Code and wrote the following program:
#include <stdlib.h>
int main() {
// Declaration of buffer
char buffer[1024];
size_t bytesRead;
// Read data from stdin (pipe input) and print it to stdout
while ((bytesRead = fread(buffer, 1, sizeof(buffer), stdin)) > 0) {
fwrite(buffer, 1, bytesRead, stdout);
}
return 0;
}
This program uses a buffer to read chunks of data (up to 1024 bytes at a time) from stdin using fread and writes these chunks to stdout using fwrite. It continues this process until all input data is processed.
Now, we can compile and run this C program:
This command compiles the C program into an executable named piping_example. Next, execute the program while piping the output of curl into it:
This command fetches the script.sh from the server and pipes its content into piping_example, which processes and prints the data to the terminal.
This demonstrates how piping can be used to handle data in memory, without creating temporary files on disk.
Detecting Fileless Malware
Detection of fileless malware can be quite complex. While I’m not an expert in this area, the folks at SandFly Security have done an excellent job addressing this topic. For a detailed guide on detecting fileless malware using command-line forensics and the memfd_create system call, check out their insightful post here: SandFly Security Blog.
Conclusion
In this post, we’ve explored the fundamentals of fileless malware and demonstrated how code can be executed directly in memory using techniques like piping. This approach reveals how fileless malware operates stealthily, leaving no trace on the disk.
In future posts, I’ll delve deeper into another fascinating aspect of memory-based operations: running binary files directly in memory. This will include detailed discussions on how binaries can be loaded, executed, and managed entirely within the memory space, further enhancing our understanding of advanced fileless techniques.
Stay tuned for a comprehensive examination of these memory-based execution strategies and how they can be used or detected.
