Hello, Dave? Meet The First Fileless Malware

https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/

Our basic concept of malware is that it is contained in a file, which is then executed. This file might be in the form of raw code or an executable file. But Kaspersky Lab has detected a new type of malware, one that doesn’t have a file. With GriftHorse, the malware injects encrypted shellcode into the Windows event logs. It then waits for the logs to be processed, at which point the code is injected into the system.

The shellcode finds the address of the Trojan, which is contained within the event log. It then computes a standard ROR13 hash of the function named “Load” and uses it to locate that function inside the Trojan:

Figure: Shell code [here]

With ROR13 we take each 8-bit character of the module name and widen it to a 16-bit Unicode value (the function name is hashed as plain ASCII). Before each character value is added, the running 32-bit hash is rotated right by thirteen places:

(dword >> 13 | dword << (32 - 13)) & 0xFFFFFFFF

The result is an accumulation of these values (we simply sum the values). For “Load” we get the value 0xE124D840. We can test this with the following Python program [here]:

# Some code extracted from https://github.com/iagox86/nbtool/blob/master/samples/shellcode-win32/hash.py
import sys

def ror(dword, bits):
    # Rotate a 32-bit value right by `bits`, masking the result back to 32 bits
    return (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF

def unicode(string, uppercase=True):
    # Widen each 8-bit character to 16 bits by appending a NUL byte;
    # module names are upper-cased first so their hash is case-insensitive
    result = ""
    if uppercase:
        string = string.upper()
    for c in string:
        result += c + "\x00"
    return result

def hash(module, function, bits=13, print_hash=True):
    module_hash = 0
    function_hash = 0
    # Module name: NUL-terminated, 16-bit characters; rotate, then add each byte
    for c in unicode(module + "\x00"):
        module_hash = ror(module_hash, bits)
        module_hash += ord(c)
    # Function name: NUL-terminated ASCII, same rotate-then-add
    for c in str(function + "\x00"):
        function_hash = ror(function_hash, bits)
        function_hash += ord(c)
    # The combined hash is the 32-bit sum of the two running hashes
    h = (module_hash + function_hash) & 0xFFFFFFFF
    return h

module = "wininet.dll"
function = "InternetOpenA"
if len(sys.argv) > 1:
    module = str(sys.argv[1])
if len(sys.argv) > 2:
    function = str(sys.argv[2])
print("Module: ", module)
print("Function: ", function)
print('ROR13 Hash: 0x%X' % hash(module, function))
print('Module ROR13 hash: 0x%X' % hash(module, ""))
print('Function ROR13 hash: 0x%X' % hash("", function))

And use:

python ror13.py test Load
Module: test
Function: Load
ROR13 Hash: 0x927810A
Module ROR13 hash: 0x2802A8CA
Function ROR13 hash: 0xE124D840
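
The hash on its own is a one-way value, so an analyst triaging a sample goes the other way: pre-compute ROR13 hashes for known exports and resolve the constants found in the shellcode back to names. The following is an added example (not code from the original post or from Kaspersky's analysis); the export list is a constructed stand-in for a table generated from real DLL export directories.

```python
# Added example (not from the original post): build a lookup table of ROR13
# API hashes and resolve 32-bit constants lifted from a sample back to
# "module!function" names, as an analyst does when triaging shellcode.

def ror(dword, bits=13):
    """Rotate a 32-bit value right by `bits` (13 for ROR13)."""
    return ((dword >> bits) | (dword << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(module, function):
    """Same scheme as the script above: the module name is upper-cased and
    hashed as 16-bit characters (UTF-16LE, NUL-terminated), the function
    name as plain ASCII (NUL-terminated); every byte is folded in with a
    rotate-then-add, and the two running hashes are summed modulo 2**32."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16le"):
        h_mod = (ror(h_mod) + b) & 0xFFFFFFFF
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror(h_fn) + b) & 0xFFFFFFFF
    return (h_mod + h_fn) & 0xFFFFFFFF


# Constructed export list (assumption: a real table is generated from the
# export directories of the DLLs of interest, e.g. with pefile).
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"],
    "wininet.dll": ["InternetOpenA"],
    "": ["Load"],  # module-less hash, as in the "Function ROR13 hash" output
}


def build_hash_table(exports):
    """Map every ROR13 hash to its 'module!function' (or bare function) name."""
    return {ror13_hash(m, f): (f"{m}!{f}" if m else f)
            for m, fs in exports.items() for f in fs}


def resolve_hashes(constants, table):
    """Look up each constant; unknown hashes map to None for manual follow-up."""
    return {c: table.get(c) for c in constants}


if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    # Constructed sample: the "Load" hash from the post plus one unknown value.
    for h, name in resolve_hashes([0xE124D840, 0xDEADBEEF], table).items():
        print(f"0x{h:08X} -> {name or '<unresolved>'}")
```

Unresolved constants are the ones worth a closer look, since they point at exports missing from the table or at a hashing variant other than ROR13.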

Within a Windows executable file we see the magic number “MZ”. The shellcode then invokes another Trojan program and removes the “MZ” magic number from the file in order to evade scanners. The Trojan program is run from a hardcoded hash and uses the arguments “dave” and “4”.

Conclusions

And so attacks become more sophisticated, with malware writers finding new ways to hide their code.