One-Click Fileless Infection

Wednesday 5 October 16:00 - 16:30, Green room

Himanshu Anand (Symantec)
Chastine Menrige (Symantec)

In the last year, there has been growing interest in a technique known as fileless infection, where malware authors compromise computers without writing any files to disk. This technique allows the threat to evade detection from file-scanning software while still remaining persistent.

This paper will explain the different fileless infection methods, as well as a new tactic which can allow attackers to perform fileless infection using a classic one-click fraud attack and non-PE files.

Traditional malware is contained in a file on disk. A registry run key links to this file in order to make the threat persistent. With a fileless infection, the malware does not exist on the compromised computer as a normal file. Instead, it is located in a subkey within the computer's registry as a script, such as Windows PowerShell, VBScript, or JavaScript. The payload in the registry is called every time Windows starts.

The one-click fileless infection technique we've seen uses JavaScript, though different scripts could also work. The infection arrives on the computer through an .hta file, which places the JavaScript payload into a registry subkey. The JavaScript code can be triggered every time Windows starts by calling: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('payload');

The JavaScript code can read and decode encoded data from another subkey. This data injects the payload into memory. Every few minutes, the payload checks for its registry entry. If the entry has been deleted, then the payload recreates it so that the infection remains persistent.

The first widespread threat we saw using the fileless infection technique was Trojan.Poweliks in 2014. Many other trojans followed suit as they evolved: Trojan.Bedep and Trojan.Kovter adopted the same technique after Poweliks.

Based on our research, the most common infection vectors for this technique include the following:

  1. Drive-by downloads / Exploit kits: In August 2014, the Angler EK became the first kit to infect a computer without writing the malware on the disk. Instead, the malware was injected directly into the process running the exploit plug-in. Over time, we have seen more instances of fileless infections using this infection vector.
  2. Downloaders: Through this method, the downloader is written onto disk. Once it gets executed, it will retrieve the final payload and may delete itself. The final payload remains in memory, acting as the fileless infection. 
  3. One-click fraud: One-click fraud, which mostly targets Japanese and Chinese users, tricks a user into clicking a tempting offer. If this works, then a malicious file is downloaded onto the computer without the user's knowledge. The threat displays annoying/obscene pop-ups and asks the user to pay to remove them, in a similar manner to ransomware. A variant of Kovter, which is known for click-fraud, included fileless infection capabilities. While we haven't seen many threats conducting one-click fraud in a fileless manner, sooner or later attackers may engage in this method, as it is PE-free, exploit-free, and harder to detect. This is something that our paper will explore.

Our paper will explain and compare the most common ways in which malware authors use fileless infections today. We will discuss areas where we expect these methods to be used soon.

Click here for more details about the conference.



Himanshu Anand

Himanshu Anand has been working with Symantec since 2013 as a security response engineer with the IPS OPS Team. He is the founding member of Linux User Group-Jaipur (#LUG-Jaipur freenode) and one of the first students of Malware Must Die (MMD). His research areas of interest include exploit writing & analysis, fuzzing, and hardware hacking. In his work with Symantec he deals with providing network base coverage for server-side as well as client-side attacks. He has spoken at numerous engineering colleges and open security conferences.


108x129-Chastine Menrige.jpg

Chastine Menrige

Chastine Menrige has over nine years of experience in threat research. Her previous role at Trend Micro involved mainly malware analysis and investigation of APT attacks. Currently, she is working for Symantec helping to provide network protection for both client- and server-side attacks and is doing research into remote code execution vulnerabilities, exploit kits and malware. In 2013, she spoke at a hacking conference in the Philippines, ROOTCon.