Fileless Malware: The Attack That Lives in Memory

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we'll get into something, uh, that I'll be honest,

pushed the edges of my knowledge We're talking about fless malware, the kind

of attack that never touches your hard drive lives entirely in memory and can

steal your credentials before antivirus.

Even knows that it's there.

Uh, we've of course got our, my co-author, Dr. Mike Sailor with me,

and he breaks it down in a way that, that I think helps make it sense.

But more importantly, the at, at the end of the episode, we get

into some real things that you can do to protect yourself, not only

from this threat, but many others.

And I think of particular interest as a discussion we

have on, uh, Mike's view of MFA.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr. Backup.

And I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss there were no backups of the production

database that we just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated backup admins into cyber recovery heroes.

This is to back up, wrap up.

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have with me a guide that

is, I think, just as excited as I am, that I got rid of a problematic tenant.

Yes, I am excited.

Well, I'm also kind of sad, but it's okay.

I hope you have less stress over the next many, many months,

Curtis, and I hope that, uh,

Yeah.

you enjoy having the house

Yeah.

Uh, it, it's been something we started doing, you know,

for those that don't know.

About a few years ago we've been experimenting with

renting rooms out and, uh.

Let's just say not all of the tenants are the same.

And, uh, there was a very problematic tenant and I am now problematic

tenant free as of two days ago.

And, uh, like I said, you were, you were my problematic tenant advisor

I think during this, uh, as usual,

to be your advisor for many

things.

Yes.

All right.

Speaking of problematic tenets, we also have Dr. Mike Sailor on with us, my

co-author of our book, learning Ransomware Response and Recovery, which if you're

watching us on YouTube by the same channel name, you can see me pointing up at it,

uh, that, that just started shipping.

Are you excited, Mike?

I am so excited.

You know you're gonna, you're gonna get, uh, you're gonna get one day, but it's

gonna show up in our hot little hands.

I'm very excited about that.

Hmm.

I expect a signed copy from you, sir.

Yeah.

We'll have to exchange copies

then.

'cause I, I would love to do

yeah, yeah.

Uh, maybe I'll just show up at your house or something.

Hmm.

Come

on,

get

bring your boots,

get some barbecue.

put you to work.

Yeah.

Yeah.

All right.

Yeah, so for, for those that don't know, Mike and I have never met in person.

Just, uh, you know, virtually like this in the Matrix.

So, um, so today, Mike, I'm gonna be very blunt.

A lot of times I, you know, I, I play the dumb guy in the room and I, I just

ask dumb questions, but I actually know what the answer is in this episode.

Uh, I am definitely

Don't take my job.

Wait, what was that persona?

Don't take my job.

yeah.

Usually you're playing the guy, the dumb guy in the room on

our, our typical recordings.

But in this episode, uh, I think both of us are playing the dumb guy in the room.

But the, but in this case, this is this thing that we're gonna talk about

today, I think is very interesting.

But it definitely, I'm, I'm gonna say a couple things about it.

One is it's definitely way out there on the edge of my, my understanding.

And two, I think this is one of those things where.

You should listen to some of the other episodes first, right?

Some of the things, you know, solve those things first.

But this is something I do think you should be aware of, but when we, when we

get to the, to the, um, do you call it?

Um.

Um, the, the action items, the action items, I, I would say, are a little

bit more advanced than the typical action items that we talk about.

And so it's a bit like, you know, don't start talking about investing in a 401k.

You don't have like a, a, um.

An emergency fund.

Right.

That, that's, it's sort of like that.

So this is sort of the 401k part.

But anyway, we are talking today about something called violist malware.

Do you wanna explain that to, to the mere mortals in the room?

Sure.

So malware, traditionally, and,

and, and, you know, malware short for malicious software, software being

indicative of something that you would download and install on your computer.

And tools, security tools that are out there today to, to try and detect

and prevent that, uh, fundamentally look for things that are written to

the, the hard drive on a computer.

So if I download it, it, it traverses memory, but then as I, depending on,

on what it is, as I interact with that, it's, it's installed or written to or

saved to hard drive in your computer.

And so, uh, one of the efforts of bad guys to try and, uh, maintain some success

at infecting computers, and it, it, it is limited to certain types of attacks.

Uh, so instead of downloading something to be written to the, to

the hard drive in your computer, it's downloaded and is simply resident

in the memory of the computer.

Uh, and it, there are some tactics too.

Uh, 'cause if, if you think about it, uh, similar to my memory, when

I go to sleep at night, it, you get, you know, completely erased.

Uh, I wake up fresh the next day.

Well, computers are very similar when you turn it off and it's truly powered off.

Um, that memory also called volatile memory.

Uh, which requires power to maintain its content goes away.

Uh, so I've got malware and memory and I turn my computer off and restart it.

It shouldn't be there anymore.

Uh, but bad guys have have figured that out.

Uh, and so what they'll do is instead of writing hardware to, uh,

writing software to your hardware, uh, they will make modifications to

the way your operating system works.

So that if you think I'll just turn it off and erase all that bad stuff and turn

it back on when, when it comes back on, uh, what they've written to the operating

system, reinfect your memory, uh, and they're able to continue that attack.

Mike.

This is fascinating 'cause I don't think most people think about this.

The second use case you talked about though, modifying the operating system.

I know I've heard in the past where, uh, malware actors, uh,

infect the UEFI boot on for like a window system that's sort of like.

Things that happen before the operating system comes up, it's

not technically written to disc.

Are those the sort of things you're talking about in terms of modifying

the operating system in order to sort of provide that persistence without

necessarily writing to a hard disc or SSD.

Sort of, uh, but, uh, some of what you described, the UFE,

the UA, the UEFI also called the baseboard management controller.

Um.

Those are, you have to be in, you have to be on the same network, like physical

network and, and or even physically connected for those types of attacks.

But definitely possible.

Uh, what,

what most bad guys are doing with the fless memory stuff is it's, uh,

you know, embedded in an email or,

uh, embedded in a, a website.

Um, and so.

A lot of that content, like if you, if you open a, an email that's got

a lot of rich content like HTML, those graphics are stored in memory

while you're viewing that file.

When you go to that website and there's animation or a lot of content,

a lot of that is stored in memory.

Uh, to make the best, you know, your best.

Uh.

Uh, interaction with whatever, you know, that that artwork or, or website is.

Um, and so that's what they're taking advantage of.

What is it that's being written to memory during these different types

of activities that I can hide malware in that isn't gonna be detected by

traditional antivirus anti M malware software that's looking for stuff

getting written to the disc now today.

some of the newer computers have these, you know, TPM modules and

different hardware that looks for rogue addressing in memory.

Rogue Read writes in memory.

Um, and so it's getting better and I think we're evolving into, you know, some

capabilities to, to mitigate that threat.

But for the most part, you know, people are, are still

being victimized by this fless

Do you wanna talk about the arc, GIS, um, attack and how

this falls under that, um, idea?

Sure.

And, and you know, in, in another episode, we, we, we covered living off the land,

uh, type of attacks and similarly, uh, memory resident or file this, uh, malware.

It isn't talked about as much as part of an overall attack

because it was just a piece of it.

And very often you'll get the file is malware component that then evolves

into living off the land or vice versa, or even combined at the same time.

And so, uh, you know, living off the land, we, we had talked about

PowerShell as being one of those, uh, very frequently used tools.

Same happens in, in, uh, fileless.

attacks, you know, we compromise memory.

Uh, a lot of times memory is where credentials are stored.

Uh, if I'm logged in as admin, especially if it's across a session, uh, RDP or

or, or in a web session, a lot of that's stored in memory and I can utilize

that then to run services with those credentials, um, or simply run, um.

Run malware and memory to harvest those credentials.

And so very often, the file memory, the fileless, uh, uh, malware is very

focused on credentials and how can I use session, uh, and credential type,

um, uh, information to conduct more.

I guess in some cases, living off the land would be an evolution or

simply, uh, you know, remote access.

You know, those, those, uh, initial access brokers, that's all they're

after is credentials and so they'll.

they'll.

infect a website, uh, and, and do like a waterhole attack and, and get a bunch

of people to go to this website and then just harvest all those credentials.

Um, but in particular attacks.

Um, and, and there's, there's tons of examples of, of this, uh,

where it's, it's a, uh, it's a spectrum of of, of attack types.

You know, is it just credentials and persistence or is it That evolves into

something a lot more complex and, and broad sweeping across a whole enterprise.

Um, and one of the

things that I mentioned a second ago is, you know, I can, I can infect

a machine and in order to maintain persistence, I'm the, one of the first

things I'll do is modify the registry.

Uh, and there's, there's a couple of different keys in the registry

for startup and, uh, initialization.

And I will just inject myself into that in a. Kind of a nondescript way so

that you, you know, it doesn't say, you know, reinfect this computer on startup.

It says something, you know, you wouldn't necessarily recognize.

Um, or it looks, it looks like something that might need to be there, so that

when you reboot that computer, uh, it, it reinfect, you know, it, um, uh, I maintain

that persistence even after reboot.

I know that

yes, sir.

in the, in the case of the Arc GIS attack, it looks like

they, they modified the actual.

Base software, right.

That, that the tool did.

So that anytime they would reload, they, anytime they reboot the server, they would

restart that software and that would then, um, implement their, their hack, whatever,

whatever it was that they were doing.

And they were in there for two years.

Yeah, there's a lot of trip wires and, and contingencies

that bad guys will, will employ.

And sometimes you don't know what those are, uh, until you, you trip over one.

And so we see this a lot in, in forensics.

Uh, where bad guys have stuff on their computer and it, and it's completely

fine in its current state, but once you, once you reboot the computer

or you start it up in safe mode or whatever it is, uh, their malware is

looking for those types of activities.

And then it triggers some, know, uh, you know, backdoor,

booby, trap, what have you.

And so in, in the case that you had mentioned, what bad guys

did was they, um, they created some persistence by rewriting.

Uh, the operating system on the disc during a reboot.

Uh, so they're in memory, they modify the startup file and, you know, there's

any number of, um, references to startup files, whether it's registry or uh, or

some initialization file, whatever it is.

Um, and so on, on reboot.

It then writes like a ton of things do.

As soon as you tell a machine to shut down, it does nothing but write stuff.

And so it's hiding.

Its its activities in the, in the trash, right?

You kind of like when, when, uh, the Millennium Falcon let go of the destroyer

before they went to Lightspeed, they, they let all their trash go and they

just un docked with all the trash.

Well, very similarly, uh, file this memory.

Bad guys realize what's going on.

And so even, fileless malware resident in memory can force.

An over utilization of resources to make you think, oh, my com my, I bet my

computer will work better after I reboot.

And so the, the malware now goes, all right, I see the, the, the

initialization command for reboot.

I'm gonna start writing stuff to the drive while everything

else is, and when it reboots.

I've actually got stuff now on the drive that can run.

And be more effective than just me in memory.

But at the same time, when it reboots, I'll be back in memory.

Also, one in your case, uh, Curtis, uh, they rewrote the operating

system so that they were like hardcoded embedded in that malware.

You would've had to have completely reformatted and rebuilt that

machine from scratch to get rid of

Yeah, which is what they ended up doing.

They had to like re-image all the systems.

By the way.

Great Star, star Wars reference, uh, bringing Star Wars into, uh, ransomware.

So you're talking about fileless malware.

Does that imply though that it is limited in reach to just a single machine,

that its world is that single machine?

I know you talked about maybe a bad actor might have multiple people go visit the

same website, like the watering hole example, but really kind of like what it's

doing is limited in scope to that machine.

It's not necessarily spreading across to other machines and that sort

of thing, or is that not the case?

Well, truly, uh, memory only resident malware would only affect the machine

that it, that, um, that's hosting it.

Um.

But very rarely does it stay in memory.

Uh, that's just, it's, it's

springboard, it's jumping off

point and that's it.

That's the silent, you know, stealthy phase one recon, um,

foothold, um, part of the attack.

Uh, it can escalate very quickly and, and once it's figured out what it

needs to do next, uh, whether that's infect the rest of this computer or

realizing it has access to a bunch of stuff, which is memory resident.

So when you, when you log into a network and you've got a bunch of

network shares, all that, all those authentication tokens come through memory.

Mm-hmm.

malware can go, oh, I know you've got a C drive, an S drive.

A U drive, right?

And so it realizes all that stuff, and when it's ready, it'll deploy and,

and become more active, uh, across a physical, more of the physical,

uh, parts of the environment.

You, you know, you got, you, you, you put the phrase silent, but

deadly in my, uh, in my brain.

Uh, because inside I'm still five.

Um, all right, let's talk, let's talk a little bit about what we can do and, and

when we were looking at this particular episode, this is why I started, um, saying

that I, I, I think the first one here on our list is one that we talk a lot

about, and that is MFA and specifically, uh, doing, um, phishing resistant, MFA.

Do you wanna talk what that is?

Uh,

well, I have a, I have a, I have an inherent, uh, uh, bias with,

with MFA, not because the, uh.

I think technically MFA is good, um, but realistically it's, it's

rarely implemented effectively.

In other words, you know, a company can turn MFA on, but then they

let people store their passwords and their credentials in the

browser, or let this computer be trusted so I don't have to do MFA.

Again, MFA only works if you do it every

Mm-hmm.

It's only effective if you do it every time.

And bad guys know that we we're lazy, so we'll save stuff.

Well now when malware comes into our environment, one of the first

places it looks is our web cache.

Like what have you stored?

And if I can, and I'm glad you, I'm glad you've developed the, the discipline of

using dedicated browsers for your banking.

Because what bad guys will do is they'll, they'll have an infected website and

just by going there, it harvests all the current session tokens from all

of your other tabs that you have open.

Uh, and so now if, if I can do that and, and and be quick about it, I could

potentially hijack a session you've got open with, you know, Google or your

bank or, um, whatever else, office 365.

Um, if I've got a, an MFA token outta your browser, I can quickly

hijack that session and potentially, you know, uh, authenticate without

any bells and whistles going off.

So are you saying then, Mike, that the best form of security is

to write post-it notes with your passwords and keep 'em on your desk?

No, no, I, I'm saying that you need, you need to find what works for you

from a security perspective that allows you to do whatever that is every time.

You know, we, I was the CIO for a financial institution and we implemented

biometrics and as you use the biometrics, it incorporated both the bios, the

BitLocker encryption, and your office 365.

Well, the workforce would not support that.

They hated biometrics and they, they intentionally made a,

a political issue out of it.

And we had, we ended up having to give the, the executive over

that team the 28 character.

BitLocker key for all those laptops because it didn't fit the culture.

And from a, from an audit compliance governance perspective, you wanna

make sure that the controls that you implement are designed well.

'cause if they're not, people are gonna circumvent them and

they, they're just not effective.

Uh, the, the analogy I use a lot is, uh, Texas a and m University,

whenever they build a new building.

They don't pave the sidewalks, they let people walk through the

grass for a period of time, and that's where they put the sidewalk.

So that's a good control design.

So from a security perspective, whether that's MFA or passwords or whatever

it is, figure out what's gonna work best for you and that, you know,

complies with minimum requirements from an organization or whatever.

Using the same password everywhere is bad.

Um, writing it down's bad, saving, it's bad trusting a computer's bad.

So what is it that I can do that isn't bad that I'm okay doing every time?

You just gotta figure that out.

And so, uh, your, your response, your initial response was interesting.

And so obviously you're not saying MFA bad, you're just saying per perhaps

maybe a lot of implementations of MFA are bad, but also, and I I think you

would agree that, that paske would be better, but MFA it it, but I, I don't

think you're saying don't do MFA.

Uh, like, you know, this is a good, better, best thing, right?

So don't do passwords without MFA.

Please don't do that.

Right?

So if you have to use passwords, you're gonna use MFA.

But what, I don't wanna put words in your mouth, but let me, let me see

if I can tell me if I, if I'm right.

And that is, you know, obviously don't do passwords that matter without

MFA and don't do MFA in a way that, like, I, I liked your, your way of

the, this idea of not allowing people to save those things in a way that.

Would allow that, that session to be hacked, uh, and try to get to a

place where MFA is no longer relevant.

Try to get to a place where we're doing a, a Fido compliant passkey.

How did I do?

I think you did really well.

And one of the things I want to add to that is the, the value of MFA.

I think a lot of people think MFA is just designed to keep bad people out.

MFA is also designed to let you know when bad people are trying to get in,

Mm-hmm.

So you get an email that goes, here's your code.

Like, I didn't ask for a code.

Well, maybe now I need to go change my password.

Because if they were able to get to the code part, they already know my password.

Right.

So it's also an indication that someone other than you might be

trying to access your accounts

I got a request I,

just click accept.

a Venmo code today, by the way.

Oh, right on.

Well, so if you, if you save your MFA, if you trust that machine,

then you won't know when somebody is trying to access your account.

So MFA.

So passwords.

Passwords are just a, a delay.

Bad guys can get your account if it only has a password on it over over time.

You know, it's not today, it's probably not tomorrow, it could be

next year, especially if you use the same password across multiple accounts.

But if you use MFA on top of a password, you're at least

making it more difficult, right?

So in the real world, uh.

Do you just have a lock on your handle or do you also have a deadbolt?

Right, so the multifactor part of that is having more than one thing that

people need to authenticate to an account and the multifactor authentication

part of that would be every time.

So when you leave your house, do you just lock the the handle or do you also

lock the deadbolt every time?

Curtis Locks, neither

Actually, you know what?

doors locked themselves.

you know what I like your, some would say kinetic example.

Um, my new word, by the way, my, I have smart locks.

My smart locks are for me.

And what they do is they lock five minutes.

They lock every five minutes whether I'm inside the house or outside the house.

So if I forget to lock them, they just lock.

Um, anyway, uh, so in interest of time, I wanna move on to this.

Again, this is a maturity level.

One of the, one of the first things, once we get all these base things

outta the way, it's time to tar start talking about EDR or XDR.

Do you want to talk about what that is and why?

Why I might wanna put it in and the kinds of things I might want

to think about if I'm doing that,

So EDR today is an evolution of just, you know, our old antivirus, anti-malware.

Um, and it's designed to.

by the way, uh, endpoint

endpoint detection

response.

So anti-malware historically is really good at saying that that looks bad

and I'm not gonna let it do anything.

So we just quarantine it and then you would have to go into the console and

look at all the stuff that's quarantined and decide, uh, I, I need that, or

I don't, uh, you know, delete it or make sure this doesn't happen again.

And that was typically on a. On one machine to one machine basis.

And then over time, they figured out a way to network all that together so

that the people in it or the people that care can log into just one screen

and see everybody's, uh, you know, the status of everybody's, uh, antivirus,

anti malware, uh, but very rarely was it capable of, of taking action on its own.

Right?

So, aside from quarantining, it didn't rewrite rules or policy,

uh, it didn't think ahead.

Uh, it didn't correlate events across different devices to say, well, I think

it started on Bob's computer and then it ended up on Sally's computer and,

you know, it changed something, but I think it's the same attack and it

came from the same place and just not very good analytics and correlation.

So EDR is an evolution of that.

Uh, so with EDR and especially some of the newer ones that have some AI

embedded in it, uh, it can take, um.

You know, informed or intelligent action.

Uh, so in addition to saying, you know, user on this computer did something

stupid or something weird got installed and it's doing something stupid, so

now I can con, I can quarantine or isolate the device, the whole device

from the network or just the file or just its activity or just the user.

And if I've got it configured right.

And I think the user's compromised.

My EDR can now reach out to active directory on my network and suspend

that user account from doing anything anywhere else in my environment.

So whether that's Office 365 or uh, remote access, or whatever the case may be.

And then the other important part about

uh, EDR tools today is their ability to integrate into much broader

cybersecurity tools like XDR.

So extended detection response.

Is XDR and so on the ED on the EDR level, I can only see what's going

on on my computers and my servers.

So I don't see network traffic, I don't see firewall, I don't

see anything in the cloud.

So you need an XDR tool that collects what we would consult the anything on the

inside of a network we call, uh, east West traffic and anything coming in and out of

the network we call North South traffic.

So EDR is good at East, west XDR on its own is good.

At north South, you really need both to get the whole north, south,

north, south, east, west traffic.

So you've got a better picture of what came in your environment, what's going

out of your environment, what's happening inside your environment, and with those

tools collectively now, if an endpoint gets compromised inside your network.

I can look in, I can look at the firewall.

Where'd it go?

Where's it, who's it talking to?

Can I block that IP address?

Can I write rules on the firewall?

Can I isolate the machine?

Can I suspend the user?

Can I look across the entire environment and all my email and all the attachments

and figure out what's going on here and how can I prevent this from spreading?

It's, it's a pretty huge, uh, capability, um, uh, with the

tools that are out there today.

And that would also cover fileless malware.

It would, so it's, uh, more recent EDR tools.

Look at memory resident.

And so there's agents on each computer.

Uh, we use Huntress as an example.

Uh, and Huntress is amazing at doing.

Uh, volatile memory analysis, uh, behavior analysis.

Um, it sandboxes things.

So the, for the couple of microseconds after you install something, it goes,

lemme see how you're gonna behave.

even though some malware today will behave nicely at first, um, it

continues to do a pretty good job.

And then it's integration with all these other tools as far

as the ability to respond and remediates, uh, pretty impressive.

Yeah, I, you know, when I was, um, hang on, I went the wrong way.

I was getting ready for the book.

I got this little thing right.

I'm,

What is it, say Curtis, or people who are

a afternoon read.

As you can see,

The heart of memory forensics.

Yep.

it's a. It's, it's 800 pages, I'm just saying.

Anyway, uh, yeah, memory forensics, you know, definitely an advanced topic.

I like this idea of, of having a tool that can.

They can do, uh, some of that work for you.

Um, all right, so the, I I like the idea, you know, we talked once again reiterated

the idea of putting more barriers in the way of, um, if someone steals your

credentials, more barriers in the way of, of them being able to use those.

I like this idea.

Uh, again, you, you, you, you said more than once, you said this idea of

not saving the things that you know.

You know, and, and you shouldn't do it as a person, but it sounds like in a, in

a corporate environment, you should be setting up so that they're not able to

save that for the credentials that matter.

Uh

Yeah, don't, don't put the key under the rock by the front door.

oh.

Okay.

Do people still do that?

Hang on, I'll be right back.

All right.

Well, thank you.

Thank you, Mike.

Uh, like I said, I, I definitely felt like the dumb guy in the room in this one,

but, um, uh, I think the, I think the.

The recommendations at the end will work for pretty much a, a lot of

these things that we talk about.

Um, you know, uh, put those barriers in, in the way.

And, um, and then also when you get to that, when you get, when you're

ready to take things to the next step, it's time for an E-D-R-X-D-R tool.

All right.

Thank you very much, Mike.

Anytime.

right.

And thanks, Prasanna.

How you doing?

Hello.

All right, everyone.

Thanks for listening.

That is a wrap.