Fileless malware example

Fileless malware is malicious software that exists only as an in-memory artefact (in RAM) rather than as an executable on disk; when it persists across reboots, it does so through the operating system's own stores, such as registry values or scheduled tasks, rather than through a file of its own.
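The practical check that follows from that definition is to look where a fileless payload has to live in order to survive a reboot. The script below is an added example, not code from the video or its author: it walks the common Run/RunOnce registry keys and every scheduled-task action on the local host and flags entries that carry an encoded PowerShell command, a hidden or policy-bypassing launch, or a long base64 run, then decodes any `-EncodedCommand` argument (UTF-16LE, as powershell.exe expects). The list of registry keys and the indicator regex are assumptions chosen to match the registry and scheduled-task indicators discussed on this page; extend both for your environment.

```powershell
# Added example (not from the video): hunt for base64/encoded PowerShell stashed
# in autorun registry values or scheduled tasks instead of an executable on disk.
# Run in an elevated PowerShell 5.1+ console on the host you are inspecting.

# Autorun keys to inspect (assumption: the common ones; add more as needed).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Indicators (assumption): any -e/-enc/-EncodedCommand prefix followed by base64,
# a hidden window, an execution-policy bypass, inline base64 decoding, or a
# long base64 run sitting directly in the value.
$suspicious = '(?i)-e\w*\s+[A-Za-z0-9+/=]{40,}|-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|FromBase64String|[A-Za-z0-9+/]{200,}={0,2}'

function Test-EncodedCommand {
    param([string]$Text)
    return [bool]($Text -match $suspicious)
}

# Decode the argument after -e / -enc / -EncodedCommand (UTF-16LE, as powershell.exe expects).
function Decode-EncodedCommand {
    param([string]$Text)
    if ($Text -match '(?i)-e\w*\s+([A-Za-z0-9+/=]{40,})') {
        try {
            $bytes = [Convert]::FromBase64String($Matches[1])
            return [Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            return $null   # not valid base64: leave the raw value for manual review
        }
    }
    return $null
}

$findings = @()

# 1. Registry autoruns: every value under each Run key, whatever its name.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... added by the provider
        $value = [string]$p.Value
        if (Test-EncodedCommand $value) {
            $findings += [pscustomobject]@{
                Source  = "$key\$($p.Name)"
                Command = $value
                Decoded = Decode-EncodedCommand $value
            }
        }
    }
}

# 2. Scheduled tasks: check each action's executable plus its arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-EncodedCommand $cmd) {
            $findings += [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Command = $cmd
                Decoded = Decode-EncodedCommand $cmd
            }
        }
    }
}

$findings | Format-List
```

Treat hits as leads, not verdicts: some legitimate management tooling launches PowerShell with `-EncodedCommand` or a hidden window, so read the decoded text before acting. A decoded command that reads a further registry value, downloads from a URL, or re-decodes another base64 blob is the pattern worth chasing; the run key or task is only the stager, and the real payload may sit in a registry value elsewhere.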

Credit Robert P

Strings

ghidra

base64

Please subscribe, ring the bell and share this video.
(and comment)

This video is brought to you by the Virus Doctor. You will get a 15% discount on a course if you use coupon code Mickyj15.

Help give this channel a fighting chance!
Please share in your community, forums, user groups and blogs!

** To help fund this adventure, here are some of the products I recommend. **

Tools used
- virustotal
- Hybrid-analysis
- HexRays /IDA
- Process Hacker
- Process Monitor
- Wireshark
- many more specific to each video

..........: About the music :..........

Music Provided by the Following

Comments

Personal Plea: As you can appreciate, it is very hard to get noticed on YouTube. I am doing my best to educate other IT people (MSPs, technicians, engineers, resellers, VARs and hobbyists) so that we can know the tricks and fight back against malware.


The more education out there, the better our lives will be (and data safer).


I am an IT engineer. I am not a vlogger, a picture editor, a graphics artist or audio engineer. I make mistakes and am learning. YouTube is a tricky platform to navigate and to be heard on.


I appreciate every subscriber I get but what I really need ... is your feedback, your comments, your suggestions, video ideas and if you like a video, link it on your Facebook, Twitter, Forums, Reddit or other social media. Spread the word. I can only make this channel effective if people know about it.


If you find this helpful, insightful or engaging, let others know. If you hate the format, let me know. Every new video is made from advice from the last video.


Thanks everyone. You have all been great!

MichaelJenkin

Thank you for posting this. People like you are helping me learn more about these tactics. After I was hit with a nasty fileless malware suite (the hacker surely bought this on the dark web and spent good money on it because it was insanely sophisticated) I had the worst few weeks of my life securing my network, rebuilding it, and then securing my online accounts. This software was robust and even had the ability to remain persistent after a reformat. Later I found out my TP-Link router's FW was hacked. The LED lights on the front were set to shut off so I couldn't see that Wi-Fi was still enabled even if I hit the button to disable it. I'm sure it also hijacked my DNS requests as well.

Another thing it did after infecting my phone was create dummy Wi-Fi hotspots with the exact same names as the ones I used. I assume they did this to hack my WPA2 private key using some new warped man-in-the-middle attack that works on anything but the latest routers.

I've been building and configuring computers for years. I'm a hardware guy but I'm decent with software. I am no programmer, yet I've learned a little over the years and definitely use the command shell to automate a lot of tasks. But I've never known the damage PowerShell can cause, which is why I am doing everything I can to learn more about it. PowerShell does need more security, I believe, other than just app-guard and the ridiculous execution policy command that can be bypassed by anyone who can read and type.

slamscaper

Wow, that was intense and informative. Nice detective work, Micky.

TechDoctorTV

Has anyone else had fileless malware experiences? This was my first.

MichaelJenkin

Great video! I've analyzed a few Poweliks/Kovter variants. Pretty interesting stuff. Fileless malware seems to have relatively similar indicators in the registry and/or scheduled tasks to those shown in your demo. Would you be able to share the memdump? I'd be interested in reversing it myself.

trich

Interesting. It seems the part described in the video is merely the delivery mechanism that installs the payload into memory and schedules it for execution. Still unclear how the base64-encoded "payload" found its way into the registry in the first place.

JohnFHolliday

Great video. I've never encountered fileless malware, but this video is inspiring. Do you have a link from where I can download this malware? I want to study it with your video's help and write it up.

kad

Was this malware used in an attack? What’s the method of infection? And do you have a link to a report if it was used in an attack?

SideRocketeer

I would argue to the media that %SystemRoot%\System32\Config and ntuser.dat are files at the end of the day. I think the name "fileless malware" is a little too hyped, lol!

Anon-tjqb