Akamai Diversity

Akamai Security Intelligence
& Threat Research

Detecting file-less malware with file-less detection

File-less malware is malware that exists exclusively as a computer memory-based artifact (i.e., in RAM). It doesn't write any of its activities to the hard drive, so it has no footprint in the file system. According to Carbon Black, this type of attack is on the rise: 97% of their customers were targeted by a file-less malware in 2016. The reason for its proliferation? Quite simply, it works.

Fortunately, there are file-less detection technologies out there. We discuss one in this post.

Our approach
The approach used by Nominum, now part of Akamai, Security Research to detect file-less attacks is through our patented Domain2Vec (D2V) correlation algorithm. Simply put, D2V forms clusters of domains with a high correlation rate, based on domain patterns, query type patterns, and the clients making the queries. To complement this approach, another tool, Domain Reputation System (DRS) is used to correlate every domain with multiple known malicious names, without clustering: maliciousness confidence is propagated when an unknown domain A is correlated with known malicious domains B, C and D.

If a D2V cluster has characteristics related to a known family of malware, D2V flags the entire set of names as part of that malware family. If there is no known malware family that resembles the patterns of a cluster, it will be tagged as 'unknown'; not 'good' or 'bad' - just 'unknown.' Needless to say, to make this algorithm effective in detecting real-world threats, you need to feed it a huge volume of data: billions of queries every day, which we at Nominum do.

The main advantage of Nominum's approach, in this case, is that it's also 'file-less'. Thus, there's no need to identify a malicious file in order to block it, we just need to reach a high level of confidence in the maliciousness of a domain. This makes the time to block these malicious domains much shorter than other approaches.

A Real-world Example
On June 20th of this year, D2V generated a list which included a number of highly correlated domains, including:


Soplifan[.]ru was interesting. In a selected hour during that day, 5,225 unique clients queried it, and it was not flagged by any security vendors. The other domains were tagged by other vendors as generic "call home" malware domains, which means no specific malware family was identified for them. Soplifan[.]ru also shared the same C-block (or part of the IP address sequence) with some additional malicious domains, which, by association, indicted it as 'malicious.'

"Guilt by association" is a necessary approach in today's cybercrime detection. Since attackers and the malware they create to get more sophisticated and their evasion techniques improve, the way to quickly and effectively detect attacks is applying Aesop's 2,500 year-old-moral: "A man is known by the company he keeps." There was very little data mining and even less big data in Aesop's days so he couldn't empirically prove this moral... but today, our data and algorithms confirm his theory, with very few false-positives.

Back to our days: a few days after the initial detection, additional 'generically tagged' domains were found as highly correlated to soplifan[.]ru:


...And another batch of domains appeared on July 18th:


The fact that by July 18th, almost a month after our initial detection of this domain cluster, no security vendor was able to either detect the domains or associate them to a specific malware family made us determine that this was likely a file-less attack. The first time soplifan[.]ru was identified by the major antivirus providers was August 15th, after several security researchers published their analysis around it. Again, since there was no file to analyze, all file-analysis-based approaches failed.

Eventually, the attack that used soplifan[.]ru was a file-less attack, with the end-goal of generating click-fraud traffic, and the entire process of the attack is described here:

  1. Malware arrives on the target system via Auto-start registry key
  2. Autorun key {CLSID} executes powershell to load shell code stored in Classes key
  3. Shell code injects malicious code in Werfault.exe and msiexec.exe
  4. Malware runs in memory and tries connection to "https://soplifan.ru"

The specific malware was identified as JS_POWMET dropper and TROJ_PSINJECT Powershell script. While our detection approach was agnostic to this entire endpoint processes, it was still able to rapidly identify and block the attack, simply by digesting huge amounts of data, streaming them through D2V, and finding 'malicious' correlations.

Leave a comment