02-18-2017, 00:17
Shub-Nigurrath (VIP; Join Date: Mar 2004; Location: Obscure Kadath; Posts: 971)
fileless malware

Hi all,
Fileless malware is on the rise (see the latest Duqu), because thanks to some PowerShell tricks anyone can write it easily. The learning curve for fileless malware is now extremely low.
In the past you had to, at least, implement a DLL-in-memory loader (I wrote a tutorial about this a few years ago; you can find it around as "Loading_a_DLL_from_memory_Shub-Nigurrath_v12.rar").

Duqu rise: https://www.schneier.com/blog/archives/2017/02/duqu_malware_te.html

Some frameworks to create similar payloads:

https://github.com/Genetic-Malware/Ebowla is a framework for making environmentally keyed payloads with reflective DLLs, shellcode, PowerShell.
https://github.com/byt3bl33d3r/CrackMapExec is an OPSEC-safe tool for pentesting Windows/Active Directory environments.
https://github.com/n1nj4sec/pupy is a RAT written in Python and therefore cross-platform, with a very low footprint.
https://github.com/EmpireProject is simply a PowerShell post-exploitation agent.

Shub
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com