Quote:
Originally Posted by deroko
Actually, if I remember correctly, a few years back some guys found a bug in a Windows driver and managed to store the whole exploit/shellcode in a wrongly parsed registry key (which the driver parsed during boot). This could count as fileless persistent code.
I don't remember who did it, or what the article or PoC was named. It was a long time ago; if somebody remembers, it would be awesome to post a link.
The most famous fileless persistence was done by Poweliks, then by Kovter, and then by malware named Phase.
Poweliks: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377
Kovter: https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update
Phase: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3628
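Detection-side example, added here and not part of either post: a small scanner for an exported .reg file that flags autorun values of the kind these families used (a script host launched from the Run value with the script kept in the registry, and value names containing non-printable characters that regedit cannot display). The sample export, the indicator regex and the length threshold are constructed assumptions for illustration, not taken from the malware write-ups linked above.

```python
import re

# Constructed .reg export (not captured from a real host): one ordinary Run entry
# and one entry in the style of script-in-registry persistence, whose value name
# starts with a control character so it does not show up in regedit.
SAMPLE_REG = (
    'Windows Registry Editor Version 5.00\n\n'
    '[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
    '"OneDrive"="\\"C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\OneDrive.exe\\" /background"\n'
    '"\u0001a"="rundll32.exe javascript:\\"...\\";eval(\\"...payload placeholder...\\")"\n'
)

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
# Assumed indicators: inline script protocols, script hosts, encoded PowerShell.
SCRIPT_HOST_RE = re.compile(
    r'(?i)\b(javascript:|vbscript:|mshta(\.exe)?|wscript(\.exe)?|cscript(\.exe)?|'
    r'powershell(\.exe)?[^"]*\s-(e|ec|enc|encodedcommand)\b)')
LONG_DATA = 512  # assumed threshold; legitimate Run values are rarely this long


def unreg(s):
    """Undo .reg string escaping (backslash and quote)."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def suspicious_reasons(name, data):
    reasons = []
    if any(not c.isprintable() for c in name):
        reasons.append('value name contains non-printable characters')
    if SCRIPT_HOST_RE.search(data):
        reasons.append('value data launches a script host / inline script')
    if len(data) > LONG_DATA:
        reasons.append('value data unusually long (%d chars)' % len(data))
    return reasons


def scan_reg_export(text):
    """Return [{'key', 'name', 'reasons'}] for every value that trips a heuristic."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = '(Default)' if m.group(1) == '@' else unreg(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):  # REG_SZ; hex:/dword: kept raw
            data = unreg(data[1:-1])
        reasons = suspicious_reasons(name, data)
        if reasons:
            findings.append({'key': key, 'name': name, 'reasons': reasons})
    return findings
```

Run it over an export of the Run/RunOnce keys and any `shell\open\command` keys from a suspect host; each finding names the key, the (possibly unprintable) value name and why it was flagged.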