Explore the world of fileless malware in this 42-minute conference talk from Derbycon 7 (2017). Delve into the history, types, and stages of fileless malware infections, including delivery, execution, and persistence mechanisms. Examine interesting execution and persistence techniques, and analyze a real-world TrickBot campaign. Learn about password-protected Word documents, Poweliks delivery and persistence, DNS forwarding, PowerShell usage, and command retrieval. Gain insights into command and control structures, and discover defensive strategies against this evolving cyber threat.
Overview
Syllabus
Intro
Why This Talk?
Fileless Malware - A Brief History
Types of "Fileless" Malware
Stages of A Malware Infection
Malware: Droppers vs. Payloads
Delivery Stage
Execution Stage
Interesting Execution Mechanisms
Persistence Stage
Common Persistence Mechanisms
Interesting Persistence Mechanisms
EXAMPLE TRICKBOT CAMPAIGN
PASSWORD PROTECTED WORD DOC
PAYLOAD - TRICKBOT
Poweliks - Delivery
Poweliks - Persistence
Normal DNS Forwarding
Stage 2 - Persistence for Stage 3?
Stage 2 - Powershell
Stage 4 - Command Retrieval
Command & Control
Stage 4 - Command Output
Fileless Malware - Defense
