1. Home
  2. Techniques
  3. Enterprise
  4. Obfuscated Files or Information
  5. Fileless Storage

Obfuscated Files or Information: Fileless Storage

ID Name
T1027.001 Binary Padding
T1027.002 Software Packing
T1027.003 Steganography
T1027.004 Compile After Delivery
T1027.005 Indicator Removal from Tools
T1027.006 HTML Smuggling
T1027.007 Dynamic API Resolution
T1027.008 Stripped Payloads
T1027.009 Embedded Payloads
T1027.010 Command Obfuscation
T1027.011 Fileless Storage
T1027.012 LNK Icon Smuggling
T1027.013 Encrypted/Encoded File
T1027.014 Polymorphic Code

Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.[1][2] In Linux systems, shared memory directories such as /dev/shm, /run/shm, /var/run, and /var/lock may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.[3][4][5]

Similar to fileless in-memory behaviors such as Reflective Code Loading and Process Injection, fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.[6]

Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of Persistence) and collected data not yet exfiltrated from the victim (e.g., Local Data Staging). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.

Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., %SystemRoot%\System32\Wbem\Repository) or Registry (e.g., %SystemRoot%\System32\Config) physical files.[1]

ID: T1027.011
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows
Contributors: Christopher Peacock; Denise Tan; Mark Wee; Simona David; Vito Alfano, Group-IB; Xavier Rousseau
Version: 2.0
Created: 23 March 2023
Last Modified: 04 October 2024
Version Permalink

Procedure Examples

ID Name Description
G0050 APT32

APT32's backdoor has stored its configuration in a registry key.[7]
S0631 Chaes

Some versions of Chaes stored its instructions (otherwise in a instructions.ini file) in the Registry.[8]

S0023 CHOPSTICK

CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.[9]
S0126 ComRAT

ComRAT has stored encrypted orchestrator code and payloads in the Registry.[10][11]

S0673 DarkWatchman

DarkWatchman can store configuration strings, keylogger, and output of components in the Registry.[12]
S0343 Exaramel for Windows

Exaramel for Windows stores the backdoor's configuration in the Registry in XML format.[13]
S0666 Gelsemium

Gelsemium can store its components in the Registry.[14]
S0531 Grandoreiro

Grandoreiro can store its configuration in the Registry at HKCU\Software\ under frequently changing names including %USERNAME% and ToolTech-RM.[15]
S0256 Mosquito

Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname].[16]
S0198 NETWIRE

NETWIRE can store its configuration information in the Registry under HKCU:\Software\Netwire.[17]
C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors stroed payloads in Windows CLFS (Common Log File System) transactional logs.[18]
S1145 Pikabot

Some versions of Pikabot build the final PE payload in memory to avoid writing contents to disk on the executing machine.[19]
S0517 Pillowmint

Pillowmint has stored a compressed payload in the Registry key HKLM\SOFTWARE\Microsoft\DRM.[20]
S0501 PipeMon

PipeMon has stored its encrypted payload in the Registry under HKLM\SOFTWARE\Microsoft\Print\Components\.[21]
S0518 PolyglotDuke

PolyglotDuke can store encrypted JSON configuration files in the Registry.[22]
S0650 QakBot

QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[23][24]
S0269 QUADAGENT

QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as HKCU\Office365DCOMCheck) in the HKCU hive.[25]
S0662 RCSession

RCSession can store its obfuscated configuration file in the Registry under HKLM\SOFTWARE\Plus or HKCU\SOFTWARE\Plus.[26][27]
S0511 RegDuke

RegDuke can store its encryption key in the Registry.[22]
S0496 REvil

REvil can save encryption parameters and system information in the Registry.[28][29][30][31][32]
S0596 ShadowPad

ShadowPad maintains a configuration block and virtual file system in the Registry.[33][34]
S0589 Sibot

Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.[35]
S0663 SysUpdate

SysUpdate can store its encoded configuration file within Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.[36]
S0665 ThreatNeedle

ThreatNeedle can save its configuration data as a RC4-encrypted Registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.[37]
S0668 TinyTurla

TinyTurla can save its configuration parameters in the Registry.[38]
G0010 Turla

Turla has used the Registry to store encrypted and encoded payloads.[39][40]
S0263 TYPEFRAME

TYPEFRAME can install and store encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.[41]
S0022 Uroburos

Uroburos can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.[42]
S0476 Valak

Valak has the ability to store information regarding the C2 server and downloads in the Registry key HKCU\Software\ApplicationContainer\Appsw64.[43][44][45]
S0180 Volgmer

Volgmer stores an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.[46][47]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.

Detection

ID Data Source Data Component Detects
DS0009 Process Process Creation

In Linux systems, monitor for newly executed processes from shared memory directories such as /dev/shm, /run/shm, /var/run, and /var/lock.[3]
DS0024 Windows Registry Windows Registry Key Creation

Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.
DS0005 WMI WMI Creation

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.

References

  1. Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.
  2. Legezo, D. (2022, May 4). A new secret stash for “fileless” malware. Retrieved March 23, 2023.
  3. Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.
  4. Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
  5. Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.
  6. Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.
  7. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  8. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  9. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  10. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  11. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  12. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  13. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  14. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  15. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  16. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  17. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  18. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  19. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  20. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  21. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  22. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  23. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  24. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  1. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  2. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  3. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  4. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  5. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  6. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  7. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  8. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  9. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  10. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  11. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  12. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  13. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  14. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  15. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  16. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  17. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  18. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  19. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  20. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  21. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  22. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  23. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.