Fileless Malware: Scanning Endpoint Memory with Genetic Analysis

Written by Or Fridman


    Update January 2023: For the most recent information about our solutions for endpoint forensics and memory analysis, check out this blog.

    I am excited to announce the launch of a new Endpoint Memory Analysis solution, located within the Intezer Analyze platform. The Endpoint Analysis solution consists of a zero-installation scanner that analyzes every single piece of code running in a device’s memory, enabling users to quickly detect advanced in-memory threats such as malicious code injections, packed and fileless malware.

    The Endpoint Analysis solution enables organizations to automate the complex process of performing a memory analysis on every single alert. As I will present in this blog, modern endpoint protection products have their challenges. Blocking malware is not sufficient, because malicious code can still be running in a machine’s memory. Organizations must be able to detect advanced in-memory threats such as fileless malware, and until now the only real alternative was to perform a manual memory analysis on every single alert.

    Current Endpoint Memory Challenges

    According to a recent endpoint security report published by Cybersecurity Insiders, organizations are faced with the challenges of defending against new and increasingly sophisticated threats, such as fileless malware, advanced attacks and evasive threats. Organizations are reporting an increase in endpoint security risk, while feeling insufficiently prepared to combat new threats with existing endpoint security platforms.

    • 49% of respondents (ranging from technical executives to managers and IT security practitioners, spanning more than 10 industry verticals) stated they have insufficient visibility into what is happening on their endpoints.
    • 42% of respondents believe they do not have the capacity or expertise to build the solutions needed to respond to increasingly sophisticated threats.
    • 36% of participants feel they have good tools and processes in place but are concerned that threats are still slipping through their endpoints.
    • 57% of respondents stated that their existing endpoint security products are failing to stop an increasing number of threats.

    Filling in the Detection Gaps of Memory Forensics

    Many next-gen endpoint protection solutions are focused on guarding the “doors” of a device. These solutions are effective at preventing infected files or scripts from entering and running within an endpoint, searching for patterns such as remote access to memory or specific keys in the registry that will alert on anomalies or suspicious activity.

    However, even the most advanced antivirus and endpoint protection solutions can be bypassed, since they are based on anomaly detection, and malicious code can still be running in memory. Removing a malicious file or terminating its running process is not sufficient to ensure that a machine is entirely clean.

    Even further, malware detection techniques that are solely based on identifying specific behaviors in memory can unintentionally block legitimate software running on the machine. This can have an adverse effect on business continuity, particularly if machines are completely re-formatted, which happens often in these scenarios.

    Memory Analysis is Crucial for Detecting Advanced Threats

    Memory analysis is critical for detecting in-memory threats such as fileless malware. The Intezer Analyze Endpoint Memory Analysis solution scans the inside of the device, rather than just the “doors”. Scanning every single piece of binary code running in a machine’s memory can detect sophisticated threats like malicious code injections, packed and multi-stage malware.

    The point is not that endpoint protection solutions are ineffective. Guarding the “doors” has many advantages, including preventing suspicious files or scripts from running. However, there are ways around this: if an attacker wants to inject malware into memory, he or she can find a way to do so. Intezer’s Endpoint Analysis solution should not replace current endpoint protection products; it should be used alongside them to analyze suspicious endpoints and leverage the value of being able to identify malicious code in memory.

    Automation and Lowering the Skills Barrier for Memory Forensics

    Conducting a memory analysis is a manual process. It is incredibly complex, requiring time and advanced skills that almost no organization has available.

    What makes Intezer’s Endpoint Analysis solution so unique is that it automates the memory analysis process, quickly (five to ten minutes) identifying all malicious code running in memory, on every single alert. This is valuable for security operations center (SOC) and incident response (IR) functions dealing with a large volume of daily alerts. Automation can save these teams precious time, helping them to prioritize alerts and quickly respond to a greater number of potential threats.

    How Does the Endpoint Analysis Solution Work?

    • Scan: Upon an alert triggered by your SIEM, or by a proactive decision, the agent-less scanner (currently Windows-based) will automatically scan the suspicious endpoint to collect running code from memory. The scanner collects only executable code, not documents or other data that is not binary code.
    • Analyze: The collected modules are analyzed using Genetic Analysis technology, sifting through every single piece of binary code running in memory.
    • View the Results: Intezer Analyze provides the endpoint analysis report, including:
      • The verdict (whether the endpoint is infected or not)
      • Classification (if infected, what is the threat?)
      • Code and string reuse
      • Process tree of the relevant findings
    • Respond: Intezer Analyze provides IOCs and information for responding to the incident, including YARA rules and, for every infected module, a file hash and path for remediation.
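    The Scan step above collects only executable regions and later asks whether code was injected or file-backed. The following is an added illustration of that collection heuristic, not Intezer's scanner code: it parses constructed Linux /proc/<pid>/maps-style lines (the product itself is Windows-based), keeps only executable regions, flags anonymous executable memory as an injection candidate, and hashes a dumped region for the report.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Sample /proc/<pid>/maps lines, constructed for this example (not captured
# from a real host). Fields: address range, perms, offset, dev, inode, path.
SAMPLE_MAPS = """\
55d1c3a00000-55d1c3a21000 r-xp 00000000 08:01 1310722 /usr/bin/example-app
55d1c3c20000-55d1c3c22000 rw-p 00020000 08:01 1310722 /usr/bin/example-app
7f2a10000000-7f2a10021000 rw-p 00000000 00:00 0
7f2a20000000-7f2a20005000 rwxp 00000000 00:00 0
7f2a30000000-7f2a30010000 r-xp 00000000 00:00 0                          [vdso]
7f2a40000000-7f2a401b0000 r-xp 00000000 08:01 2621441 /usr/lib/libc.so.6
7fff5e000000-7fff5e021000 rw-p 00000000 00:00 0                          [stack]
"""

MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str        # backing file, or "" for anonymous memory
    injected: bool   # executable but not backed by a file on disk

def parse_maps(text: str) -> List[Region]:
    """Keep only executable regions (code, not data) and flag anonymous ones."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m or "x" not in m["perms"]:
            continue  # skip unparseable lines and non-executable regions
        path = m["path"].strip()
        # Kernel pseudo-mappings such as [vdso] are not injected payloads.
        anonymous = m["inode"] == "0" and not path.startswith("[")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], path, anonymous))
    return regions

def injected_regions(text: str) -> List[Region]:
    """Executable regions with no file backing: candidates for injected code."""
    return [r for r in parse_maps(text) if r.injected]

def region_hash(data: bytes) -> str:
    """SHA-256 of a dumped region's bytes, usable as an IOC in the report."""
    return hashlib.sha256(data).hexdigest()
```

    A real scanner would also read the flagged region's bytes from the process and pass them to the analysis stage; here only the map parsing and hashing are shown.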

    How Can I Get Started?

    Not an Intezer Analyze user? You can learn more about our free community edition here. In addition to file analysis (users can upload 10 samples per day to detect code reuse in trusted and malicious software), community users get a two-week trial of our advanced features for incident response automation, including the ability to scan live endpoints for memory forensics.

    Examples
    From January through March, Intezer launched a beta program, enabling users to access the Endpoint Analysis solution and to provide their feedback. In this section I will highlight a few of the malicious examples users detected on their endpoints using Genetic Malware Analysis.

    Emotet
    Emotet is a common banking trojan. In one instance a user detected an injected Emotet module on his or her endpoint. The analysis is shown below:

    • Verdict: After running the scan Intezer Analyze detected the endpoint was infected with Emotet.
    • Key findings: Located on the left-hand side, the analysis report includes a list of key findings identified from scanning the code in the endpoint’s memory.
    (Figure: Emotet code found in endpoint memory)
    • Code Reuse and Process Tree: The analysis report identifies code reuse with previously seen malware and a process tree that provides context, such as where the malicious code was identified. For example, was the code injected, located within a file, or introduced through a replaced module?
    (Figure: Code Reuse and Process Tree)

    Cobalt Strike
    The example below demonstrates how a user detected an injected Cobalt Strike module in their endpoint. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent on the victim’s machine.

    In the example below, the Endpoint Analysis scanner detected more than one malicious module injected into memory, further supporting the claim that it is not sufficient to only remove the malicious process.

    (Figure: Cobalt Strike injected by an attacker and detected with Intezer memory forensics)

    Try Intezer for free or book a demo to learn more.

    Or Fridman

    Or has 10 years of experience working in technology development and product management. As director of product at Intezer he oversees the development and execution of the company's product roadmap. Or began his career in cybersecurity through a programming course in the Israel Defense Forces (IDF) and later served as a developer and product manager for the unit. Prior to joining Intezer, Or was a product manager at CyberArk.
