Analysis: Downloader with a twist


In this latest analysis, we will stay on the topic of fileless malware. Having dissected the Rozena backdoor in the last article, we have taken a peek into another malware that uses “fileless” techniques. Case in point: a downloader.

Downloaders are the bread and butter of malware authors as they can be used to place almost any payload on a victim’s PC. In most cases this is achieved using a small program that remains hidden on the harddrive. This downloader does things differently, especially regarding the way in which the User Account Control (UAC) is bypassed. The UAC feature in Windows usually ensures that any actions that require elevated privileges are greenlighted by the user. In a nutshell, the downloader writes several registry keys which are then used to run a legitimate process that has “System” privileges and is also under the control of the attacker. Paired with other tried and tested techniques such as obfuscation as well as the (ab)use of standard Windows tools, this makes for a powerful combination. This again goes to show that malware authors go to ever greater lengths to remain undetected, making proactive detection methods more than just marketing buzzwords. They become an absolute necessity. Because where there is no file, there can be no signature. 

More information

If you would like to know more, you can find the detailed analysis in the PDF linked below (will open in a new window).