Windows 10 security: Here's how we're hitting back at fileless malware, says Microsoft

Microsoft tackles fileless malware derived from Google Project Zero researcher's script.
Written by Liam Tung, Contributing Writer

Microsoft has been working on an answer to some clever new techniques used in penetration-testing kits to bypass Windows Defender Advanced Threat Protection (ATP), its key security platform for protecting Windows 10 in the enterprise.

Microsoft reports that it has detected two instances of fileless malware used to deliver information stealers that run in memory without an executable file being written to disk.

Fileless malware is on the rise, thanks to freely available tools that can be used to improve defenses or launch an attack.

The malware Microsoft spotted relies on techniques from penetration-testing kit Sharpshooter, which generates payloads in multiple Windows formats and can avoid detection by enterprise anti-malware products.

Sharpshooter was released earlier this year by UK pen-testing firm MDSec, which employed techniques from Google Project Zero researcher James Forshaw's tool DotNetToJScript to develop its kit.

"The Sharpshooter technique allows an attacker to use a script to execute a .NET binary directly from memory without ever needing to reside on the disk," explains Andrea Lelli of the Windows Defender Research team.

"This technique provides a framework that can enable attackers to easily repackage the same binary payload within a script."


Notably, Sharpshooter also contains modules to defeat AMSI, the Microsoft interface that lets anti-malware products, including Windows Defender, inspect obfuscated scripts such as JavaScript and VBScript, the type of script used to deliver the fileless malware Microsoft says it caught. Attackers could deliver this malware by tricking a target into running the scripts.

But Lelli says that when Sharpshooter was published, Microsoft got ahead of attacks that might use the framework and "implemented a detection algorithm based on runtime activity rather than on the static script", specifically to detect threats derived from Sharpshooter.

"The detection algorithm leverages AMSI support in scripting engines and targets a generic malicious behavior, a fingerprint of the malicious fileless technique," writes Lelli.

"Script engines have the capability to log the APIs called by a script at runtime. This API logging is dynamic and is therefore not hindered by obfuscation: a script can hide its code, but it cannot hide its behavior. The log can then be scanned by antivirus solutions via AMSI when certain dangerous APIs (i.e., triggers) are invoked."
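The runtime logging Lelli describes, as an added toy model (not Microsoft's detection code; the fingerprint, API names and scripts are constructed for illustration): the engine logs each API call, a trigger API hands the log to the scanner, and an obfuscated script produces exactly the same log as the plain one.

```python
from typing import Callable, List, Tuple

# Constructed behavioural fingerprint (illustrative, not Microsoft's): a blob is
# decoded, staged in a memory stream and deserialised into a live object.
FINGERPRINT = ("Base64Decode", "MemoryStream", "Deserialize")
TRIGGERS = {"Deserialize"}  # "dangerous" APIs that hand the log to the scanner

class ScriptEngine:
    """Logs every API a script invokes; at a trigger API the accumulated log
    (not the script text) is passed to the scanner, as AMSI does."""
    def __init__(self, scanner: Callable[[List[str]], bool]) -> None:
        self.log: List[str] = []
        self.verdicts: List[Tuple[str, bool]] = []
        self.scanner = scanner

    def call(self, api: str, *args: object) -> None:
        self.log.append(api)  # records what was done, not how the source spelled it
        if api in TRIGGERS:
            self.verdicts.append((api, self.scanner(list(self.log))))

def amsi_scan(log: List[str]) -> bool:
    """Flag the log when the fingerprint appears as an ordered subsequence."""
    pos = 0
    for api in log:
        if api == FINGERPRINT[pos]:
            pos += 1
            if pos == len(FINGERPRINT):
                return True
    return False

def plain_script(e: ScriptEngine) -> None:
    e.call("Base64Decode", "<constructed blob>")
    e.call("MemoryStream")
    e.call("Deserialize")

def obfuscated_script(e: ScriptEngine) -> None:
    # API names are rebuilt at runtime, so a static scan of the source never
    # sees them; the runtime log is identical to plain_script's.
    for name in ("edoceD46esaB", "maertSyromeM", "ezilaireseD"):
        e.call(name[::-1])

def benign_script(e: ScriptEngine) -> None:
    e.call("MemoryStream")  # no trigger API, so the scanner never runs

def run(script: Callable[[ScriptEngine], None]) -> Tuple[List[str], List[Tuple[str, bool]]]:
    """Execute a script in a fresh engine; return its API log and scan verdicts."""
    engine = ScriptEngine(amsi_scan)
    script(engine)
    return engine.log, engine.verdicts
```

Both `plain_script` and `obfuscated_script` are flagged at the trigger, while `benign_script` never reaches the scanner at all.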

In this case, Windows Defender ATP, combined with AMSI, was able to detect two malware campaigns in June that used a VBScript based on Sharpshooter to deliver a "very stealthy" .NET executable payload.

The payload downloads the decryption key to unlock the core malware that executes in memory and is not written to disk.

Microsoft believes this attack, although it used real malware, was deployed as part of a penetration-testing exercise rather than an actual targeted attack.

Image: Microsoft says its Windows Defender ATP detected two Sharpshooter campaigns in June. (Image: Microsoft)
