Finding a fileless malware with Yara rules

Yara it’s been widely used by malwares researchers because of its simplicity to write the rules and the powerful of the results that it can achieve. It can scan a single directory or even the entire disk partition to search for a match of a rule.

To demonstrate what Yara can do, I wrote this single file pretending to be a malware. We can compile it and generate the file legit_file.exe.

Code of legit_file

If legit_file.exe be stored in any directory in the operating system, we can find it with the following Yara rule:

Executing Yara to use this rule in legit_file.exe we can see the result:

After executing this rule, we can see the match in legit_file.exe because this file contain the two strings of the rule. But executing the file directly in the disk is a practice that has been avoided by some malwares due to be easily detected by the security tools. One of the tricks that malware developers do to try to evade security tools is write the malware directly in the memory. This kind of malware is called fileless malware.

I’m saying “writing directly” because when you execute a program the file is loaded into RAM memory and after that the program gets the data from RAM, but it’s only has permission to get data from the memory region that it allocated.

Let’s suppose that the malware wants to evade detection and instead of execute directly in disk, it delivers another program and this program writes legit_file.exe into memory and after that delete the file of the disk. The code to write a binary file into memory can be seen below and was inspired by this post:

Code of teste

With the file stored only in memory we are unable to scan for it using Yara as we saw previously, but we can dump the memory to analyze the content. There are many softwares to capture memory and in this labs I used WinpMem due to its simplicity, and as the Windows machine used in this labs has just 1GB of RAM, the capture proccess took just 10 seconds.

So, we can use Volatility as usual to analyze the memory dump and we can use the Yara rule wrote previously because Volatility has a plugin that can be used to search for matches of a Yara rule in the captured memory. In the images below we can see the executed command and it result.

Result of the command executed with the Yara rule

Nice! Even stored in memory instead of in the disk we were able to find the malware using Yara with the same rule that was written to detect it in the disk.

It’s important to mention that this was only possible because the proccess teste.exe was running during the memory capture due to the fact that the Yara rules are scanned in the memory dump just among the running proccesses. That’s the reason why I put the while(1) in the line 29 in teste source code.

Security Researcher