

The purpose of fileless malware is to ensure that a copy of the malware's code is not left on the file system. However, if the malware is transferred over the network, a full copy of the code may be included in network traffic logs. By extracting the fileless malware from traffic capture files, an incident responder can collect the information necessary for forensic analysis. The ability to examine malicious code is often a critical step in digital forensics and incident response: being able to examine the code and configuration information of a malware sample can help to determine the intended functionality of the malware, or how to interpret its command-and-control traffic in order to determine the scope of data exfiltration efforts.

Many fileless malware infections are implemented as multi-stage malware, where a Trojan (such as a malicious Word document) is used to infiltrate the system and later downloads the malicious code to be injected into a running process. Reflective DLL injection can accomplish this without saving a file to the filesystem, making the malware harder to analyze. Other options include the use of DLL injection and similar techniques that insert malicious code into a legitimate process. Regardless of the method used to make malware fileless, the important information about the attack is stored in network logs, and the ability to extract this downloaded malware from packet captures can be invaluable for incident response.
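As an added example (not code from the original text), the following stdlib-only Python script shows the step such extraction depends on: it parses a classic pcap, reassembles a TCP flow by sequence number, and carves out an HTTP response body that begins with the PE "MZ" magic. The IP addresses, ports and the fake PE are constructed sample values, and the pcap helpers assume the little-endian libpcap format with Ethernet framing.

```python
"""Reassemble a TCP stream from a pcap and carve out an HTTP-delivered PE (stdlib only)."""
import struct

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap file (used for the constructed sample)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def build_tcp_frame(src, dst, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame with zeroed checksums: enough for parsing, not for a NIC."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def iter_frames(pcap):
    """Yield captured frames; assumes the little-endian pcap magic that build_pcap writes."""
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]  # captured length of this record
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_tcp(frame):
    """Return (flow key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + ip_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return (frame[26:30], frame[30:34], sport, dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap):
    """Join each flow's segments in sequence order, so capture order and segmentation do not matter."""
    flows = {}
    for frame in iter_frames(pcap):
        if (p := parse_tcp(frame)) and p[2]:
            flows.setdefault(p[0], {})[p[1]] = p[2]
    return {k: b"".join(segs[s] for s in sorted(segs)) for k, segs in flows.items()}

def carve_pe_bodies(pcap):
    """Return HTTP response bodies that begin with the PE 'MZ' magic, one per reassembled flow."""
    streams = [s for s in reassemble(pcap).values() if s.startswith(b"HTTP/1.") and b"\r\n\r\n" in s]
    return [b for b in (s[s.find(b"\r\n\r\n") + 4:] for s in streams) if b.startswith(b"MZ")]

# Constructed sample: a fake PE served over HTTP, captured as two segments in reverse order
# and split one byte into the "MZ" magic, so per-packet carving would miss it.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(FAKE_PE) + FAKE_PE
SAMPLE_PCAP = build_pcap([build_tcp_frame(b"\x0a\x00\x00\x05", b"\xc0\xa8\x01\x07", 80, 49152, seq, RESPONSE[a:b])
                          for seq, a, b in ((1041, 41, None), (1000, 0, 41))])
```

Real captures add retransmissions, overlapping segments and TLS, which this reassembler does not handle; it is meant to show why stream reassembly, not per-packet inspection, is the basis for recovering a transferred payload.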
