John Kevin Sanchez , Threat Research Engineer , Trendmicro
Michael Jay Villanueva , Threat Analyst & Researcher , Trendmicro

Cybercriminals always find resourceful and creative ways to gain the upper hand. In our research, we have observed a new trend in some malware today. To be stealthier and efficient, cybercriminals are now using malware that effectively uses fileless techniques to perform their malicious routines. A fileless malware is different from typical malware since it does not necessarily need a file to execute its routines successfully. For persistence, fileless malware are executed directly in the memory of the infected computer, or it resides in the infected computer’s registry. Fileless malware usually do code injection in memory resident processes or it runs scripts in a legitimate application like Powershell to attack a target computer. With the advancing of fileless malware in the scene, cybercriminals are challenging us to be more creative in detection, as well as testing our capabilities in extending our protection to customers. For our prevention methods to be effective, we must completely understand the common and new techniques used by fileless malware to evolve into their fileless state. This paper discusses the evolution of the malware families Kovter and Gamarue, known to be Worms and Trojans, to being fileless. It also discusses similar techniques both malware families share with the more common fileless malware known as Poweliks. Both Kovter and Gamarue also manifested new and interesting behaviors in their fileless approach, utilizing unique techniques that effectively leave fewer footprints. Both malware families though incorporated component files in their malicious routines. These files somehow caused further confusion on the malware researchers in completing the analysis for each malware. Collecting all the necessary components shed us some light on the normal and harmless computer operations these cybercriminals can exploit and piece together to create a seemingly flawless malware flow. Based on all this, we expect that cybercriminals are constantly searching for new methods to be more stealthy and persistent. From the common fileless techniques, we are able to create new policies to protect systems from these emerging fileless threats. Moreover, we are also able to foresee the next steps cybercriminals will take to continue their use of fileless malware.

John Kevin Sanchez John Kevin Sanchez is a Threat Research Engineer for Trend Micro since 2016. He received his bachelor’s degree in Applied Physics from the University of the Philippines Diliman. His daily tasks include creation of malware reports from analysis of malicious samples. He is also capable of analyzing product logs and providing damage cleanup patterns to infected customers. He also contributes write-ups for TrendLabs Security Intelligence blogs. He is an avid sports fan most especially basketball. His favorite athlete of all time is Kobe Bryant. He enjoys playing video games and watching TV series and movies in his spare time.

Michael Jay Villanueva Michael Jay Villanueva started out his career in Trend Micro in 2015. He works as a threat analyst and researcher under the Core Technology team. During his career, he was able to analyze different threats, create malware reports and clean-up patterns for customers. He also contributes write-ups to TrendLabs Security Intelligence blog. Currently, he is focused in handling most of the Japan’s in-depth malware analysis request. He loves to sing and play different musical instruments like guitar and drums where he covers songs during his spare time. He also loves traveling and playing computer games. He holds a degree in Computer Science.