https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/

Hello, Dave? Meet The First Fileless Malware

--

Our usual mental model of malware is a file that lands on disk and is then executed, whether as a script, raw code or an executable. Kaspersky has now documented a fileless technique that it had not seen used in the wild before. In the campaign it analysed, the dropper writes the encrypted shellcode of the next stage into the Windows event log in chunks, where it sits among ordinary log records rather than in a file. A separate launcher later reads those chunks back out of the event log, reassembles and decrypts them, and runs the result in memory, so the payload is never written to disk as a file that a scanner could pick up.

The shellcode first locates the Trojan, which is also stashed in the event log. It then resolves the Trojan's exported function “Load” by hash rather than by name: it walks the export table, computes the ROR13 hash of each exported name, and compares it with a hard-coded value. The string “Load” never appears in the shellcode, only its hash, which is a standard trick for keeping readable API and export names out of position-independent code:

Figure: Shell code [here]

ROR13 is a running hash over the bytes of the name. Starting from zero, for each byte we rotate the current 32-bit hash right by thirteen bits and then add the byte value. (In the Metasploit-style variant this script is taken from, the function name is processed as plain 8-bit ASCII; it is only the module name, such as KERNEL32.DLL, that is upper-cased and converted to 16-bit Unicode before hashing.) The rotate step is:

(dword >> 13 | dword << (32 - 13)) & 0xFFFFFFFF

The hash therefore accumulates the bytes of the name, each mixed in by the rotation, and the terminating NUL byte is fed through the loop as well. For “Load” this gives 0xE124D840 (without the NUL it would be 0x9B081C24). We can test with this Python program [here]:

# Some code extracted from https://github.com/iagox86/nbtool/blob/master/samples/shellcode-win32/hash.py
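The following is an added worked example, not code from the original post or from Kaspersky's report. It implements the ROR13 hash as the shellcode computes it (byte by byte, terminating NUL included), the Metasploit block_api convention of adding an upper-cased UTF-16 module-name hash, and a small resolver that does what the shellcode does against an export table: hash every exported name until one matches the hard-coded value. The export list is a constructed stand-in, not the real Trojan's exports.

```python
# Added example: reference ROR13 export-name hashing and hash-based export
# resolution. Not the original post's code and not Kaspersky's sample.
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str, include_nul: bool = True) -> int:
    """ROR13 hash of an export/function name, processed as 8-bit ASCII.

    For each byte the running hash is rotated right by 13 and the byte is
    added. Metasploit-style stagers (and the nbtool script the post borrows
    from) also feed the terminating NUL, which is why "Load" hashes to
    0xE124D840 rather than 0x9B081C24.
    """
    data = name.encode("ascii") + (b"\x00" if include_nul else b"")
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def module_hash(module: str) -> int:
    """Module-name hash, Metasploit block_api convention: upper-cased,
    hashed as UTF-16LE and including the two-byte terminator."""
    data = module.upper().encode("utf-16-le") + b"\x00\x00"
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def api_hash(module: str, function: str) -> int:
    """Combined module+function hash as emitted by Metasploit's block_api."""
    return (module_hash(module) + ror13_hash(function)) & MASK32


def resolve_export(export_names: list[str], target_hash: int) -> str | None:
    """What the shellcode does with the Trojan's export table: hash each
    exported name and return the first one matching the hard-coded hash.
    Returns None when nothing matches (the shellcode would have to bail out)."""
    for name in export_names:
        if ror13_hash(name) == target_hash:
            return name
    return None


# Constructed stand-in for an export name table; these are not the real
# exports of the sample described in the report.
SAMPLE_EXPORTS = ["DllMain", "Load", "Unload", "GetConfig"]

if __name__ == "__main__":
    print(f"ROR13('Load' + NUL) = 0x{ror13_hash('Load'):08X}")
    print(f"ROR13('Load')       = 0x{ror13_hash('Load', include_nul=False):08X}")
    print("export matching 0xE124D840:", resolve_export(SAMPLE_EXPORTS, 0xE124D840))
    # Metasploit-style combined hash, e.g. for resolving LoadLibraryA.
    print(f"kernel32.dll!LoadLibraryA = 0x{api_hash('kernel32.dll', 'LoadLibraryA'):08X}")
```

The same loop is what a detection engineer runs in reverse: precompute the hashes of interesting exports and APIs, then scan a shellcode blob for those 32-bit constants to recover which functions it resolves, since the names themselves are absent.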

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.