Fileless malware makes cyber attacks even more difficult to detect nowadays. Simple signatures are too easy for an intruder to circumvent. Cyber criminals can also program fileless malware to gain persistence after it has been written directly to RAM. Fileless malware is not a revolutionary approach; however, 2016 certainly saw a dramatic rise in this type of attack as criminals worked to perfect it. This talk is about triaging a system potentially impacted by fileless malware using memory analysis.
9. Malware becomes smarter
Encrypted network communications (C&C)
Persistence (auto-start)
Privilege escalation (run as admin)
Data exfiltration
Evades modern antivirus
23. Memory dump
VMware (Fusion/Workstation/Server/Player) — .vmem = raw memory; .vmss and .vmsn = contain a memory image (each snapshot has its own .vmem file)
Microsoft Hyper-V — .bin = raw memory image
Parallels — .mem = raw memory image
VirtualBox — .sav = partial memory image (the memory file only holds memory actively in use, not the entire amount of memory assigned to the virtual machine)
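Before handing any of these files to a memory-analysis tool, a responder usually inventories what was collected, hashes each image so findings can be tied to an exact file, pairs each VMware snapshot state with its own .vmem, and flags VirtualBox .sav files as incomplete. The script below is an added example written for this summary, not code from the talk; the file names it creates are constructed samples and the extension table is taken from the slide above.

```python
import hashlib
import tempfile
from pathlib import Path

# Extension -> (hypervisor, what the file holds), as listed on the slide
MEMORY_ARTIFACTS = {
    ".vmem": ("VMware", "raw memory"),
    ".vmss": ("VMware", "suspend state, contains memory image"),
    ".vmsn": ("VMware", "snapshot state, contains memory image"),
    ".bin": ("Hyper-V", "raw memory image"),
    ".mem": ("Parallels", "raw memory image"),
    ".sav": ("VirtualBox", "partial memory image, active memory only"),
}

def sha256_file(path, chunk=1 << 20):
    """Hash the image before analysis so findings can be tied to this exact file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(vm_dir):
    """One record per hypervisor memory artifact found directly in vm_dir."""
    records = []
    for p in sorted(Path(vm_dir).iterdir()):
        ext = p.suffix.lower()
        if not p.is_file() or ext not in MEMORY_ARTIFACTS:
            continue
        hypervisor, kind = MEMORY_ARTIFACTS[ext]
        rec = {"file": p.name, "hypervisor": hypervisor, "kind": kind,
               "size": p.stat().st_size, "sha256": sha256_file(p),
               "complete": ext != ".sav"}  # VirtualBox .sav is never the full RAM
        if ext in (".vmss", ".vmsn"):
            # each VMware snapshot/suspend state has its own .vmem with the same stem
            vmem = p.with_suffix(".vmem")
            rec["paired_vmem"] = vmem.name if vmem.exists() else None
        records.append(rec)
    return records

def build_sample_vm_dir():
    """Constructed sample directory (not a real VM) so the inventory can run offline."""
    d = Path(tempfile.mkdtemp(prefix="vm_triage_"))
    (d / "victim.vmem").write_bytes(b"\x00" * 4096)
    (d / "victim-Snapshot1.vmsn").write_bytes(b"snap")
    (d / "victim-Snapshot1.vmem").write_bytes(b"\x00" * 2048)
    (d / "victim-Snapshot2.vmsn").write_bytes(b"snap")   # its .vmem is missing
    (d / "victim.sav").write_bytes(b"vbox")
    return d
```

A snapshot state whose paired .vmem is missing, or a .sav record marked incomplete, is the signal to go back for a fuller acquisition before spending analysis time on a truncated image.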