ID | B0027 |
---|---|
Objective(s) | Defense Evasion |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 17 August 2023 |
Malware may install itself in areas other than the hard drive [1]. Other possible locations include the BIOS/Unified Extensible Firmware Interface (UEFI) firmware, which is embedded on a chip on the motherboard, and the graphics processing unit (GPU), where the malware is stored in the GPU's memory buffer (also known as VRAM) [2][3]. Volatile memory is a third possibility; malware installed there is known as “fileless.”
While the definition of fileless malware can be ambiguous, here it means malware that resides only in memory and not on disk; this definition does not preclude fileless malware from using files on the system. Microsoft [4] and Zeltser [5] have addressed this ambiguity by providing more context.
Name | ID | Description |
---|---|---|
Fileless Malware | B0027.001 | Stores itself in memory. This method is related to Unprotect technique U1205 and ATT&CK sub-technique Obfuscated Files or Information: Fileless Storage T1027.011. |
Registry Install | B0027.002 | Stores itself in the Windows registry. |
Name | Date | Method | Description |
---|---|---|---|
Kovter | 2016 | B0027.002 | Kovter stores malware files in the Registry instead of on the hard drive. [1] |
SYNful Knock | 2015 | B0027.001 | 100 memory-resident modules can be installed. [6] |
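A defender-side check for the Registry Install method (B0027.002) that the Kovter entry above illustrates. This is an added example, not code from MBC or from any of the cited analyses: it parses a Windows `.reg` export (the embedded sample is constructed, not real Kovter data) and flags values that are unusually large or high-entropy, which is how a payload stashed in the registry tends to look. The size and entropy thresholds and the function names are assumptions, to be tuned per environment.

```python
import math
import re
from collections import Counter

# Constructed .reg export (not real Kovter data): "Payload" is a 2 KB blob, the rest is benign.
_BLOB = ",".join(f"{(i * 37 + 11) % 256:02x}" for i in range(2048))
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n[HKEY_CURRENT_USER\\Software\\Example\\Settings]\n"
    '"Theme"="dark"\n'
    f'"Payload"=hex:{_BLOB[:39]}\\\n  {_BLOB[39:]}\n\n'
    '[HKEY_CURRENT_USER\\Software\\Example\\Other]\n"Small"=hex:00,01,02\n'
)

def parse_reg_export(text):
    """Yield (key, value_name, kind, data_bytes) for each value in a .reg export."""
    lines, key, i = text.splitlines(), None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, value = m.groups()
        while value.endswith("\\") and i < len(lines):  # hex data wraps with a trailing "\"
            value = value[:-1] + lines[i].strip()
            i += 1
        if value.startswith('"') and value.endswith('"'):
            yield key, name, "REG_SZ", value[1:-1].encode()
        elif value.startswith("hex:"):
            yield key, name, "REG_BINARY", bytes.fromhex(value[4:].replace(",", ""))

def shannon_entropy(data):
    # Bits per byte; 8.0 means uniformly random bytes (typical of encrypted or packed data).
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_suspicious_values(entries, min_size=1024, min_entropy=7.0):
    # Thresholds are assumptions: flag values that are large or look encrypted/packed.
    hits = []
    for key, name, kind, data in entries:
        reasons, ent = [], shannon_entropy(data)
        if len(data) >= min_size:
            reasons.append(f"large ({len(data)} bytes)")
        if len(data) >= 64 and ent >= min_entropy:
            reasons.append(f"high entropy ({ent:.2f} bits/byte)")
        if reasons:
            hits.append((f"{key}\\{name}", kind, reasons))
    return hits
```

On a live host the same checks can be run over a `reg export` of the hives of interest; binary blobs sitting under keys consulted at startup deserve the closest look.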
[1] labs.vipre.com. [Online]. Available: https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/#:~:text=Kovter%20copies%20the%20fileless%20persistence,written%20on%20to%20the%20filesystem.
[2] J. Glazova, "CosmicStrand: A UEFI Rootkit," Kaspersky, blog, 26 Jul. 2022. [Online]. Available: https://usa.kaspersky.com/blog/cosmicstrand-uefi-rootkit/26807/.
[3] I. Ilascu, "Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs," bleepingcomputer.com, 31 Aug. 2021. [Online]. Available: https://www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-hide-malware-in-amd-nvidia-gpus/.
[4] Contributors: D. Simpson, A. Lobo, A. Jupudi, D. Vangel, and C. Davis, "Fileless threats," learn.microsoft.com, 2 Jun. 2023. [Online]. Available: https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide.
[5] L. Zeltser, "The History of Fileless Malware – Looking Beyond the Buzzword," zeltser.com, blog, 12 Oct. 2018. [Online]. Available: https://zeltser.com/fileless-malware-beyond-buzzword/.
[6] B. Hau, T. Lee, and J. Homan, "SYNful Knock - A Cisco router implant - Part I," Mandiant.com, 15 Sep. 2015. [Online]. Available: https://www.mandiant.com/resources/synful-knock-acis.