JSLess: A Tale of a Fileless Javascript Memory-Resident Malware
Sherif Saad, Farhan Mahmood, William Briguglio, and Haytham Elmiligi

TL;DR
This paper presents JSLess, a novel fileless malware that leverages JavaScript and HTML5 features. It demonstrates the malware's ability to evade existing detection tools and highlights the need for improved detection methods.
Contribution
Introduces a new JavaScript-based fileless malware prototype that can infect any device supporting JavaScript and HTML5, exposing gaps in current detection techniques.
Findings
The malware bypassed all tested static and dynamic detection tools.
Existing detection methods have significant limitations against JavaScript-based fileless malware.
The paper discusses potential detection and mitigation strategies.
Abstract
New computing paradigms, modern feature-rich programming languages and off-the-shelf software libraries enabled the development of new sophisticated malware families. Evidence of this phenomenon is the recent growth of fileless malware attacks. Fileless malware or memory resident malware is an example of an Advanced Volatile Threat (AVT). In a fileless malware attack, the malware writes itself directly onto the main memory (RAM) of the compromised device without leaving any trace on the compromised device's file system. For this reason, fileless malware presents a difficult challenge for traditional malware detection tools and in particular signature-based detection. Moreover, fileless malware forensics and reverse engineering are nearly impossible using traditional methods. The majority of fileless malware attacks in the wild take advantage of MS PowerShell; however, fileless malware…
