The Art of Fileless Malware

May 7, 2018 by

Pedro Tavares

Introduction

Malware has become a critical trend for companies around the world. We are looking at ransomware and other threats already lurking around the corner. It is right that the ability to innovate in cybercrime cannot be ignored, and the proof of this is fileless malware — a type of malware that can be executed without installing software on a victim's machine. Instead, built-in tools on Windows operating system (OS) are hijacked by cyber attackers and used to execute the attacks.

Fileless attacks are one of the tools of choice for hackers because of the imperceptible way they can infect systems with no trace. Within this scope, security firms reacted by improving their detection capabilities. Nonetheless, cyber attackers remain one step ahead of the defenders, this time shifting the approach to fileless techniques to remain undetectable.

According to Google Trends, by analyzing the last 5 years, in the year of 2017, there was another direction for fileless malware. Indeed, it has become a new trend in the cybercrime landscape.

Figure 1: Fileless Malware trend over the last 5 years.

However, fileless malware attacks are not new as many of the techniques have been around for a while. In-memory exploits, for instance, were prominent in the SQL Slammer worm from the early 2000s. Also, the recent Equifax breach is an example of a fileless attack that used a command injection vulnerability in Apache Struts.

Fileless Malware Anatomy

This threat does not require the download and execution of malicious files, and it is not associated with any particular attack vector. Instead, it can take advantage of zero-day vulnerabilities in operating systems or inject malicious code into memory from an application downloaded from an illegitimate website. Then, this technique takes advantage of default Windows tools, particularly PowerShell and Windows Management Instrumentation (WMI), and uses them for malicious activity. Also, applications that are already installed are used (such as web browsers or Office applications) to mask and spread malicious behavior.

The modus operandi of this threat is simple: use legitimate activity as a form to mask illegitimate activity. These attacks are destructive; they gain remote control over a system, extract data, or combine with other exploits, while erasing their traces, making them invisible to forensic tools.

Fileless malicious attacks can work as presented in Figure 2 below.

Figure 2: General flow of a fileless malware attack.

Impact on the Malware Detection and Analysis

As traditional malware is not used, there is no signature that antiviruses (AV) can detect, which considerably diminishes the effectiveness of endpoint protection solutions that companies have installed. These attacks reside almost completely in memory and use legitimate system administration tools to execute and propagate, making determining what's legitimate PowerShell use and what's attacker activity very challenging. Once fileless threats do not rely on endpoints to maintain connectivity, the attack time and their duration are also unknown, and the system can be rebooted at any time. Its high flexibility ensures that it can associate with others for greater ease of propagation.

The reason why sophisticated and modern cyber attackers have shifted their focus away from popular malware strategies is simple: traditional AVs and antimalware security solutions are not looking for where these malware attacks are going — a physical malicious file is not necessary anymore.

This means that traditional AV suites are increasingly obsoleted in the detection of "this family of computer malware" because they typically operate based on file signatures and behavioral analysis based on files stored on the infected machine.

Protection Steps

Although this new type of malware is undetectable, we will present it in a way that is not literally undetectable. In fact, it appears undetectable when compared to malware iterations that are today making headlines on the Internet. Notice that the steps below are not foolproof but provide a layered and systematic security approach that should minimize the risk of fileless malware attacks in organizations.

In this way, keeping operating systems and application software up-to-date is the first measure to be taken — stopping the vulnerabilities means closing the door to such attacks.

It also turns out to be effective the disabling of tools such as PowerShell or Windows Management Instrumentation, if the organization resigns to dispense them. Additionally, disabling all forms of macro executions is critical, as this prevents unsafe code from running on the system. However, if this is not possible, it may make sense only to allow authorized macros (for example, digitally signed) to ensure that the devices are protected.

Organizations should invest in active monitoring of endpoints, especially in solutions that have a heuristic component which uses behavioral analytics of the system, since in this way it is possible to detect possible deviations from the usual standard.

In sum, implement a security strategy in your organization, regularly check security logs for inordinate amounts of data leaving the network, look for changes in the system's usual behavior patterns when compared against baselines and, and go ahead, update your software regularly.

References

[1] https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless

[2] https://seguranca-informatica.pt/afinal-fuga-dados-da-equifax-um-impacto-ainda-maior

[3] https://www.csoonline.com/article/3227046/malware/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Get Started

[4] https://www.cybereason.com/blog/fileless-malware