Malware is as old as computing itself. But as with all cyberthreats, it has evolved to be more effective and efficient. Fileless malware is one of the more pernicious threats to come along. In fact, it was identified as “the most common critical-severity cybersecurity threat to endpoints” for the first half of 2020.

What makes fileless malware so insidious is that it hides in a system’s RAM and effectively turns the computer’s operating system against the user by piggybacking on the tools that are part of their daily workflow. Worse, it thwarts traditional detection tools and methods because it has no identifiable code or signature.

Fileless malware is one of the most challenging threats businesses face today. Understanding what it is, how it works, and how to recognize such an attack is essential to mounting an effective defense.

What is Fileless Malware?

Finding malware exploits can sometimes feel like a game of Whac-A-Mole. No sooner is a malware signature identified, users notified, and patches applied, than a new exploit or a variation of an existing exploit appears.

What complicates things is that malware can also be “fileless.” There is no typical “.exe” binary file with a signature to be identified. Malware has typically used files that it makes resident on a target machine to carry out an attack, but a fileless malware attack does not touch the disk of the target. Instead, a hacker can leverage applications that are already installed on a computer, loading malicious code instructions only into memory.

Imagine opening a document that runs a macro or clicking on a website link to launch a video. That one action could cause, in one example, a malicious PowerShell script to be launched that might delete or damage files or launch the first stage of a more protracted and damaging attack.

The Rise of Fileless Malware

Fileless malware attacks aren’t new. In fact, this sort of malware has been seen for at least 15 years. The Lehigh virus was an example of this technique. The virus was carried in a maliciously altered DOS system file with the malicious code and the payload running in memory. It would run a command-line script to overwrite the boot sector of a machine, preventing the target from booting.

But recently there has been an alarming rise in fileless malware exploits. Fileless attacks grew by 256 percent over the first half of 2019, and that trend has continued, with fileless malware responsible for 30 percent of all detected indicators of compromise (IOCs) from January 1st to June 30th, 2020.

Businesses need to take this growing threat seriously because such attacks leave no detectable signature. Thus, they’re an ideal catalyst for advanced persistent threats where unauthorized users slip into a network unnoticed and implement their attack in phases over weeks or months to extract the maximum amount of data.

How Does Fileless Malware Work?

To understand fileless malware, it helps to contrast it with its more conventional form. In a typical malware attack, a user gets fooled into downloading an infected document or clicking a link to a fraudulent website, and a malicious file is written to the computer’s disk. That file can be detected during antivirus scanning, and it will leave a breadcrumb trail in the form of remnant code that you can follow to review its behavior and uncover any damage it may have done.

Fileless malware relies on stealth. Instead of writing a malicious file to disk, it hides in the system’s RAM where it can leverage authorized programs and processes to run its malicious code. Because antivirus tools look for file footprints and don’t scan memory directly, fileless attacks easily evade detection. 

Like conventional malware attacks, a typical fileless attack starts with a user action. The user downloads an infected attachment or clicks on a malicious link. From there, an exploit kit scans the computer looking for vulnerabilities to gain entry into the system. Once inside, fileless malware hijacks whitelisted applications and protocols like Java, Microsoft Word, and Adobe Acrobat, or native tools like Windows Management Instrumentation and Microsoft PowerShell. PowerShell attacks are one of the most common, accounting for 89 percent of fileless malware attacks. In one notorious example, Operation Cobalt Kitty, PowerShell was used to target an Asian company for nearly 6 months after a spear-phishing email was used to infect over 40 PCs and servers.

Once fileless malware has compromised one of these trusted tools, the attacker will leverage it to execute malicious code in the infected system. The attacker can then surreptitiously move through the network, compromising and exfiltrating critical data, using these “safe” applications to hide their presence. Once fileless malware gets a foothold in the system, it may try to remain there using persistence mechanisms like hiding malicious code in the system registry or using native tools like Windows Task Scheduler to automatically reinfect the system at predetermined times.

Hackers can employ these attacks to perform a range of malicious activities including encrypting and exfiltrating data and compromising other systems in the environment. The most critical thing to remember about fileless malware, though, is that it leaves no obvious footprint. How then do you discover and stop a fileless attack?

How to Detect Fileless Malware

Because fileless malware attacks target the trusted tools used daily by virtually every enterprise, they are exceedingly difficult to deal with. Effective defense and detection require a combination of old-fashioned prevention and cutting-edge technology.

The best way to handle such attacks is to not allow the malware into your systems in the first place. As with many threats, fileless malware relies in part on unpatched applications and software or hardware vulnerabilities to gain entry. Keeping on top of updates and patches is essential for limiting the number of potential entry points attackers can exploit.

Fileless attackers also use phishing and social engineering to deposit their payloads. That makes cybersecurity awareness training for your staff critical. Emphasizing basic security practices such as visiting only secure websites and training employees to exercise extreme caution when opening email attachments can go a long way toward keeping fileless malware at bay.

But in a threat landscape that changes rapidly, one hundred percent immunity from attacks is impossible. Since signature-, rule-, and scan-based detection is useless against fileless malware, looking for anomalous behavior is the best way to ferret out these threats.

Instead of looking for malicious files, behavioral analysis identifies out-of-the-ordinary and suspicious activity. A user accessing databases they have never touched before, or logging in at unusual hours, could indicate a compromise by fileless malware. An endpoint protection platform that uses machine-learning-driven behavioral analytics to learn what normal behavior looks like for users and applications in real time, and to flag suspect activity for further investigation, can prevent or limit the damage caused by fileless attacks.
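The behavioral tells this post describes (a document or browser application spawning PowerShell or WMI, PowerShell launched hidden or with an encoded command, and persistence through the Task Scheduler or the registry) can be scored directly from process-creation telemetry. The following is an added example, not Alert Logic code; the events are constructed here, and the field layout only loosely mirrors Sysmon Event ID 1.

```python
"""Behavioral triage of Windows process-creation events for the fileless-malware
tells described in the post. All events below are constructed samples, not data
from any real host."""
import re

# Constructed events: (parent image, child image, command line).
EVENTS = [
    ("explorer.exe", "winword.exe", '"C:\\Program Files\\Office\\winword.exe" invoice.docm'),
    ("winword.exe", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QUJDREVGR0hJSg=="),
    ("powershell.exe", "schtasks.exe",
     'schtasks.exe /create /tn Updater /tr "powershell.exe -w hidden -e QUJD" /sc hourly'),
    ("explorer.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("cmd.exe", "reg.exe",
     'reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /d "powershell.exe -enc QUJD"'),
]

# Applications the post names as hijacked "whitelisted" software, and the native tools abused.
DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "javaw.exe", "java.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe"}
# -WindowStyle Hidden / -w hidden, or -EncodedCommand / -enc / -e followed by a base64 blob.
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{8,})", re.I)


def triage(parent, image, cmdline):
    """Return the reasons an event looks like fileless tradecraft (empty list if benign)."""
    reasons = []
    p, i, c = parent.lower(), image.lower(), cmdline.lower()
    if p in DOC_APPS and i in LOLBINS:
        reasons.append(f"document app {p} spawned {i}")
    if i in LOLBINS and HIDDEN_OR_ENCODED.search(cmdline):
        reasons.append("PowerShell launched hidden or with an encoded command")
    if i == "schtasks.exe" and "/create" in c and any(b in c for b in LOLBINS):
        reasons.append("scheduled task created that runs PowerShell/WMI")
    if i == "reg.exe" and " add " in c and "\\currentversion\\run" in c and any(b in c for b in LOLBINS):
        reasons.append("Run-key persistence pointing at PowerShell/WMI")
    return reasons


def triage_all(events):
    """Map each suspicious command line to its reasons; benign events are dropped."""
    return {cmd: r for parent, image, cmd in events if (r := triage(parent, image, cmd))}


if __name__ == "__main__":
    for cmd, reasons in triage_all(EVENTS).items():
        print(f"{cmd[:60]}...\n  -> {'; '.join(reasons)}")
```

The plain `-File backup.ps1` launch from Explorer produces no finding, which is the point of behavioral triage: the tool is not the signal, the context it runs in is.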

Extended Endpoint Protection

Typical endpoint protection solutions use machine learning to generate models every 4 to 6 months to identify malicious files before they execute. The problem with this approach is that businesses must manage decreasing accuracy over time and deal with false positives.

In simple terms, it would be ideal if, before any application, binary, video, or other object executed, a very fast check could look for a known "goodware" or "badware" signature. If there is no signature, an automated check backed by responsive machine learning would then decide what to do.

Unlike solutions that generate models every 4 to 6 months to identify malicious files, Alert Logic Extended Endpoint Protection automatically gathers thousands of samples a day and uses machine learning to analyze these samples to improve coverage and accuracy.

Customers then transparently receive new models to get the best protection. The end result is fewer false positives because the model has already been trained with the specific software that customers are running.

From the perspective of the end-user, this protection adds 1/5 of a second to the time it takes to open an application. The negligible difference in performance is worth the added protection and probably beats Whac-A-Mole any day.

Alert Logic’s endpoint protection intelligently blocks attacks through a combination of machine learning, attribute analysis, and real-time behavior analysis, and provides deep CPU-level visibility without impacting performance. Our next-generation endpoint coverage dynamically combines machine-learning and behavior indicators to identify and block malicious techniques and malware in real time.
