Fileless malware that can evade traditional anti-virus programs means organizations must employ additional measures to monitor and secure their networks.
From crypto-ransomware and destructive malware to advanced persistent threats that exploit zero-day vulnerabilities, the malware threat landscape is ever-evolving.
Today, cybercriminals are adopting anti-forensic techniques originally developed by nation-states engaged in cyberwarfare and attacks on critical infrastructure networks. An emerging tactic they are increasingly adding to their repertoire to evade defenses is known as fileless malware.
Unfortunately, most of today’s solutions built to detect malware were designed to look at traditional file-based malware, leaving many organizations ill-prepared for this rapidly growing threat.
A Shift in Attack Methods
This year, the number of attacks and breach notifications identified as being caused by fileless malware has sharply increased. According to a recent Ponemon Institute report, fileless malware attacks are estimated to account for 35 percent of all attacks in 2018, as they’re almost 10 times more likely to succeed than file-based attacks.
Further, in ISACA’s report, “State of Cybersecurity 2018,” the organization reported an overall decrease in the number of reported ransomware attacks, but an increase in fileless attacks aimed at installing cryptocurrency mining malware.
Finally, banks and financial institutions are frequent targets of fileless attacks. A report recently released by Carbon Black found that fileless attacks now account for more than 50 percent of successful breaches of financial institutions.
So, what exactly is fileless malware, what is behind its sudden growth and how can organizations detect this threat before it does harm? Fileless malware is also known as “memory-based” malware because its malicious functionality does not reside in a file on an infected host. Rather, it usually injects code into a host’s random-access memory (RAM) and/or registry. Once injected, the code employs clever scripting to use a host’s native functionality for further exploits. This method of using an infected device’s native system functionality, a host’s legitimate applications or an organization’s IT administrative toolset for malicious purposes is called “living off the land.”
These attacks that live off the land are extremely stealthy since they don’t write any new files to the disk, making the malicious code effectively invisible to anti-virus programs. Rather, these fileless attacks employ functionality that is whitelisted by an organization’s security technologies.
For example, system administrators use PowerShell, a scripting and automation shell native to Windows operating systems, for a variety of legitimate tasks. Traditional detection methods may not flag fileless malware that resides in a computer’s RAM and uses PowerShell. Being fileless, there is also no file on disk from which a signature could be derived, which makes traditional signature-based detection unreliable.
Fileless malware is somewhat anti-forensic because it leaves no detectable trace of itself (i.e., a file) beyond its stealthy use of native functionality and whitelisted technology. On the other hand, this does present a risk to threat actors: If an infected machine is turned off, the fileless malware will generally cease to function. However, security experts have begun to observe some strains that employ a script stored in the Windows Registry that reinstates the malicious code once an infected device reboots.
Unlike the extremely targeted exploits for specific industrial control system firmware, which offer threat actors limited use, fileless malware is a flexible, adaptable tool. Many strains are designed to be effective in most enterprise IT environments that run Windows or Linux systems, for instance. Given its tendency to appear differently in every environment, fileless malware is among the most efficient types of polymorphic malware.
Fileless malware often includes custom scripting for multi-stage hacks. For instance, fileless malware code might enable the distinct tasks of escalating administrative privileges, establishing a connection back to the threat actor’s remote command and control server and exfiltrating data. It also can be used to install additional malware modules.
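The behaviours described above (PowerShell run with encoded commands and hidden windows, script hosts spawned through WMI or an Office application, and a Run key that relaunches a script after reboot) all leave traces in process-creation and registry telemetry even when nothing is written to disk. The following triage script is an added example, not code from the article or from any vendor it cites. It assumes Sysmon-style process-creation (event ID 1) and registry-value-set (event ID 13) records reduced to a handful of fields, and the sample events are constructed for the demonstration; the field names, the marker list and the thresholds are illustrative choices, not a standard.

```python
import base64
import ntpath
import re

# Binaries that commonly execute script or code handed to them on the command line
# or from the registry, i.e. the "living off the land" hosts the article describes.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Cmdlets and .NET members that typically appear when a script is pulled into
# memory and executed without ever being saved as a file (illustrative list).
IN_MEMORY_MARKERS = ("invoke-expression", "iex ", "iex(", "downloadstring",
                     "net.webclient", "frombase64string", "reflection.assembly")

# -EncodedCommand may be abbreviated; longest alternative first so "-enc" is not
# consumed as "-e". "-ep bypass" does not match because "p" is not whitespace.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16 text
        return None


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def triage_event(ev: dict) -> list:
    """Return the reasons a single event looks like fileless activity (empty if none)."""
    reasons = []
    if ev["id"] == 1:  # process creation
        image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits = [m for m in IN_MEMORY_MARKERS if m in decoded.lower()]
            reasons.append(f"encoded command decodes to {decoded!r}"
                           + (f" (markers: {', '.join(hits)})" if hits else ""))
        if HIDDEN_RE.search(cmd):
            reasons.append("script host started with a hidden window")
        if BYPASS_RE.search(cmd):
            reasons.append("execution policy bypassed on the command line")
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            reasons.append(f"{image} spawned by Office application {parent}")
        if parent == "wmiprvse.exe":
            reasons.append(f"{image} spawned through the WMI provider host")
    elif ev["id"] == 13:  # registry value set
        key, data = ev["key"].lower(), ev["data"].lower()
        if r"\currentversion\run" in key and any(h in data for h in SCRIPT_HOSTS):
            reasons.append("Run key persistence that launches a script host")
            decoded = decode_encoded_command(ev["data"])
            if decoded is not None:
                reasons.append(f"persisted command decodes to {decoded!r}")
    return reasons


def triage(events: list) -> list:
    """Collect findings per host; an event with no reasons is treated as normal activity."""
    findings = []
    for ev in events:
        reasons = triage_event(ev)
        if reasons:
            findings.append({"host": ev["host"], "event_id": ev["id"], "reasons": reasons})
    return findings


# Constructed sample telemetry; none of these records come from a real incident.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},  # benign admin use
    {"id": 1, "host": "ws02", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc "
                + encode_command("Invoke-Expression $stage")},
    {"id": 1, "host": "ws03", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 13, "host": "ws02",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": "powershell.exe -w hidden -enc " + encode_command("Invoke-Expression $s")},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["host"], finding["event_id"], "; ".join(finding["reasons"]))
```

The first record is deliberately left unflagged: PowerShell launched from the desktop with a plain command is the everyday administrative use the article mentions, and a detector that fires on every PowerShell start would be ignored within a week. The value lies in combining parent process, window and policy flags, and the decoded command, which is why each reason is kept separately rather than reduced to a single score.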
Protecting Against Fileless Malware
Given the difficulty of identifying fileless malware, organizations need to alter their approach. They should look beyond just standard anti-virus and endpoint detection technologies.
While traditional anti-virus programs will miss fileless malware attacks, there are a few cyberhygiene steps organizations can take to reduce their vulnerability.
First, remember that many of the fileless malware attacks identified over the past 18 months used Microsoft PowerShell or Windows Management Instrumentation (WMI). Organizations can cut off these entry points by disabling PowerShell and WMI.
Second, IT security analysts should periodically review security logs for evidence of abnormal amounts of data leaving the network. This could indicate a fileless malware breach.
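Reviewing logs for "abnormal amounts of data leaving the network" needs a definition of normal, which is per host and changes over time. The script below is an added example, not part of the article: it takes daily egress totals per host, the kind of aggregate a SIEM or flow collector produces from firewall, proxy or NetFlow logs, and flags a day whose outbound volume exceeds a multiple of that host's median over the preceding week while also clearing an absolute floor. The sample totals, the hostnames, the window, the factor and the floor are all constructed or chosen for the demonstration.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000


def per_host_series(records):
    """Group (day, host, bytes_out) records into a per-host list ordered by day."""
    series = defaultdict(list)
    for day, host, nbytes in records:
        series[host].append((day, nbytes))
    for host in series:
        series[host].sort()
    return series


def find_egress_anomalies(records, window=7, factor=5.0, floor=50 * MB):
    """Flag days whose egress exceeds `factor` times the median of the prior `window`
    days and also exceeds an absolute `floor`, so that quiet hosts do not trigger on
    noise. The median is used rather than the mean so one earlier spike does not
    inflate the baseline and hide the next one."""
    findings = []
    for host, points in per_host_series(records).items():
        for i in range(window, len(points)):
            day, nbytes = points[i]
            base = median([b for _, b in points[i - window:i]])
            if nbytes > floor and nbytes > factor * base:
                findings.append({"host": host, "day": day, "bytes": nbytes,
                                 "baseline": base,
                                 "ratio": round(nbytes / base, 1) if base else float("inf")})
    return findings


def build_sample():
    """Constructed daily egress for three hosts over eight days (not real traffic):
    ws01 is steady, ws02 is steady until a large spike on day 8, and ws03 is a
    quiet host whose day-8 increase is large in ratio but small in absolute terms."""
    records = []
    for day in range(1, 9):
        date = f"2018-09-0{day}"
        records.append((date, "ws01", (140 + 3 * day) * MB))
        records.append((date, "ws02", (210 - 2 * day) * MB if day < 8 else 4_200 * MB))
        records.append((date, "ws03", 2 * MB if day < 8 else 30 * MB))
    return records


SAMPLE_EGRESS = build_sample()

if __name__ == "__main__":
    for f in find_egress_anomalies(SAMPLE_EGRESS):
        print(f"{f['host']} {f['day']}: {f['bytes'] / MB:.0f} MB out, "
              f"baseline {f['baseline'] / MB:.0f} MB, {f['ratio']}x")
```

With the defaults only ws02 on day 8 is reported. ws03 rises fifteen-fold but stays under the floor, which is the intended trade-off: dropping the floor to zero surfaces it as well, at the cost of alerts on every small host that installs an update. Whichever thresholds are chosen, a flagged host is a lead for the endpoint triage described earlier, not a verdict on its own.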
While these tools and procedures can help mitigate some of the risk, they simply can’t cover every network device, application and mobile/IoT device. Organizations should therefore consider network detection as an additional layer of defense. Network-based solutions provide organizations the ability to detect and contain fileless malware before it gets to the host, while endpoint tools can provide the final line of defense.
By combining endpoint and network detection, organizations will be able to outsmart these stealthy fileless threats and significantly mitigate potential damage from a cyberattack.