Security

Fileless malware: The smart person's guide

Fileless malware uses system files and functions native to the operating systems to evade detection and deliver its payload. Learn more about this invisible threat and the best approach to combat it.

Typical malware detection software functions based on signature detection or identifiable pieces of code that are unique to a particular type of infection. Other malware, such as ransomware, doesn't always leave a trace per se; however, through heuristics scanning, the behaviors specific to ransomware may be detected and halted, allowing users to take action to protect their data.

But how do you protect against an infection that does not have a signature that clearly identifies it or that performs a behavior that is out of the norm, such as encrypting hundreds of files per second? Furthermore, what can be done when the very commands and applications being called forth by the infection are native to the operating system and are used to perform actual management tasks?

These are characteristics of fileless malware, which is a type of malware that does not rely on virus-laden files to infect a host, but rather attacks a system from the inside to execute malicious code in resident memory. Its attack methods use stealth approaches to mask the commands it employs to not only keep access hidden, but also to conceal network traffic between infected hosts and remote command & control (C&C) servers, leaving a backdoor open for future malware attacks to occur.

This smart person's guide details what you need to know about fileless malware and the ways in which it operates, so that you may best protect against it.

SEE: All of TechRepublic's smart person's guides

Executive summary

  • What is fileless malware? Fileless malware is a type of malware infection that uses a system's own trusted system files and services to obtain access to devices while evading detection. It may be paired with other malware types to deliver multiple payloads.
  • Why does fileless malware matter? As malware continues to grow and evolve, the threats are becoming more sophisticated, and it is increasingly difficult to detect these threats, let alone stop them.
  • Who does fileless malware affect? Fileless malware is targeting corporate networks, particularly financial institutions. However, given that threat actors are pairing this with other forms of malware to deliver additional payloads, it is expected to grow into something that affects all computers users— personal and businesses alike.
  • When is fileless malware happening? Fileless malware, or memory-based malicious code that exists in RAM, has been around for quite some time. Though given some of the tools that are being used to manage systems, the invisible malware has seen a sharp increase in utilization in the past couple of years.
  • How do I avoid infection by fileless malware? Fileless malware infections are extremely hard to detect without forensic software to confirm the compromise. Businesses can implement strategies to minimize the exposure to infection, or at the very least, mitigate the spread of the infection to other devices on shared networks.

SEE: Download: 10 ways to minimize fileless malware infections (TechRepublic)

codeistock-521971811stevanovicigor.jpg
Image: iStock/stevanovicigor

What is fileless malware?

Fileless malware uses a system's built-in services, management commands, and applications to infect the host. By using the system's existing applications, a threat actor can leverage privilege escalation to execute commands used to manage the system (e.g., PowerShell) to create scripts that are run from the system's memory, making it appear as a normally running process that is virtually undetectable.

Attackers typically use these system commands to create hidden shares where they store scripts that have been used to compromise systems, such as creating network proxy connections; those connections are used to communicate with remote command & control (C&C) servers that are maintained by threat actors for additional payload delivery.

Additional resources:

Why does fileless malware matter?

Let's face it, malware is not going away anytime soon. And with the prevalence of threat actors using their technical capabilities to attack business and personal networks, any advancements that allow them to exfiltrate data, encrypt user data in exchange for a ransom, or otherwise prevent access to services means it will take more effort and resources to secure devices on networks.

Fileless malware is especially worrisome because the infection vectors could be anything, but the indicators of compromise (IOC) can vary from infection to infection and depend on the attacker's goal. Infections are defined as an Advanced Volatile Threat (AVT) that can persist in the infected machine's memory, the registry, or combined with additional payloads for more targeted attacks in the future, such as inclusion as part of a group's botnet.

Additional resources:

Who does fileless malware affect?

Fileless malware affects everyone that uses a computer. Based on attacks reported thus far, the main targets linked to compromises utilizing fileless malware have been networks in the financial sector. This is mainly due to the undetectable nature of the infection, which allows for stealthy data exfiltration to occur while leaving little trace the attack ever occurred.

Additional resources:

When is fileless malware happening?

Malicious code has existed for decades. Fileless malware is a relatively newer threat per se, but it's ultimately based on the concept of malicious code.

SEE: Video: Why organizations need ethical hackers now more than ever before (TechRepublic)

In recent years as malware attacks have increased, so have the tactics used by threat actors; fileless malware is one such tactic that has shown an increase in usage in the last couple of years. Given its adaptability to being joined with other types of malware for increasingly damaging payloads, recent stealth-based attacks paired fileless malware with ransomware to not only compromise a host, but also encrypt data and leave a backdoor for future attacks.

Additional resources:

How do I avoid infection by fileless malware?

Fileless malware is difficult to detect and, unfortunately, there is no surefire way to protect against it. There are several things to look out for that are based on a combination of known vectors of infection and the types of programs typically compromised to carry out attacks.

SEE: Computer Hacking Forensic Investigation & Penetration Testing Bundle (TechRepublic Academy)

Administrators and end users can work together to minimize the potential for infection, as well as mitigate exposure on affected systems. Follow this security plan:

  • Keep patches up-to-date;
  • Disable unnecessary services and program features;
  • Uninstall nonessential applications;
  • Install endpoint security;
  • Restrict admin privileges;
  • Monitor network traffic; and
  • Provide security training to end users.

Additional resources:

About Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...

Editor's Picks

Free Newsletters, In your Inbox