When you get tricked by a phishing mail and open a document attachment that has a malicious macro or a link to a malicious site, or you download an infected application, there’s a file that antivirus software can scan as it’s saved to or opened from disk, and there’s a trail of file activity that you can look back at if you’re trying to review the damage done. To get around those protections, attackers are starting to use ‘fileless’ malware where the attacks run directly in memory or use system tools that are already installed to run malicious code without saving files that antivirus software can scan. (Note: This article about fileless malware is available as a free PDF download.)

That could mean tricking a user into running a script that executes a .NET binary directly from memory, like Sharpshooter which downloads the malware payload via the text records of DNS queries. Or it could mean sending malicious network packets that exploit the EternalBlue vulnerability and install the DoublePulsar backdoor in kernel memory. It could mean storing the malicious payload in the Registry as a handler for a file extension so it runs when you open a normal file with that extension. Kovter, for example, used that to download Mimikatz and steal credentials, putting the payload in a DLL that’s encoded into a string and run with a PowerShell command, installing a malicious PowerShell comment in the WMI repository and configuring it to run at regular intervals. The malicious code could even be in device firmware or a peripheral like BadUSB; that way, the payload can run in memory and keep coming back even if you reboot, reinstall Windows or reformat the disk.

SEE: Special report: Cyberwar and the future of cybersecurity (free PDF) (TechRepublic)

Fileless techniques can be extremely advanced, and they are harder for traditional antivirus software to detect. But not every advanced malware attack is fileless and throwing the term around doesn’t help organisations defend against it, Tanmay Ganacharya told TechRepublic. Ganacharya runs the Microsoft Defender threat research team, which analyses new threats and builds models to detect them. “Fileless is such an overused term, and it has gone from the truly fileless threats, to now people wanting to call almost everything that is even slightly advanced fileless and making it slightly buzzwordy,” he says.

To demystify the term, the threat research team started categorising fileless attacks based on how they get onto a PC and where they’re hosted. There are more than a dozen combinations of those ‘entry points’ and malware hosts being used for fileless attacks — some of which are very sophisticated and are rarely used for targeted attacks, and some of which have been commoditised and are showing up more often for common attacks like trying to run a coin miner on your system. But they fall into three broad groups.

“Type one is truly fileless, where the attack is delivered on the network or from a device, the payload is handled in memory and almost nothing touches the disk at all,” says Ganacharya. EternalBlue and BadUSB are truly fileless attacks — and they’re rare. “These are truly the most advanced attacks out there, but most of the attacks that get called fileless don’t belong in this group. This kind of attack and exploitation has been getting harder and harder, so it’s difficult for these to become commoditised.”

Type two is a little more common, Ganacharya says. Type two attacks do use files, but not directly, so they still count as fileless. “Think of scripts being used to launch attacks, whether it’s JavaScript or PowerShell. We see a few that target the MBR and try to render machines completely useless so they won’t boot. But they mostly use the registry and WMI and various other mechanisms like PowerShell to leverage some of the tools that are already present on the system to sequence setup activities.”

That’s called ‘living off the land’, and it’s hard to detect with standard antivirus tools because those legitimate tools don’t trigger warnings and the files malware does save are obfuscated and full of junk data that’s easy to change to create a new attack. You can’t clean it up by deleting files either, because you can’t just delete key parts of Windows like the Registry and the WMI repository.

The most common fileless attacks actually do use files, but they don’t run the attacks from those files directly. “Type three clearly start with a file whether it’s a document file with a macro in it, or a Java file, or Flash file, and sometimes even EXE files that drop certain files, but then persistence is fileless,” Ganacharya says. “So once the payload is dropped, the payload achieves persistence by either staying just in memory or staying in the registry and running from there.”

Many of those Type three attacks come from email, but the file attachments won’t show up as obviously malicious if an antivirus scans the files. “You don’t generally attach an EXE file, you attach a document with a macro and that links to another file and then that file goes and downloads the payload,” Ganacharya explains. VBA code doesn’t have a binary that antivirus software can scan, but it can load PowerShell scripts that download and run attacks.

How to detect fileless attacks

Since you can’t scan files to detect fileless attacks, you have to rely on scanning memory and spotting malicious behaviour. “You have to be able to scan injected modules in memory, because nothing ever touches the disk, and you have to be able to see as things get loaded into memory, whether it is a payload or shell code,” Ganacharya says. “You have to be able to see it, stop it and then kill the associated processes.” Extending that to cover the boot sector protects against boot sector attacks.

Behaviour monitoring spots malware that does malicious things, which includes all three types of fileless malware. Ganacharya: “Behaviour monitoring really applies across the board, right because anything that is fileless — whether it is fileless end to end or whether it has achieved fileless persistence — will have behaviour that indicates malicious activity. If it’s ransomware, it has to encrypt files, otherwise it’s not true ransomware, if it’s an info stealer it will have to steal some files or some information. So there will always be behaviours [to detect].”

To detect fileless attacks that rely on scripts, look for products like Microsoft Defender that use the Windows 10 Antimalware Scan Interface (AMSI) to check script behaviour at runtime.

“As script attacks and PowerShell attacks and VBScript-based attacks started growing, it became extremely difficult for security products to be able to deal with the many, many millions and billions and trillions of ways you can obfuscate something like JavaScript,” Ganacharya points out. “It’s so easy to obfuscate JavaScript and create variants of the same threat that don’t look similar at all. But for the JavaScript to run, the script engine has to obfuscate the code and create the sequence of instructions that it then executes.”

Any antivirus software can hook into AMSI and see that sequence — and as of September 2018 that includes Office macros.

“So instead of having to deal with a JavaScript file, or a PowerShell script file or Office macro code, and trying to reason on obfuscated content, as the script engine starts executing that content, it’s able to check inline with the installed antivirus whether the sequence of events represent malicious behaviour,” Ganacharya explains. “This made detections against JavaScript malware, PowerShell malware, any script-based malware extremely durable, because now we’re not in the cat-and-mouse game of trying to deal with the different ways JavaScript get can get obfuscated. We didn’t have to build heavy-handed parsers for all scripting languages that slow down end user machines: we just leveraged the script engine that’s on the machine that has to run anyway — and we’re able to see what’s happening and to stop it at the right point so that the actual malware never gets stood up.”

SEE: The Dark Web: A guide for business professionals (free PDF) (TechRepublic)

Microsoft Defender has already protected users against a lot of fileless malware through AMSI. Sharpshooter’s JavaScript is so heavily obfuscated that you can’t tell what it does by reading the code. But when the script starts running, it’s clear that it’s calling functions and passing parameters that start an application.

Defender also stopped a more recent and highly sophisticated attack using the Asteroth info stealer this summer, which was targeted at South America and attempted to steal credentials, keystrokes and other sensitive information using only existing tools in Windows in a sequence that’s hard even to follow with a diagram.

Here’s Ganacharya’s outline: “It tries to leverage existing components that shipped as part of Windows to help manage Windows and use them in sequence without having to drop a whole bunch of new content on the end user machine. So it’s an email with a ZIP file that has linked files in, which gets a BAT file, which runs WMIC, which goes and downloads an Excel file, which has super highly obfuscated JavaScript in it, which runs WMIC again, that goes and downloads another Excel file, uses Bitsadmin to then download a payload, uses Certutil to decode that payload, which is, eventually, a DLL, loads it, injects it, and then eventually tries to do the bad things that it does.”

Defender has behavioural detections for all the techniques used in this attack. “We actually blocked these attacks at the very first stage, but to show that not only do we detect the first stage, we detect all stages, we put the AV in audit mode and let it run and we saw that every single stage had a behaviour detection,” Ganacharya says. “We ended up saving every single machine that was targeted by this attack that was running Windows Defender, starting from patient zero.”

Endpoint detection and response tools like Defender are stopping fileless attacks, and you can see how attacks get detected using Microsoft Defender Advanced Threat Protection. But you should also be setting up attack surface reduction rules to disable functionality that you’re not using — like allowing Office apps to inject code into other processes, which is something a lot of ransomware exploits.

“Having Office apps create child processes is not common behaviour. There are a small handful of enterprises out there writing really complex macro code [that needs this] — and they should stop doing that!” Ganacharya warns. “But most organisations do not need this functionality enabled, especially not for departments like sales and HR and marketing where you don’t have a lot of engineers.”

The Locky ransomware used an email message with an Office attachment with a hidden formula that ran PowerShell to infect systems. “If you have just enabled the attack surface reduction rule that said block Office apps from creating child processes, you don’t have to worry that your solution has to be able to deal with all the things that are happening in these latter three stages — you will just stop the attack very early on, minimising damage in your network,” Ganacharya says.

“Just enabling attack surface reduction rules stops most of the zero days that were identified in the last year or so.”

Also see

Subscribe to the Microsoft Weekly Newsletter

Be your company's Microsoft insider by reading these Windows and Office tips, tricks, and cheat sheets. Delivered Mondays and Wednesdays

Subscribe to the Microsoft Weekly Newsletter

Be your company's Microsoft insider by reading these Windows and Office tips, tricks, and cheat sheets. Delivered Mondays and Wednesdays