Fileless malware is software that uses legitimate programs to infect a computer. It is challenging to remove because it leaves no file footprint. Attackers know the anti-malware techniques organizations use and build sophisticated malware to evade those defenses. For security teams, it can feel like a game of whack-a-mole with the attackers.
Fileless malware has been growing in popularity since it first appeared. According to the WatchGuard report, fileless malware attack rates grew by 900% by the end of 2020 compared to previous years. This growth is partly because you cannot scan a file that is not there. While fileless malware is not entirely undetectable, it can bypass traditional security methods such as antivirus, whitelisting, and endpoint security, which makes fileless infections effective.
What makes fileless malware so dangerous?
Traditional security solutions such as antivirus use signatures to identify malicious code. Since fileless malware is not technically a file, it has no signature that security software can detect. You may think a behavioral approach would be more helpful, but fileless malware does not follow a fixed pattern of behavior either. In addition, attackers often combine fileless techniques with another type of malware to maximize their chances of success. Together, these characteristics make fileless malware very difficult to detect with traditional tools.
How do attackers deliver fileless malware?
Fileless attacks belong to a class of stealth attacks known as low-observable characteristics (LOC) attacks, which evade detection by traditional security methods. Fileless malware works similarly to a virus: it goes straight into memory without touching the hard drive. A fileless malware attack typically has several stages:
#1: Gaining Access
The attacker remotely exploits a vulnerability, or uses web scripting, to gain access to a system. The goal is a starting point for the attack.
#2: Stealing credentials
The attacker now tries to obtain credentials for the compromised environment, which enables them to move laterally to other systems in the environment.
#3: Creating persistence
The attacker modifies the registry to create a backdoor that will allow them to return to the environment anytime.
#4: Exfiltrating data
Attackers use the file system to gather data and prepare it for exfiltration. They copy it to one location, compress it, and upload it via FTP.
Common Fileless Malware Techniques
Fileless attacks may not need to install code, but that does not mean they rely on no other techniques to achieve their purposes. Attackers use several methods:
- Exploit kits: Exploit-based attacks usually begin the same way as other malware attacks, with a victim lured via social engineering or phishing. The difference is that multiple exploits are bundled into a single kit. Once the kit gains access to the system, attackers control it from a central console.
- Registry resident: an auto-installer that remains in the registry to support further intrusions. Because it stays on the system, it is somewhat easier for antivirus software to detect.
- Memory-only: because this malware resides only in memory, it acts as a backdoor that lets the attacker access the organization whenever they want, move laterally, and exfiltrate data.
- Fileless techniques in ransomware: ransomware operators are adopting fileless techniques to load malicious code directly into memory.
- Stealing credentials: stolen credentials are the starting point of most attacks today, and fileless attacks are no exception. Attackers use the credentials of an authorized user, usually one with a high level of permissions, which makes it easier to access the system. Once inside, they can steal data or move laterally to critical parts of the system.
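As an added example that is not from the original article, the following Python checks a set of registry autorun entries for the registry-resident persistence described in stage #3 and the registry-resident and memory-only techniques above: it flags values that launch a script host, pass an encoded command, embed inline script, or pull code from a remote source. The sample entries, value names, base64 blob and inline script are constructed, harmless placeholders.

```python
import re

# Executables that run code handed to them as arguments, from memory or from the
# registry, so an autorun entry built on them needs no malicious file on disk.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe"}
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.I)
REMOTE_SOURCE = re.compile(r"\b(https?|ftp)://", re.I)

def assess_autorun(command: str) -> list:
    """Return the reasons an autorun command looks like registry-resident,
    fileless persistence; an empty list means nothing suspicious was seen."""
    m = re.match(r'\s*"?(.*?\.exe)\b', command, re.I)      # executable, quoted or not
    head = m.group(1) if m else (command.split() or [""])[0]
    exe = head.rsplit("\\", 1)[-1].lower()
    if exe and not exe.endswith(".exe"):
        exe += ".exe"          # tolerate "cscript ..." written without the extension
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append("script-host")
    if ENCODED_FLAG.search(command):
        reasons.append("encoded-command")
    if INLINE_SCRIPT.search(command):
        reasons.append("inline-script")
    if REMOTE_SOURCE.search(command):
        reasons.append("remote-source")
    return reasons

def scan(entries) -> dict:
    """Map the value name of every flagged (key, name, command) entry to its reasons."""
    return {name: r for _key, name, cmd in entries if (r := assess_autorun(cmd))}

# Constructed sample of Run-key values, as an endpoint agent might collect them.
# The base64 blob and the inline script are placeholders, not real payloads.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -w hidden -enc QUJDREVGR0hJSktMTU5PUA=="),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Helper",
     "mshta.exe vbscript:Close()"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_AUTORUNS).items():
        print(f"{name}: {', '.join(reasons)}")
```

The same rules can be applied to process-creation events, where a script host started with an encoded or inline command is an indicator of attack rather than a file to scan.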
How to protect your organization against fileless malware
The difficulty in protecting a system against fileless attacks is that traditional antivirus and security solutions cannot detect them. Additionally, manual threat hunting for fileless attacks is tedious and time-consuming, because it requires gathering and processing large datasets.
Still, a proactive approach such as threat hunting is necessary to prevent fileless attacks. A managed solution removes the time-consuming and tedious work that manual threat hunting requires and improves response time.
The key to preventing and defending against fileless attacks is an integrated approach that addresses the threat lifecycle as a whole. For instance, you should rely on indicators of attack rather than indicators of compromise: indicators of attack are a proactive signal that an attack is already in progress.
Look for a solution that gives you visibility into what is happening in your system, either by discovering the techniques attackers use or by monitoring user activity. The solution also needs to be able to respond to a detected fileless attack by remediating the processes involved in the attack and isolating infected devices.
Successfully protecting against fileless attacks requires a holistic approach. A managed threat hunting solution can monitor the environment 24/7 and search for intrusions.