As the name suggests, fileless malware does not rely on any physical files being transferred and stored on the infected machine. Instead, fileless malware works by hijacking the functions of legitimate programs and services to carry out malicious actions.
This usually takes the form of process injections or registry tampering. Examples of fileless malware that are commonly encountered are:
- Kovter
- Poweliks
- Divergent
- LemonDuck
However, fileless malware can also be executed in memory via mundane, every-day programs like a web browser, PDF viewer, or spreadsheet software. In Windows environments, WMI (Windows Management Instrumentation) and PowerShell are common services hijacked for fileless attacks.
Malware files are usually the most obvious IoC (Indicator of compromise) that’s the easiest to detect with antivirus software or manually. The main motivation behind fileless attacks from an attacker’s point of view is that it eliminates the most obvious footprint.
Why Should Your Organization Be Concerned About Fileless Malware?
According to a report by Cisco, fileless malware was responsible for 30% of all detected IoCs from January 1st to June 30th, 2020. This probably means it was the most common form of attack against corporate endpoints.
The very nature of fileless malware also makes it a threat that should be taken seriously. Because it leaves behind very little evidence, it can only be detected by the most sophisticated security solutions. This increases the time to detect and delays any remedial actions – resulting in potentially catastrophic damage.
It’s the perfect launching pad for an APT (advanced persistent threat) attack that lies dormant within the compromised system. Attackers then lie in wait, either slowly trickling away precious data or waiting for opportunities to score big. It can also act as a springboard for future attacks.
How to Find, Remove, and Prevent Fileless Malware Attacks?
Luckily, methods of detecting and responding to fileless malware attacks have been well-documented. It’s more an issue of staying in accordance with best practices and having appropriate Incident Response (IR) in place.
Monitor the System Behavior
As mentioned, the most common fileless malware piggyback on legitimate, privileged processes such as PowerShell or WMI. Closely monitoring these services for unusual activity is usually the most effective way to detect fileless malware, for example:
- Remote command execution by PowerShell
- Elevating standard user privileges to administrator privileges without authorization
- Unfamiliar processes executing in main memory
- Suspicious modifications to Windows registry keys
- Certain event IDs captured in Windows logs
Rule-Based Detection
Fileless attacks most commonly spread over the internet via botnets that find vulnerable applications to hijack. These programs, such as Microsoft Office or a web browser then execute command-line or PowerShell commands at run-time. Rule-based detection might be able to detect when these types of executions are malicious instead of benign.
Other forms of detection, like making use of machine learning to study malware behavior and automate defense are becoming more widespread. Enterprise endpoint security software are relying on this method more and more.
Preventing fileless attacks altogether is much more challenging. A simple action, like opening an unsafe email or running a browser-based Flash application can trigger an infection. The most effective defense is a robust Incident Response process. This includes:
- High-quality and updated malware detection and remediation software
- An IR team on retainer or in-house
- Organization-wide awareness and training
- A standardized response plan with reproducible steps, e.g.:
In Conclusion
With the knowledge of how fileless malware works as well as how to find, remove, and prevent fileless malware attacks, it’s time to bolster your organization’s defenses against this stealthy and harmful type of exploitation.
References
Computer Security Incident Handling Guide
