What Hackers Know About Fileless Malware (And You Should Too)

Home » Cybersecurity Blog » What Hackers Know About Fileless Malware (And You Should Too)

fileless malware
Fileless Malware is one of the top cyber threats that can infiltrate your network and cause serious damage. Take a look at what hackers know about fileless malware and you should too. Read More

Fileless Malware is one of the top cyber threats that can infiltrate your network and cause serious damage. Take a look at what hackers know about fileless malware and you should too. 

What is Fileless Malware?

Fileless malware is malicious code that does not require using an executable file on the endpoint’s file system besides those that are already there. It is typically injected into some running process and executes in RAM. This makes it far more difficult for traditional AV and other endpoint security products to detect or prevent because of the low footprint and the absence of files to scan.

There are many ways to run code on a device without using executable files. These often utilize systems processes available and trusted by the OS.

A few examples include:

  • VBScript
  • Jscript
  • Batch files
  • PowerShell
  • Mshta and rundll32 (or other Windows signed files capable of running malicious code).

Another type of attack that is considered fileless is malware hidden within documents. Although such data files are not allowed to run code, there are vulnerabilities in Microsoft Office and PDF readers that adversaries can exploit to obtain code execution. For example, an infected document could trigger malicious PowerShell command. There are also a few built-in functionalities that allow code execution within documents, like macros and DDE.

How Does Fileless Malware Work?

Traditionally, AV and other endpoint security products have focused on files (executables) to detect and prevent malware. There are several advantages to this. Files can be hashed, queried in reputation services, examined by both static analysis and machine learning, and easily excluded for false detections.

But for many attackers, the name of the game is monetary gain: threat actors aim for cost-effectiveness, seeking the highest return for the least amount of effort. Yet the rewards for creating and delivering file-based malware diminish as soon as it ends up on public feeds. If the malware’s signature is detected two days after release, the attacker’s ROI (return on investment) may be significantly less than expected, or even negligible. Another reason fileless malware is compelling to threat actors is that security products cannot just block the system files or software utilized in these attacks.

Over the past few years, threat actors have increasingly turned to fileless malware as a highly effective alternative. Source

What Hackers Know About Fileless Malware

One of the reasons fileless malware is so compelling is that security products cannot just block the system files or software that are utilized in these kinds of attacks. For example, if a security admin blocked PowerShell, IT maintenance would suffer. The same applies to blocking Office documents or Office macros, which would likely have an even bigger impact on business continuity.

The lower footprint and lack of “foreign” executables to scan make it difficult for traditional AV and other endpoint security products to detect or prevent these kinds of attacks.

Enterprises understand that the lack of effective protection from fileless malware could leave their organization extremely vulnerable. As a result, security vendors came under pressure to address this growing threat and created all kinds of patches to claim (or demo) their “file-less attack” coverage. source

File-less Attacks

Fileless ransomware is a type of malware that does not rely on traditional file-based methods to infect a system. Instead, fileless ransomware uses malicious scripts or code that can be injected directly into memory or executed through legitimate application programs. This makes fileless ransomware more difficult to detect and remove, as there are no files left behind for security programs to scan and identify.

Fileless ransomware is often spread through phishing emails or malicious websites that exploit vulnerabilities in web browsers or other software programs. Once a system is infected, fileless ransomware can encrypt important files or steal sensitive information. In some cases, fileless ransomware can also give attackers remote access to an infected system.

Examples of Ransomware: 7 Cyber Security Trends To Fight Back

How to Protect Against Fileless Ransomware

There are several steps that can be taken to help protect against fileless malware attacks, including:

  • Keeping your software updated with the latest security patches
  • Using a reliable anti-virus or anti-malware program
  • Avoid opening suspicious email attachments or clicking on links in emails from unknown sources
  • Installing and running a firewall
  • Backing up important files and data regularly

PowerShell Attack Vectors

There are a number of different attack vectors that can be used to launch a fileless ransomware attack. Some of the most common include:

  • Malicious scripts or code embedded in email attachments or websites
  • Exploits that take advantage of vulnerabilities in web browsers or other software programs
  • Infected USB drives
  • Social engineering techniques that trick users into running malicious code

Some recent examples of fileless based attacks and exploits include Petya, WannaCry, Locky and many more.

Fileless Malware Detection Techniques

Unfortunately, many of these attempts to solve the problem are less than ideal. Here are some of the common solutions, and why they are inadequate:

  • Blocking PowerShell – as noted above, PowerShell has become an essential tool for IT teams and has largely replaced Microsoft’s old cmd tool as the default command-line utility. Blocking it would cause severe disruption to IT teams. More importantly, from a defensive point of view, blocking it would be futile: there are other ways to use it that bypass the PowerShell.exe block. To name a few:
    • Run PowerShell with dlls only with a simple rundll32 command using PowerShell.
    • Convert PowerShell scripts into other EXE files with tools like PS2EXE
    • Use malware that utilizes its copy of PowerShell.exe or modifies the local PowerShell to avoid recognition of PowerShell by security products
    • Embed a PowerShell script in the pixels of a PNG file and generate a one-liner to execute it using Invoke-PSImage
  • Blocking MS Office macro files – in an attempt to eliminate this attack vector, Microsoft added an option to disable macros as a site setting (starting in Office 2016). However, most environments still allow them, so security vendors have mainly tackled this in two ways:
    • Block macros across the board – this enforces the same restrictions being offered by Microsoft for organizations that can do without
    • Extract the macro code for static analysis or reputation checks – This can work in some cases. However, the shortcoming of this approach is that such code is extremely difficult to classify and detect within a tolerable false positive rate, especially for never-seen-before malicious macros. In addition, very few repositories of benign and malicious code exist. Another option is looking for common functions typically found in attacks, but again these are variable and not widely cataloged.
  • Server-side detection – Some products use agent-side monitoring only and make the decision on the server or in the cloud. This approach has the same disadvantages as any detection that does not happen on the

What can be done to mitigate such attempts?

The key is to look at the behavior of processes executing on the endpoint rather than inspecting the files on the machine. This is effective because, despite the large and increasing number of malware variants, they operate in very similar ways. The number of malware behaviors is considerably smaller than the number of ways a malicious file might look, making this approach suitable for prevention and detection.

The behavioral approach is extremely good at detecting and preventing this type of attack because it is agnostic regarding the attack vector.

How to Detect Fileless Malware

Through our Managed Detection and Response service, Cybriant’s security team monitors all activities on the agent-side at the kernel level to differentiate between malicious and benign activities. Since the agent already holds the full context: users, processes, command-line arguments, registry, files on the disk, and external communication, any malicious activity can be effectively mitigated completely. We can roll back all the bad deeds and allow the user to work on a clean device.

We help you waive the hidden costs of keeping your network clean from bad code, across your entire network.

To implement this approach effectively, Cybriant employs the concept of “Active Content”, which solves the problem of apportioning blame to the root cause of malicious activity.

For example, suppose a user downloads a malicious attachment via Outlook, which then tries to encrypt files on the disk. In this scenario, blaming and quarantining Outlook as the parent process would miss the true source of malicious activity. Instead, Outlook should be included as the source for forensic data to show but not mitigate against. You do, however, wish to mitigate the entire threat group, regardless of any additional files dropped, registry keys created, or any other harmful behavior.

Using Active Content lets us determine — and point the blame towards — the root cause of a given malicious flow, with or without a file, and allows the customer to handle the incident accurately. Source

Learn more about MDR from Cybriant