In the world of security, there’s never a shortage of new or interesting threats looming just around the corner. Even though it appears that the focus right now is on ransomware and how to best recover from it, IT professionals should be aware of newer, stealthier attacks making the rounds worldwide—such as fileless malware.
With a marked increase in usage among threat actors, fileless malware couples nearly limitless attack vectors with low detection rates to remotely control systems, exfiltrate data or combine with other exploits to deliver multiple payloads while simultaneously erasing its tracks—including using anti-forensic tools—to remain completely invisible.
What is fileless malware?
Fileless malware gets its name based on the fact that unlike other malware types, where files are used to infect a host, the fileless version typically does not use any files. Instead, the malware code resides in RAM or the registry or propagates through the use of carefully crafted scripts, such as PowerShell, to infect its host.
Considered an advanced volatile threat (AVT), fileless malware is capable of exploiting vulnerabilities in a system or application without writing files to the local hard drive. It typically requires administrative rights to the target device, which may be obtained by exploiting a vulnerability or other attack for privilege escalation.
How does it work?
Once access has been granted, for example, PowerShell may be used to execute a hidden command against the system, which varies depending on the intended goal of the attacker and length of time in which the attack is to take place.
Since fileless malware does not rely on endpoints to sustain connectivity, the window of time available to execute an attack is unknown since the system could be rebooted at any time. Thus, the attack residing in memory could halt immediately. This has led threat actors to plant registry entries to aid in ongoing attacks by setting scripts to run even after a system has been restarted.
Why is it so difficult to detect?
Without a payload file to infect a system, antivirus software applications can’t generate a signature definition based on the malware file’s characteristics. This poses a problem, as the application simply does not know what to look for.
Adding to its detection difficulties is the fact that fileless malware uses the system’s own commands to execute the attack. For instance, using the netsh command to create a network connection, assign it a static IP address, and configure it to use a specific proxy IP address is a perfectly normal, built-in function of the Windows command. However, if a script runs on a computer that performs that function without a user’s knowledge, the newly created network connection could be used as a means to exfiltrate data from that system to another remote connection across the internet, all while having its traffic hidden from view through a proxy.
Where is it being used?
The good news is that while the use of fileless malware is gaining traction around the world, it is still not as commonplace as other attacks. The bad news is that use is on the rise and the primary industry being targeted by these types of attacks are financial institutions, likely due to its stealth and minimal footprint.
Even worse news is that fileless malware is flexible enough to allow itself to be strung together with other attacks for multiple payload delivery. Security researchers have already identified several threat actors that are pairing fileless malware with cryptographic modules for ransomware that is difficult to protect against or injecting malicious code bundled with malvertising.