Fileless Malware – What You Need to Know


September 20, 2017

Malware is getting ridiculous. All these new variants…its like a horror movie anthology that airs regularly on your local public access TV channel. Every week there’s something new to be afraid of. So…just when you thought it was safe to go in the water….bum bum buuuuuuuuuuum…Fileless malware!

Okay…you can stop rolling your eyes. Kidding aside, Fileless malware is a thing you should be very, very cautious of. It’s out there and it’s waiting to strike.

What is Fileless malware?

“Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM. It is part of the family that has been defined as an Advanced Volatile Threat (AVT).[1]

It does not write any part of its activity to the computer’s hard drive meaning that it’s very resistant to existing Anti-computer forensics strategies that incorporate file-based white-listing, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaves very little by way of evidence that could be used by digital forensic investigators to identify illegitimate activity.

As malware of this type is designed to work in-memory, its longevity on the system exists only until the system is rebooted.”

– Fileless Malware, Wikipedia

Let’s break down how traditional malware gets deployed and detected on your end-p0int (if equipped with an anti-virus product) to get a better understanding of how fileless malware is different:

  • The infection places files on the hard drive
  • The antivirus analyzes the malicious files (aka the payload)
  • If identified, the antivirus quarantines and/or removes the malicious files, keeping your computer safe.

The difference is very apparent. Fileless malware doesn’t have any files. That means fileless malware can’t be detected by typical means… ‍♂️

How Does Fileless Malware Work?

Fileless malware gets its name by not leaving files on disk. Instead, it stays memory resident and executes commands that already exist on the machine. Often, fileless malware uses a tool like PowerShell to coordinate attacks and uses a Meterpreter1 payload that employs in-memory DLL injection stagers to set up additional attacks.

Because fileless malware leaves no trace on disk, detection by standard antivirus (AV) tools, which often use signature files to identify static files on disk, is much more difficult.

Two families of fileless malware, Poweliks and Kovter, use similar techniques to infect a system. First, JavaScript code is written into the registry under the Run key along with an AutoRun entry that is used to read and decode the encoded JavaScript.

In the second stage of the attack, PowerShell is used to de-crypt and inject a malicious .dll into a standard Windows process. This technique allows the malware to stay resident in memory and evade traditional AV defenses.

Fileless, memory-based malware has been known for years in the security industry, but increasingly is being used for significant monetary gain. Several attacks detected over the past few months that rely heavily on PowerShell, open-source tools, and fileless malware techniques might be the work of a single group of attackers.

A few high-profile examples of recent fileless malware attacks include the semi-recent attack on the Democratic National Committee in 2016:

In that instance, the fileless malware injected itself into running processes to identify credit card data and copy it during a narrow window of opportunity before the data was scrambled. Approximately 110,000,000 records worth of payments, transactions, and other personally identifiable data were intercepted.

This attack was carried out almost entirely using PowerShell and Windows Management Instrumentation, a set of specifications from Microsoft for consolidating the management of devices and applications in a network. Detect and stop fileless malware with local endpoint artificial intelligence models, preventing these sophisticated cyber-attacks from ever being successful.

How You Can Protect Yourself

Ah, the million dollar question. Is there a way to protect yourself from fileless malware? The answer is yes.

We’ve said it before and we’ll say it again, as a Managed Security Services Provider, it’s up to us to help find solutions to our customers’ problems. Malware, in all it’s forms, is a big big problem.

It’s why we’ve partnered with Cylance , Cybereason and Zscaler.

How Cylance Protects You:

While most fileless attacks still rely on spam or spear phishing as the initial attack vector, we know that it is simply not realistic to block all email attachments in enterprise environments. Security controls should not be so restrictive that they compromise business operations, nor should they cause employees to attempt to circumvent them in order to carry out basic job duties like reading email.

CylancePROTECT uses multiple protection elements to stop this type of threat before it causes any damage. CylancePROTECT memory defense provides protection against process injection attack techniques, and the script control provides robust protection to prevent malicious scripts being used in concert with PowerShell.

How Cybereason Protects You:

Cybereason follows a four step process to help protect your from malware (both the fileless and standard malware types)

Collect – Silent sensors are quickly deployed on endpoints and servers collecting telemetry in real time. No reboots and no disruptions.

Detect -Cybereason’s Analytics Engine queries data at a rate of 8 million questions a second across the entire environment, augmenting your existing team with technology not more bodies.

Hunt – Their Hunting Team goes on the offensive, profiling your environment using our analysis platform to find the low and slow insidious activity missed from signature-focused tools and teams.

Report – Cybereason will present a comprehensive report of incidents, findings and recommendations to close gaps and improve your security posture.

The best thing about RansomFree from Cybereason? It’s free and you can download a copy of it for yourself right here.

Cybereason has a great video regarding the subject as well and we encourage you to watch it here.

How Zscaler Protects You:

The Zscaler service uses an industry-leading AV vendor for signature-based detection and protection so it can provide comprehensive anti-virus protection. In addition to anti-virus and anti-spyware blocking, the service uses “malware feeds” from its trusted partners; such as Microsoft and Adobe; as well as its own technologies to detect and block malware. 

The Malware policy applies globally, to all an organization’s locations. Zscaler recommends that you do not change the default policy.

Carl Keyser is the Content Manager at Integris.

Keep reading

What to Know Before Installing Copilot for Microsoft Word

What to Know Before Installing Copilot for Microsoft Word

Imagine having an AI assistant that pulls from your notes, marries them to an existing document format, and writes a document for you. That's the power of Copilot for Microsoft Word, which is planned for rollout in 2024 for those who buy the Copilot M365 license....

Bridging the Gap between Automation and Innovation

Bridging the Gap between Automation and Innovation

Automation and Innovation. Some people might say those two words cancel each other out. Yet, I believe these two concepts can create capacity for each other—if your business leverages the free time automation creates to foster innovation. Automation can be...