Fileless Malware: The 'Undetectable' Threat Targeting Your Users
17 October 2017 00:00
Like many types of malware attacks, this threat can arise from a simple click of a link from an unsuspecting end user. The difference here though, is just how difficult it is to spot an infection.
You may have heard of ‘fileless malware’ under a different term - be it a “zero-footprint” or “non-malware” attack. But don’t be fooled, these two nicknames are practically misnomers, as a fileless attack often relies on a user downloading malicious attachment files, while leaving small traces on the computer which can be extremely discrete.
Fileless Malware: How it works
Before we delve into just how big of a threat fireless malware is, here’s a quick look at a step-by-step example of how cyber criminals use the technique:
Step 1: A user receives a typical spam email containing a link to a malicious website
Step 2: The unsuspecting user clicks the link
Step 3: They’re directed to the malicious website, which then loads Flash on their computer
Step 4: Flash, well-known for having vulnerabilities, opens Windows PowerShell (which can execute instructions through the command line while operating in memory)
Step 5: PowerShell downloads and executes a script from a command-and-control server
Step 6: The PowerShell script locates and sends the user’s data to the attacker
This technique leverages an operating system's built-in tools and capabilities to execute the malicious activity. The most common instances of fileless attacks are the abuse of Microsoft’s WMI and Powershell.
Why is it so difficult to detect?
Without a payload file to infect a system, antivirus software applications can't generate a signature definition based on the malware file's characteristics. This poses a problem, as the application simply does not know what to look for.
Adding to its detection difficulties is the fact that fileless malware uses the system's own commands to execute the attack. For instance, using the netsh command to create a network connection, assign it a static IP address, and configure it to use a specific proxy IP address is a perfectly normal, built-in function of the Windows command.
But if a script runs on a computer that performs that function without a user's knowledge, the newly created network connection could be used as a means to exfiltrate data from that system to another remote connection across the internet, all while having its traffic hidden from view through a proxy.
Why you and your business should care
Considered as an advanced volatile threat (AVT), the prevalence of this technique has increased dramatically as penetration testing tools such as Cobalt Strike and Metasploit have included Powershell modules.
The point-and-click nature of this capability coupled with the smaller malicious footprint on the end user has led to the rapid expansion and adoption of this style of attack from cyber-criminals.
The good news is that while the use of fileless malware is gaining traction around the world, it is still not as commonplace as other attacks. The bad news is that use is on the rise and the primary industry being targeted by these types of attacks are financial institutions, likely due to its stealth and minimal footprint.
Even worse news is that fileless malware is flexible enough to allow itself to be strung together with other attacks for multiple payload deliveries.
Security researchers have already identified several threat actors that are pairing fileless malware with cryptographic modules for ransomware that is difficult to protect against or injecting malicious code bundled with malvertising.
How to protect against an infection
When fileless malware first surfaced, it caused computers to run incredibly slow. Unfortunately for cyber criminals, this could act as a warning sign for users.
But, just like they always do, hackers rapidly enhanced their tactics and code to help fileless malware go unnoticed.
The best way to avoid an infection is to stop them before they happen. Here are four ways of doing just that:
- Apply security updates for your applications and OS - Old habits might be hard to kick, but you can't afford to delay security updates these days!
- Block the pages hosting the exploit kit - To become infected, you have to reach the infected website that hosts the exploit kit. Use a proactive security product to block the page as soon as you reach it.
- Block the communication between your PC and the attackers' servers - By doing this, the attackers won't be able to retrieve the data collected from your PC, so data exfiltration attempts will be futile.
- Block the payload delivery - If you're adequately protected and your security suite knows that the exploit kit is trying to connect to malicious servers, it will stop the payload delivery.