Decoded: Fileless malware

Fileless malware attacks evade traditional detection methods and are on the rise – but there are ways to tackle them

By Tim Ferguson

Wed 2 May 2018 @ 16:43

I thought malware always arrived in a dodgy file attachment?

It does in general. But while most malware is delivered in a computer file, there is also a variant that operates exclusively in computer memory. This ‘fileless malware’ doesn’t need to be stored on disk to function – it uses existing software, applications and authorised protocols to carry out malicious activity.

It’s further evidence of the increasing sophistication of cyberattacks that is making it significantly harder to stop threats from entering corporate networks and devices.

So how does it work?

Fileless malware is often described as ‘living off the land’, as it exploits software already stored on the victim’s machine. And often that’s software integral to the computer system, meaning it can’t be removed easily.

Software commonly used by fileless malware includes web browsers and Microsoft Office applications. It also functions on operating systems tools such as PowerShell (which is used to automate administration tasks on Windows), Visual Basic (VB) scripts and Windows Management Instrumentation (WMI).

How does it get onto systems in the first place?

Fileless malware often finds its way into organisations via web browsers. For example, a user could visit a compromised page, which then uses Flash to instruct PowerShell to connect to a stealth command and control server where it downloads a malicious script.

Other entry routes include weaponised Word documents containing malicious macros that are often used as part of spear-phishing attacks. Other techniques include memory exploitation, as seen in the EternalBlue exploit used by the WannaCry and NotPetya attacks in 2017, and reflective DLL injection, which involves the loading of a malicious DLL file straight into a running process, without the need for a DLL file to be present on disk.

Why should I be worried about it?

One major reason is that traditional antivirus is set up to detect malware before it hits the network, but fileless malware evades those defences.

With other types of malware, the payload is stored on disk as an executable file or script before being unleashed. Antivirus software is designed to detect the creation of a file and check it for signatures of known malware. If malware is detected, the file is deleted or quarantined before it can execute and cause damage.

But existing security strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern analysis or time stamping just won’t pick up fileless malware.

A potential weakness of fileless malware is that, as it works in-memory, it should only remain on the system until it is rebooted. However, cybercriminals are now adding persistence to the malware code so that it resumes following a system restart.

It sounds like fileless malware is tricky to spot

It certainly raises the bar for digital forensic investigators. As they rely on digital artefacts to ensure chain of custody and produce evidence that is admissible in court, fileless malware gives them very little to go on. In addition, evidence for fileless malware can only be obtained from a memory image obtained from a live running system.

How widespread is it?

According to McAfee Labs, fileless malware is on the rise. The McAfee Labs threat report for Q4 2017 found that PowerShell-based malware grew by 267 per cent in Q4 2017, and by 432 per cent year-on-year.

And Kaspersky Lab’s ‘Fileless attacks against enterprise networks’ report, published in February 2017, implicated a number of fileless malware variants as existing on 140 enterprise networks globally, with banks, telcos and government organisations particularly targeted.

Have there been any high-profile cases?

There have been a few. PowerWare, a ransomware written in PowerShell, targeted organisations via Microsoft Word in 2016, while the hack suffered by the Democratic National Committee made use of the technique, triggering the attack via phishing emails.

McAfee also uncovered a fileless malware campaign called Operation Gold Dragon that targeted the 2018 Winter Olympics, which was described as “an exemplary implementation of PowerShell malware in an attack”.

What’s the best way to deal with this type of malware?

As a basic first step, regular system reboots are likely to deal with some fileless malware. However, this won’t deal with variants that persist when a system is restarted. User education will also be useful, as it should help limit the chances for fileless malware to get into networks via phishing emails or rogue websites.

Ultimately, the best approach is to use behavioural analytics, which monitor the activity of applications and services, including communications between processes, unauthorised requests to run applications, and changes to credentials or permission levels.

For example, while many of the processes involved in fileless malware entering a network via a web browser are normal in isolation, the fact they happen concurrently is less normal, meaning they can be flagged and shut down before damage is done.

As discussed previously, threats are going to find their way into corporate networks with perimeter defences no longer adequate to deal with all modern cyberthreats.

Fileless malware is particularly good at getting through these defences, but if organisations take the right steps to monitor network activity and behaviour, they stand a good chance of being able to detect and respond before the damage is done.