Criminal hackers are stripping away the files that clothe malicious software and injecting code, commands and instructions for native Windows tools straight into your computer’s RAM to launch attacks undetected.
This stealthy approach lets fileless malware use each system it infects as a stepping-stone to the next one, moving deep inside your network. By applying detection and prevention capabilities that work together to fight the fileless threat, you can resist, or at least recover, and get back on your feet.
Fileless Malware Mechanics
Attackers traditionally install malicious software files on computer hard drives, which serve as the system’s primary data storage units. When the files begin to run, the commands, instructions and code in the file enter the RAM and start their evil work.
But fileless malware skips the first part, injecting itself straight into the RAM where it is immediately active; there is no file, and the malware never touches your hard drive. In this case, the commands and instructions are for native Windows tools such as PowerShell, and the code uses these tools to wreak havoc. It is hard for security software to detect fileless malware because malware scanners scour hard drives looking for infected files.
Fileless malware rides in on equally stealthy attack vectors: drive-by attacks when users visit infected websites; “malvertising,” where a bogus web ad spews the code onto your system; and phishing attacks that trick users into opening or clicking something in their email.
Fileless malware gains administrative control and leverages native Windows tools so that the attacks look like normal system behavior. For this reason, fileless malware can go undetected.
Fileless malware doesn’t stop there. It enables lateral movement as it leaps from one infected system to inject and infect the next one, gaining control of more computers as it makes its way across the network and into your most sensitive information. Fileless malware can steal data or permanently destroy your original data and your backups.
Detection and Prevention
Particular technologies work together to detect or prevent fileless malware:
- Telemetry collects remote measurements from systems and informs security vendors about fileless malware that gets past their defenses. Vendors can then update their products to address the threat.
- Threat intelligence builds on telemetry data and adds the context and instrumentation of the threat, indicators that confirm its presence, data and rankings on the threat’s likelihood and risk, and the security measures you can take. Threat intelligence tells software vendors how fileless malware succeeds so they can write patches that make systems resistant; PowerShell versions 5 and later, for instance, are resilient in the face of fileless malware. In-house, you can use threat intelligence to inform your security settings and system-hardening efforts.
- Heuristics is another essential component in fending off fileless attacks: it looks at what potentially malicious code does once it is activated. Security tools capture the code in a sandbox (a virtual machine that encases the code while the security tool experiments with it) and then blow it up (execute it) to see whether something malicious happens.
- Machine learning and End-User Behavior Analytics (EUBA) are the final tag team. Together they learn the baseline of normal user behavior and flag abnormal activity of the kind usually associated with fileless malware. They detect, for example, whether a supposed human being logs into systems and data at all hours of the day, as an automated attack would, or logs into departments where they don’t work.
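The behavior-analytics idea above, as an added example that is not part of the original article: a small Python detector learns each user's normal logon hours and departments from a constructed baseline log, then flags off-hours logons, logons outside the user's department, and machine-speed fan-out across several hosts, the lateral-movement pattern the article describes. The log format and all user, host and department names are constructed for the example.

```python
"""Baseline-driven user behavior analytics over constructed logon events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not from the article): "timestamp user host host_department"
BASELINE_LOG = """\
2024-03-04T08:55:00 alice FIN-WS01 finance
2024-03-04T13:10:00 alice FIN-FS01 finance
2024-03-05T09:02:00 alice FIN-WS01 finance
2024-03-05T17:40:00 alice FIN-FS01 finance
2024-03-04T07:30:00 bob HR-WS03 hr
2024-03-05T08:15:00 bob HR-WS03 hr
"""

# Constructed observed records: alice's account fans out across departments at 3 a.m.
OBSERVED_LOG = """\
2024-03-06T03:12:00 alice FIN-FS01 finance
2024-03-06T03:13:00 alice HR-FS01 hr
2024-03-06T03:14:00 alice ENG-FS02 engineering
2024-03-06T08:20:00 bob HR-WS03 hr
2024-03-06T09:05:00 alice FIN-WS01 finance
"""

def parse(log):
    """Turn one log line per event into (timestamp, user, host, department) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, host, dept = line.split()
        events.append((datetime.fromisoformat(ts), user, host, dept))
    return events

def build_baseline(events):
    """Learn, per user, the hours of day and host departments seen during normal activity."""
    base = defaultdict(lambda: {"hours": set(), "depts": set()})
    for ts, user, _host, dept in events:
        base[user]["hours"].add(ts.hour)
        base[user]["depts"].add(dept)
    return base

def find_anomalies(events, base, burst_window_s=120, burst_hosts=3):
    """Return (user, host, reason) alerts for events that deviate from the learned baseline."""
    alerts = []
    recent = defaultdict(list)  # user -> [(timestamp, host)] inside the burst window
    for ts, user, host, dept in events:  # events are assumed to be in chronological order
        prof = base.get(user)
        if prof is None:
            alerts.append((user, host, "unknown user"))
            continue
        if ts.hour not in prof["hours"]:
            alerts.append((user, host, "off-hours logon"))
        if dept not in prof["depts"]:
            alerts.append((user, host, "logon outside user's department"))
        recent[user] = [(t, h) for t, h in recent[user]
                        if (ts - t).total_seconds() <= burst_window_s] + [(ts, host)]
        if len({h for _t, h in recent[user]}) >= burst_hosts:  # too fast for a human
            alerts.append((user, host, "rapid multi-host logon burst"))
    return alerts
```

Feeding the baseline log back through the detector produces no alerts, which is the sanity check to run before trusting the baseline on live data.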
Beyond all this, vendors are already shopping for security tools that scan the RAM directly, looking for fileless attacks.
As fileless malware and lateral movement take intruders deep into your network, they may eventually call back across the internet to download additional malicious software files such as cryptographic tools to complete other nefarious tasks such as ransomware attacks.
For this reason, recovering from fileless malware attacks means patching both the vulnerabilities that let fileless malware in, and the imperfections that allow file-based malware to enter and do damage, too.
You should use the security tools you have across the enterprise to orchestrate detection and forensics end-to-end to determine where the infection has spread. You need to clean infections, block associated traffic and restore from safe, reliable backups.
Make Fileless Malware Homeless
Fileless malware is as insidious as it sounds. But that should only last as long as it takes to correct your security measures and posture, and give it the boot. That correction means updates to one or more existing security tools at least, and perhaps some new security mechanisms, as well as new patches and configurations wherever fileless malware finds a crack in your armor.