Cybersecurity threats have proliferated for years, and that shows no sign of stopping. One estimate, for example, is that damages due to cybercrime will hit $10.5 trillion by 2025.
One especially pernicious threat gaining new popularity: fileless malware.
Fileless malware attacks are particularly dangerous because, unlike traditional malware, they involve no files to scan — and therefore are harder to detect by conventional endpoint protection tools.
This article unpacks what fileless malware actually is, how bad actors launch fileless malware attacks, and how you can protect your data from these threats.
What Is a Fileless Malware Attack?
Malware (short for “malicious software”) is any intrusive software that can infiltrate computer systems to damage or destroy them or to steal data off of them. The most common types of malware attacks include viruses, worms, Trojans, and ransomware.
Most malware attacks are file-based. This means threat actors use executable .doc, .zip, or .pdf files embedded with malicious code. The goal is to fool users into opening those files to introduce the malicious script into the organization’s network. The malware can then steal passwords, delete files, lock computers, pilfer data, and so forth.
In contrast, fileless malware has no such file that users need to activate. Instead, this “memory-resident malware” operates from a victimized system’s memory. It also leverages existing vulnerabilities in a software program to infect it, take control, or steal data.
Moreover, this malware can successfully achieve its goals even if the victim does nothing more than click on a malicious link or unknowingly visit a compromised website — usually following a phishing email or social engineering attempt.
Yet another challenge is that fileless malware makes forensics difficult because it simply disappears when the infected system is rebooted.
According to the Internet Security Report for Q4 2020, fileless malware attacks in 2020 surged by almost 900 percent over 2019, suggesting that fileless malware attacks are surging in popularity as an attack tool.
Common Targets for Fileless Malware
Although fileless malware didn’t really come into its own as a serious threat vector until 2017, it’s actually been around for much longer. Early examples include:
- Number of the Beast
- The Dark Avenger
- SQL Slammer
One of the most high-profile data breaches of 2017 — the Equifax breach that exposed the data of 147 million people — was also the result of a fileless malware attack.
Fileless malware leverages trusted, legitimate processes running on the operating system to attack a victim system. Many attacks leverage standard Microsoft Windows processes and safe-listed applications such as:
- Windows Management Instrumentation (WMI)
Macros are another common threat pathway for fileless malware attacks.
How Does Fileless Malware Work?
Considered a “low-observable characteristics (LOC) attack,” a fileless malware infection goes straight into the machine’s memory without touching the hard drive. It may then perform a malicious activity such as data exfiltration, credential theft, lateral movement, reconnaissance, privilege escalation, and the delivery of malicious payloads.
Types of Fileless Malware Attacks
Some major fileless malware threats that organizations should be prepared for are:
Reflective Self-injection (or Loading)
A reflective loading fileless threat loads a portable executable (PE) directly from the victim system’s memory. Since the malware doesn’t load from the hard drive, it isn’t registered as a loaded module within the process. Therefore, it leaves no footprints that can be traced later. PowerShell is a commonly used application to load crafted scripts for PEs and execute fileless malware attacks.
Reflective EXE Self-injection
In this type of attack, a function or script loads an executable (EXE) file. Like a PE, the EXE also doesn’t get registered as a loaded module in the process, leaving no trace. Threat actors often leverage a PowerShell script to inject an EXE into the PowerShell process itself.
Reflective DLL Remote Injection
A crafted function or script is again leveraged to load a DLL without getting registered as a loaded module. The injection happens into a remote process and is not detected by endpoint monitoring tools, allowing attackers to launch a stealthy attack.
Malicious Code Execution
Here, a threat actor tries to execute malicious shellcode using the DotNetToJScript technique. This fileless approach allows the attacker to load and execute malicious .NET assembly from the system memory along with the help of .NET libraries exposed via COM. No part of the malicious .NET DLL or EXE touches the computer hard drive, so it remains undetected.
5 Strategies to Prevent Fileless Malware Attacks
Fileless malware attacks have a high success rate because they leverage common system tools, software, and applications. Even worse, signature-based prevention and detection methods cannot identify or detect them, giving threat actors the freedom to cause more mischief.
Fortunately, one can prevent fileless malware attacks. The key is to leverage an active, holistic approach that incorporates multiple elements, including:
Fileless attacks originate at the endpoint, so it’s important to harden endpoints with security updates, patches, vulnerability remediation, and two-factor authentication. Advanced endpoint security solutions can provide vulnerability assessment, exploit and memory protection, and desktop firewall to further harden endpoints without affecting their functionality.
Blocking unauthorized applications and code from running on servers, desktops, and devices can lower the threat of fileless malware attacks. Further, a safe-listing security solution can separate the “good” software from the “bad” to prevent problems with accessing legitimate tools.
User behavior analytics (UBA) is a good way to identify hidden threats and increase the accuracy of security operations. UBA is also useful as a forensic analysis tool to investigate fileless malware attacks.
Interactive Threat Hunting
An endpoint detection and response (EDR) tool investigates unusual behaviors on endpoints. It also searches for and reveals footholds that may indicate an ongoing fileless attack.
Centralized Security Management
A unified platform that centralizes security management, monitoring, and control is essential to prevent fileless malware attacks. It streamlines security management through advanced visibility into the organization’s entire threat landscape.
Stay Safe From Cyber Risks and Fileless Malware Attacks With ZenGRC
The strategies discussed in this article are effective at preventing fileless malware attacks. Meanwhile, cyber threats are always evolving.
Any organization’s security toolkit should include a comprehensive threat detection and mitigation platform like ZenGRC. ZenGRC can detect fileless malware threats and strengthen cybersecurity to minimize risk exposure.
Contact us to talk to a cybersecurity expert at Reciprocity today to understand your organization’s vulnerability to fileless malware attacks and learn more about ZenGRC.