What is fileless malware and how does it work?
Fileless malware is on the rise, and it’s one of the biggest digital infiltration threats to companies, according to Symantec’s 2019 Internet Security Threat Report.
The magnitude of this threat can be seen in the Report’s finding that malicious PowerShell scripts — one of the key components of fileless malware attacks — increased more than 1,000 percent in 2018 and accounted for 89 percent of fileless malware attacks.
Fileless malware uses your system’s software, applications and protocols to install and execute malicious activities.
How does fileless malware work? And what can you do to stop it from infiltrating your computer systems and stealing your personal information? Here’s some help.
What is ‘fileless’ malware?
Fileless malware is a type of malicious software that differs from many other malware threats. Here’s why.
Cybercriminals often seek ways to install malicious files on your computer. But a fileless attack doesn’t require that. Instead, fileless malware is sneakier: it activates tools, software and applications that are already built into your operating system.
That malware then hides in your system.
Fileless malware piggybacks on legitimate scripts by executing malicious activity while the legitimate programs continue to run.
Here’s the challenge: Fileless malware can remain undetected because it’s memory-based, not file-based.
Antivirus software often catches other types of malware because it detects the traditional “footprints” of a known file signature on disk.
In contrast, fileless malware leaves no footprints for antivirus products to detect.
How does fileless malware work?
Fileless malware can be effective in its malicious activity because it’s already hiding in your system and doesn’t need to use malicious software or files as an entry point.
This stealth is what makes fileless malware so hard to detect, and it lets the malware harm your system for as long as it remains hidden.
The following are a few scenarios in which fileless malware can use your system’s software, applications and protocols to install and execute malicious activities.
- Phishing emails, malicious downloads, and links that look legitimate as points of entry.
When you click on these links, they load into your PC’s memory, enabling hackers to remotely load code via scripts that capture and share your confidential data.
Malicious code can be injected into already-installed, trusted applications, which can then be hijacked and executed.
- Native and highly trusted applications like Windows Management Instrumentation (WMI) and Microsoft PowerShell.
Fileless malware targets these legitimate programs remotely. That can make it more challenging for security programs and analysts to catch. In the case of PowerShell attacks, for instance, fileless malware embeds malicious scripts into legitimate PowerShell scripts — essentially going along for the ride as it runs normal processes.
- Lateral infiltration.
What makes these attacks more widespread are tools like Microsoft PowerShell, which can be used to infiltrate multiple machines.
- Legitimate-looking websites that actually are malicious.
Cybercriminals can create fraudulent websites that are designed to appear like legitimate business pages or websites. When users visit these pages, the websites look for vulnerabilities in the Flash plugin, which allows malicious code to run in the browser memory.
The key is that fileless malware isn’t written to disk like traditional malware. Rather, fileless malware is written directly to RAM — random access memory — which doesn’t leave behind those traditional traces of its existence.
But there’s more. This type of malware works in-memory and its operation ends when your system reboots. This adds another layer of challenge to the forensics that would help you figure out what happened and know what to look for to prevent future attacks.
Types of fileless malware attacks
There are three primary categories of fileless malware attacks.
Windows registry manipulation
Windows registry manipulation involves the use of a malicious file or link that, when clicked on, uses a normal Windows process to write and execute fileless code into the registry.
Examples of this include Kovter and Poweliks, which can transform your infected system into a click bot by connecting with websites and click-through ads.
Memory code injection
Memory code injection techniques involve hiding malicious code in the memory of legitimate applications. While processes that are critical to Windows activity are running, this malware distributes and reinjects itself into these processes.
These fileless attacks leverage known vulnerabilities in browsers and programs like Java and Flash, and phishing campaigns to gain entry and run code in the target computer’s memory.
The major challenge with fileless malware is detection. Fileless malware attacks use legitimate Windows programs like PowerShell and WMI, so commands executed by these default programs are assumed to be legitimate — and safe.
That’s because fileless malware attacks don’t trigger the traditional red flags and pass whitelists — they look like a program that’s supposed to be running.
This can be tricky for companies. You can’t ban employees from using these programs as you could with other potentially malicious programs, because they’re often integrated into daily operations.
Here’s an example of how malicious PowerShell can bypass detection. PowerShell has a highly trusted signature that won’t raise red flags. The malware slips through security scans because it’s loaded directly into system memory and can have free rein over the operating system.
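As an added example (not code from this article or from Norton), here is a small Python hunting script a defender might run over exported process-creation records and registry Run-key values, scoring the PowerShell and WMI traits described above under registry manipulation and detection. The rule list, the threshold of two reasons, the PlaceholderVendor registry path and every sample record are constructed assumptions; the step it shows that a plain string match misses is decoding a -EncodedCommand argument (base64 of UTF-16LE text) before content matching, because otherwise the rules only ever see base64.

```python
"""Added illustration (not from the original article): flag suspicious
PowerShell and WMI invocations in process-creation records and in registry
Run-key values, the two places the text says fileless payloads live.
All sample records below are constructed."""
import base64
import re

# Launch flags that, in combination, are typical of scripted in-memory execution.
FLAG_RULES = [
    (r"-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{16,}", "encoded command"),
    (r"-(?:w|win|windowstyle)\s+hidden", "hidden window"),
    (r"-(?:nop|noprofile)\b", "profile skipped"),
    (r"-(?:ep|ex|executionpolicy)\s+bypass", "execution policy bypass"),
]
# Content rules run over the visible command line AND the decoded
# -EncodedCommand payload; without the decode step they would see only base64.
CONTENT_RULES = [
    (r"\biex\b|invoke-expression", "dynamic evaluation"),
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", "network download"),
    (r"\b(?:gp|get-itemproperty)\b.*\bhk(?:cu|lm):", "script read from registry"),
    (r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b|win32_process", "process launched via WMI"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not base64, or not UTF-16LE text
        return None


def analyze_command(cmdline, parent_image=None):
    """Return the list of reasons a command line looks like fileless tooling."""
    low = cmdline.lower()
    if not re.search(r"powershell|pwsh|wmic", low):
        return []                      # only script hosts and WMI are scored here
    reasons = [label for pat, label in FLAG_RULES if re.search(pat, low)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        low += " " + decoded.lower()   # inspect the hidden payload as well
    reasons += [label for pat, label in CONTENT_RULES if re.search(pat, low)]
    if parent_image and parent_image.lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return reasons


def is_suspicious(reasons, threshold=2):
    """One flag alone (e.g. -NoProfile in an admin script) is normal; require several."""
    return len(reasons) >= threshold


# Constructed payload: reads a script from a placeholder registry value and evaluates it.
PAYLOAD = "IEX (gp 'HKCU:\\Software\\PlaceholderVendor').stage"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed (parent image, command line) process-creation records
    ("explorer.exe", r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"),
    ("winword.exe", "powershell.exe -nop -w hidden -enc " + ENCODED),
    ("svchost.exe", 'wmic process call create "powershell -nop -w hidden -enc ' + ENCODED + '"'),
]
SAMPLE_RUN_VALUES = [  # constructed HKCU\...\Run values as (name, data)
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", "powershell.exe -w hidden -ep bypass -c \"iex (gp 'HKCU:\\Software\\PlaceholderVendor').stage\""),
]


def hunt(process_events=SAMPLE_EVENTS, run_values=SAMPLE_RUN_VALUES):
    """Return {record label: reasons} for every record that crosses the threshold."""
    hits = {}
    for i, (parent, cmd) in enumerate(process_events):
        reasons = analyze_command(cmd, parent)
        if is_suspicious(reasons):
            hits[f"process[{i}]"] = reasons
    for name, data in run_values:
        reasons = analyze_command(data)
        if is_suspicious(reasons):
            hits["run:" + name] = reasons
    return hits


if __name__ == "__main__":
    for label, reasons in hunt().items():
        print(label, "->", ", ".join(reasons))
```

Run as-is, the script reports the two encoded launches and the Updater Run value, while the scheduled backup script (a single -NoProfile flag) and the OneDrive entry stay quiet; in practice the rule list and threshold are tuned against the organisation’s own baseline of normal PowerShell and WMI use.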
Script-based techniques may not be completely fileless, but they can be hard to detect.
Two examples are SamSam ransomware and Operation Cobalt Kitty. Both are attacks that used the common fileless techniques described above.
SamSam is considered semi-fileless. While files are used, the payload cannot be analyzed without the initial script. That’s because the ransomware payload is run-time decrypted, which makes finding a sample of the payload code elusive. The only way to capture a sample to analyze is to witness the attack while it happens.
SamSam is constantly evolving, which makes attacks like these challenging to detect and protect against.
Plus, SamSam requires its creator’s involvement: a password has to be entered. That means it can’t spread automatically like other malware. The creator must enter their password for the payload, or the code for disk decryption, to run. This makes it unique in its use for single-purpose, targeted attacks.
Operation Cobalt Kitty
Operation Cobalt Kitty is an example of a fileless attack that used malicious PowerShell to target an Asian corporation for almost 6 months. A spear-phishing email was used to infiltrate more than 40 PCs and servers.
Possible ways to protect an organization against fileless malware, and what to look out for
There isn’t a simple, updated virus definition file or all-encompassing antivirus tool to guard against fileless malware attacks.
Legacy antivirus solutions, once relied upon, no longer get the job done. Next-generation endpoint security solutions are being developed and will need to be implemented.
These so-called endpoint detection and response (EDR) solutions rely on continuous, real-time monitoring of phishing emails, incoming and outgoing network traffic, and unwanted tasks in operations like WMI and PowerShell.
These fileless attacks often rely on human vulnerability, which means user and system behavior analysis and detection will be central to security. Key best practices on an individual level include:
- Being careful when downloading and installing applications.
- Keeping up-to-date with security patches and software applications.
- Updating browsers.
- Watching out for phishing emails.
In addition to behavior analysis, security solutions will include memory analysis and protection, along with intelligence sharing.
Streaming technology and endpoint security will include monitoring how one individual event leads to another. In this way, security researchers can try to figure out what triggered the event from the beginning.
This approach relies on the cloud because of the high volume of data created. From there, various techniques can be used to look at these event streams, determine risks, and formulate prevention policies to block future attacks.
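As an added example of the event-chain monitoring just described (not code from this article or from Norton), the Python below rebuilds a process tree from a constructed stream of endpoint events and reports which earlier event triggered each action a script host took. The event records, the Office and script-host name sets, and the rule “a script host acting under an Office ancestor” are assumptions chosen for illustration.

```python
"""Added illustration (not from the original article): rebuild the chain of
events behind a suspicious action, the "how one event leads to another"
monitoring the text describes. The event stream below is constructed."""

# Constructed endpoint telemetry: process starts plus the actions those
# processes took, in time order. ppid 1 is an unrecorded system root.
EVENTS = [
    {"ts": 1, "type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"ts": 2, "type": "process", "pid": 200, "ppid": 100, "image": "outlook.exe"},
    {"ts": 3, "type": "process", "pid": 300, "ppid": 200, "image": "winword.exe"},
    {"ts": 4, "type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"ts": 5, "type": "registry", "pid": 400,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": 6, "type": "network", "pid": 400, "dest": "203.0.113.10:443"},
    {"ts": 7, "type": "process", "pid": 500, "ppid": 100, "image": "powershell.exe"},
    {"ts": 8, "type": "network", "pid": 500, "dest": "203.0.113.20:443"},
]

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def index_processes(events):
    """Map pid -> its process-start record (the latest start wins if a pid is reused)."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(procs, pid):
    """Images from the outermost known ancestor down to pid.

    Stops at an unknown parent (the system root) or at a repeated pid, so a
    reused pid that makes the tree cyclic cannot loop forever."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def correlate(events):
    """Flag registry/network actions by a script host whose ancestry passes through Office.

    Each finding carries the full chain and the 'trigger', the first Office
    process on the path from the root, i.e. where the event sequence began."""
    procs = index_processes(events)
    findings = []
    for e in events:
        if e["type"] == "process":
            continue
        chain = ancestry(procs, e["pid"])
        if not chain or chain[-1] not in SCRIPT_HOSTS:
            continue
        office = [img for img in chain if img in OFFICE_APPS]
        if office:
            findings.append({"ts": e["ts"], "action": e["type"],
                             "chain": chain, "trigger": office[0]})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"ts={f['ts']} {f['action']} by {' > '.join(f['chain'])}; trigger: {f['trigger']}")
```

On the constructed stream the registry write and the outbound connection by pid 400 are both traced back through winword.exe to outlook.exe, while the PowerShell started directly from explorer.exe (pid 500) is left alone even though it also talks to the network; the point is that the verdict comes from the chain of events, not from any single event in isolation.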
So even though fileless malware is “fileless,” it’s not completely immune to being analyzed. It requires complex techniques to figure out how cybercriminals executed the malware.
The good news? Those techniques will continue to be developed to potentially help address fileless malware attacks.
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Norton by Symantec is now Norton LifeLock. LifeLock™ identity theft protection is not available in all countries.
Copyright © 2019 Symantec Corporation. All rights reserved.