With increased cyber threats, there is great awareness of malware that comes attached in files. Individuals and businesses invest in security solutions to protect against malware. In fact, there are often company policies regarding opening attachments on emails; yet there is an increase in a type of threat (though not new), known as the fileless malware.
What is Fileless Malware?
A fileless malware attack is a type of threat that doesn’t involve executable files. Instead, these attacks include scripts that run on browsers, command prompts, Windows PowerShell, Windows Management Instrumentation, VBScripts, or Linux (Python, PERL).
In other words, fileless malware is a form of cyberattack carried out through software that already exists on your device, in your authorized protocols and in applications that you have allowed on your device. As such, fileless malware is becoming a favorite of cybercriminals because they don’t have to look for ways to install malicious files in your device – they only need to take advantage of built-in tools.
Reported examples of fileless malware include PowerGhost, which has been used in crypto-mining and DDoS attacks.
How It Works
First, note that these attacks are termed fileless because they are not file-based; instead, they hide in computer memory.
The malware launches an attack in various ways. For instance, a malicious code is injected in an application already installed or a user clicks on a legitimate-looking link that loads a remote script. Another scenario exists within a legitimate-looking website that a user visits; the attackers exploit vulnerabilities in the Flash plugin; and a malicious code runs in the browser memory of the user’s computer.
While file-based malware uses executable files, the fileless type hides in areas where it can’t easily be detected, such as the memory. It is then written directly to the RAM (and not the disk), where it carries out a series of events. Once in your system, the malware piggybacks on legitimate scripts and executes malicious activities while the legitimate program runs. At this point, it performs malicious activities such as payload delivery, escalating admin privileges, and reconnaissance, among others.
Since it works in-memory (RAM), its operations end when you reboot your system. This makes it more challenging to trace attacks. The fileless malware also may work in cohorts with other attack vectors, such as ransomware.
Detection and prevention
Various security vendors claim to have products that can detect fileless threats, as well as protect endpoint systems. Successful security solutions need to be able to put in place technologies that enable them to inspect different kinds of operating systems storage, as well as analyze in real-time the execution of patterns of processes in a system.
But even so, one thing is certain: traditional anti-malware software will not detect fileless malware because they are not file-based and they do not they leave footprints. Here are some tips that will help mitigate against fileless attacks:
- Regularly update the software on your devices (especially Microsoft applications) to protect against attacks propagated through PowerShell.
- Apply an integrated approach that addresses the entire full threat lifecycle. This is possible when you use a multilayered defense mechanism.
- Use security solutions that can detect malicious attacks against command prompt (CMD), PowerShell, and whitelisted application scripts.
- Use anti-malware tools that include machine learning, as this will limit scripts from creating new polymorphic malware within your environment.
- Practice behavior monitoring to help look out for unusual patterns.
- Use memory scanning to help detect patterns of known threats.
- Be on the lookout for high CPU usage by legitimate processes and suspicious error messages that appear for no clear reason.
- Disable PowerShell and Windows Management Instrumentation (WMI) if you are not utilizing them.
- Avoid using macros that have no digital signatures or turn off macros if not being used.
- Use endpoint detection and response tools.
Final Thoughts
The cyber threat landscape keeps evolving. Every day, there are more sophisticated threats as criminals keep advancing to take on countermeasures that have been implemented.
You should invest in security solutions that mitigate varying classes of threats, especially machine learning technologies. This will help protect against the latest and emerging threats. Also, keep your Windows OS and other installed software up-to-date to reduce the chances of fileless malware attacks.
Despite taking the mentioned measures, it’s important to stay informed of the latest threats and take necessary precautions.