Fileless Malware

What are fileless malware? 

Unlike traditional malware which leaves behind a trace after its execution, fileless malware does not leave behind an indication of an infection, causing the malware to be very difficult to detect, contain and remove.    

Instead, the malware is written into the computer’s memory and for the threat actor, this is very advantageous as: 

• There is no file to be detected by a traditional anti-virus software. 
• Traces of the infection in the hardware cannot be detected by forensics.  

Threat actors are becoming increasingly aware of the improved methods utilised by organisations to protect their networks and assets. The most effective hacking methods tend to be the most recent ones and so far, fileless malware have been successful in bypassing every security solution minus the most advanced ones.  

Fileless malware are typically undetectable by antivirus software, whitelisting and other classic endpoint security platforms.  

How are fileless malwares conducted? 

Although fileless malware is not regarded as a traditional malware, it infects the targeted device in a similar method, by operating in memory. The malware is not installed directly upon the machine and instead targets the device memory without affecting the hard drive. Such attacks with low observable characteristics tend to take advantage of Microsoft Windows PowerShell, a tool which is utilised by administrators for configuration and task automation purposes. PowerShell is equipped with a command-line shell and similar scripts, enabling criminals to gain access to everything in Windows.  

In some cases, the malicious code can be embedded onto a hard disk but not the affected computer, for example infected UBS devices that gathers information about the targeted device which is written onto the USB device. 

Steps involved in a typical fileless malware attack: 

1. Target clicks the provided spam link or attachment. 
2. Website loads flash which initiates the attack. 
3. Shellcode opens PowerShell to perform payload in memory. 
4. Download, in-memory execution and loading of code. Payload then causes intended damage.  
5. Auto start to enforce command line shell. 

Fileless malware typically occur in a lateral manner, they resume to the next device continuously with the aim of gaining access rights to data stored in the organisation’s system. Detection is often avoided by attaching themselves into whitelisted applications such as PowerShell and other programs which execute scripts or the operating system, abusing the trust model as these programs are not typically monitored by security programs.  

In this case, hackers do not need to waste time in order to bypass anti-virus software. Command line attacks typically go undetected by automated sensors and only trained analysts are able to detect these malicious scripts. 

Uses of fileless malware 

Fileless malware can be used by an attacker as a dropper for more complex malwares such as ransomware and in addition to this, other uses include: 

• Gaining primary access by exploiting an underlying vulnerability. 
• Stealing credentials to enable the attacker to use different points for access to the system or to increase their user privilege. 
• Creating a backdoor access to the infected device. 
• Exfiltrating data  
• Enforcing dropper downloads which start other malware which may be introduced as a maliciously coded file or read from a remote server and deployed directly into memory.   

Detecting and defending against fileless malware 

Adopting an anti-malware software which includes the use of behavioural analysis will help your organisation detect a fileless malware threat. It will also be beneficial to have in place an SIEM platform (security information event management) to combine all alerts. In order to detect this form of malware, rather than focusing on identifying malicious files, detection of unusual and suspicious behaviour should be focused on.   

A method of defence against this malware is to make sure that your organisation’s system is up to date including all Microsoft applications and Windows Defender package to detect unusual activity from PowerShell. 

It is also beneficial for your organisation to implement a multi-layered defence solution to examine the before, during and after of an attack.  

Regular monitoring of actions in PowerShell or other scripting software will be beneficial and in the case that your organisation become infected by a fileless malware, your organisation’s network needs to be prepared to be halted in order to manage the infection. 

What Securiwiser can help you with 

We aim to provide our clients advice concerning implementation of various specific cyber security methods, some of which will be more suitable than others depending on the business type to help ensure the cyber health of our client’s system.  

We advise our clients (whether they are individual users or business owners) regarding various cyber threats that their businesses and operating systems may face. This includes increasing trends of certain threats and prevention methods that are cost effective and time saving.   

Furthermore, business owners, employees and general users may forget to conduct regular scans to monitor the health of their operating system, which criminals can take advantage of to gain unauthorised access by exploiting unrecognised, underlying vulnerabilities.   

Securiwiser can conduct regular scans for your system and provide a detailed cybersecurity risk assessment and a cybersecurity vulnerability assessment. We can further explain detected vulnerabilities and risks in detail to our clients and provide the best course of action that will save your business time and money.