Is Fileless Malware the Future? And Can It Be Stopped?

By Pramod Borkar of Exabeam

Yes, and most certainly yes. Fileless malware attacks are on the rise but they can also be stopped.

According to research by the Ponemon Institute, fileless malware attacks accounted for about 35 percent of all cyberattacks in 2018, and they are almost 10 times more likely to succeed than file-based attacks.

Although fileless malware doesn’t yet have the notoriety of ransomware and other attack vectors, fileless attacks nevertheless can pose a major threat—and they’re evolving, according to a 2017 report by Malwarebytes.

But the future is not so bleak: like any threat, fileless malware security threats can be mitigated with the proper understanding and plan for counterattack.

Understanding Fileless Malware Attacks

Unlike other breeds of malware that require the installation of software on a victim’s machine, fileless malware infects a host computer’s dynamic memory, or RAM. Fileless malware attacks can also hijack Windows, essentially turning the power of the OS against its own users by using common tools like PowerShell (which is integrated into Windows 8) for its malicious activities.

Beginning with a phishing email, a visit to a malicious website, or the use of an infected USB flash memory stick, fileless malware scans the machine looking for vulnerabilities—whether it’s unpatched Flash or a Java plug-in, or almost any process that involves PowerShell. The payload then begins executing the attack by using the dynamic memory of the user’s computer, such as leveraging browser processes.

Undetected Threats Waltz Into Your Network

Fileless malware does not write onto your disk. Instead, the malware lurks in memory using hiding places such as PowerShell (widely used by system administrators to automate tasks), Visual Basic (VB) scripts, and Windows Management Instrumentation (WMI). Fileless malware attacks bypass traditional anti-malware programs that typically only scan for malicious files, which are then flagged for removal because there’s no file on a system. Lack of cookie crumbs (aka remnant code) also makes it tough for security teams to analyze the malware behavior later.

In addition, bad actors are equipping fileless malware with new abilities. These not only enable such attacks to evade detection, but their payloads can also deliver advanced infections. One concern for enterprises is that fileless attacks are “borrowing the propagation and anti-forensic techniques seen in the complex nation-state attacks.”

Persistence, Powerful Payloads

Persistence is one area where such added tactics, techniques, and procedures (TTP) are having a greater impact. With potentially many months needed to remediate an attack, imagine how much critical data an attacker could drain from your network during that time.

In one case, hackers used an obfuscated PowerShell infrastructure to drop fileless malware on targeted computers, which in turn fetched payloads from a command-and-control server. This created a very effective advanced persistent threat (APT) that allowed the attackers to operate undetected for half a year, with data being exfiltrated all the while. And because a trusted program executed the commands, security staff, and the tools they used all assumed the commands were legitimate.

One roadblock to their persistence is that fileless malware lives in dynamic memory. In theory, regular system reboots should flush it. But today’s craftier cybercriminals have even devised ways for their code to linger after a reboot.

A Cutting-Edge Fight: UEBA vs. Fileless Malware

Since this evolved breed of malware can evade traditional detection tools and techniques, it’s critical to look beyond the standard checkpoints: signatures, prewritten rules, disk scanning, and the like. Instead, tracking the activity of those having administrator and super user privileges to detect anomalous behavior can yield the most positive results. After all, these account credentials are just as susceptible to being hacked.

Perhaps one such user uncharacteristically accesses different databases or systems in sensitive areas such as HR or finance. That could be an indicator of compromise (IoC). By automatically and swiftly alerting your incident response (IR) team, you could remediate the threat before the damage has been done.

UEBA can monitor user activity as well as the behavior of applications and services. This includes inter-process communications, unauthorized requests to run applications, changes made to credentials or permission levels, and other uncharacteristic behavior.

A new genus of malware has emerged that breaks the rules of traditional detection and defense methods. By infiltrating the systems in manners undetectable to legacy security protocols, fileless malware presents unique challenges to security professionals. UEBA presents the best chance at protecting against such a threat.

Rather than looking for malicious files, user and entity behavior analytics offers the best solution by detecting anomalous behaviors or entities can indicate the presence of malware. Unlike conventional security monitoring tools that scan disks and use signatures or rules, behavioral modeling and machine learning offer the best opportunity to identify anomalous and suspicious user and entity behaviors.

UEBA’s automated, around-the-clock monitoring can alert your security team of a fileless malware attack.

So, yes. Fileless malware attacks are the current future, but it is a future we have the power to prevent through smart, innovative cybersecurity tactics.

Thank you to Pramod Borkar of Exabeam for his time and expertise!