Fileless Malware may be a new term for most but the security industry has known it for years. Earlier this year over 140 enterprises worldwide were hit with this Fileless Malware – including banks, telecoms, and government organizations. Fileless Malware, as the name explains is a kind of malware which doesn’t use any files in the process. However, some security firms claim that the fileless attack leaves a small binary in the compromising host to initiate the malware attack. Such attacks have seen a significant rise in last few years and they are riskier than the traditional malware attacks.
Fileless Malware attacks
Fileless Malware attaks also known as Non-Malware attacks. They use a typical set of techniques to get into your systems without using any detectable malware file. In past few years, the attackers have become smarter and have developed many different ways to launch the attack.
Fileless malware infects the computers leaving behind no file on the local hard drive, sidestepping the traditional security and forensics tools.
What’s unique about this attack, is the usage of a piece sophisticated malicious software, that managed to reside purely in the memory of a compromised machine, without leaving a trace on the machine’s file system. Fileless malware allows attackers to evade detection from most end-point security solutions which are based on static files analysis (Anti-Viruses). The latest advancement in Fileless malware shows the developers focus shifted from disguising the network operations to avoiding detection during the execution of lateral movement inside the victim’s infrastructure, says Microsoft.
The fileless malware resides in the Random Access Memory of your computer system and no antivirus program inspects the memory directly – so it is the safest mode for the attackers to intrude in your PC and steal all your data. Even the best antivirus programs sometimes miss the malware running in the memory.
Some of the recent Fileless Malware infections that have infected computer systems worldwide are – Kovter, USB Thief, PowerSniff, Poweliks, PhaseBot, Duqu2, etc.
How does Fileless Malware work
The fileless malware when it lands into the Memory can deploy your native and system administrative Windows built-in tools like PowerShell, SC.exe, and netsh.exe to run the malicious code and get the admin access to your system, so as to carry out the commands and steal your data. Fileless Malware sometime may also hide in Rootkits or the Registry of the Windows operating system.
Once in, the attackers use the Windows Thumbnail cache to hide the malware mechanism. However, the malware still needs a static binary to enter the host PC and email is the most common medium used for the same. When the user clicks on the malicious attachment, it writes an encrypted payload file in the Windows Registry.
Fileless Malware is also known to use tools like Mimikatz and Metaspoilt to inject the code into your PC’s memory and read the data stored there. These tools help the attackers to intrude deeper into your PC and steal all your data.
Behavioral analytics and Fileless malware
Since most of the regular antivirus programs use signatures to identify a malware file, the fileless malware is hard to detect. Thus, the security firms use behavioral analytics to detect the malware. This new security solution is designed to tackle the previous attacks and behavior of the users and computers. Any abnormal behavior which points to malicious content is then notified with alerts.
When no endpoint solution can detect the fileless malware, behavioral analytics detects any anomalous behavior such as suspicious login activity, unusual working hours or use of any atypical resource. This security solution captures the event data during the sessions where users use any application, browse a website, play games, interacts on social media etc.
Fileless malware will only become smarter and more common. Regular signature-based techniques and tools will have a harder time to discover this complex, stealth-oriented type of malware says Microsoft.
How to protect against & detect Fileless Malware
Follow the basic precautions to secure your Windows computer:
- Apply all the latest Windows Updates – especially the security updates to your operating system.
- Make sure that all your installed software is patched and updated to their latest versions
- Use a good security product that can efficiently scan your computers memory and also block malicious web pages that may be hosting Exploits.
- Be careful before downloading any email attachments. This is to avoid downloading of the payload.
- Use a strong Firewall that lets you effectively control Network traffic.
If you need to read more on this topic, head over to Microsoft and check out this whitepaper by McAfee too.