Over the past year, the IT security industry has seen a notable increase in a relatively new kind of malware: fileless malware attacks.
The term is used colloquially for different but similar concepts. "Fileless malware" describes an idea rather than one specific implementation.
How is fileless malware characterized?
Whereas "normal" malware infiltrates the system by loading external malicious code, fileless attacks take a completely different approach. They explicitly avoid downloading further executables that could be detected by common file- and signature-based antivirus programs. Fileless malware tries to perform its actions without storing malicious code on disk, hence the name "fileless". Usually it uses existing system resources, e.g. admin tools like Microsoft PowerShell or scripting languages like Visual Basic, Bash or Python.
What is part of this malware class?
One key element of fileless malware attacks is moving without leaving verifiable traces. An infection might exist only in memory, masked as a common process, but never on the hard drive. Memory-oriented attacks such as non-malware attacks, zero-footprint attacks and, in the broadest sense, macro attacks belong to the fileless malware class. The common goal of these tactics is to stay undetected by the security checks applied to downloads and write operations.
What are the implications of these tactics?
All systems can be affected, Windows as well as Unix-based, each via its own admin tools. Due to the multilevel exploitation of these tools, it is hard to distinguish between actions that are required (e.g. for system management) and actions that are unwanted (and potentially harmful). Here, multilevel means that the first steps of the action do not seem suspicious, but the interlinking of different tasks poses a security threat.
Being located only in RAM most of the time, fileless malware makes forensic investigation difficult. Usually, any evidence is gone as soon as the system is restarted or shut down.
How does fileless malware get in?
Very often, fileless malware attacks start with phishing campaigns that tempt their victims to click a link. "Emotet" and "Kovter" are well-known examples. Other attacks start when browsing an infected website.
Another tactic is the multilevel interlinking of various steps, e.g. using an MS Office macro, a Visual Basic Script and finally PowerShell, which perform the malicious routines with a delay. For as long as possible, only very inconspicuous actions take place. Some variants work "fileless" for the entire time of operation and write persistent files only at the very last moment before the system shuts down.
How to track fileless malware?
Mere screening of signatures, downloads and write operations will not unmask fileless attacks. For detection, the system needs to be able to recognize abnormal or changed behaviour of processes. Certain behaviours, such as executing or accepting shell commands, changed network traffic, or changed user privileges, need to be collected and evaluated in context.
Other indicators, such as deleting log files to cover up tracks, may be relevant for identifying fileless or non-malware attacks. Detection is not about single elements but about the whole picture.
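The following is an added example (not code from the original article or from IKARUS) of what "evaluating in context" looks like in practice. It scores constructed process-creation events along their parent chain: an Office application spawning a script host, which launches a hidden, encoded PowerShell, which then clears an event log. No single step reaches the alert threshold on its own; the chain as a whole does, while a PowerShell script started directly from the desktop scores zero. The log format, weights and threshold are assumptions chosen for illustration, not a real sensor's output.

```python
"""Context-based scoring of a multilevel fileless attack chain (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample log lines in a simplified "ts|pid|ppid|image|cmdline" format
# (not real telemetry). The last line is a benign admin script for comparison.
SAMPLE_LOG = [
    r"1000|400|300|explorer.exe|C:\Windows\explorer.exe",
    r'1010|512|400|winword.exe|"C:\Program Files\Microsoft Office\WINWORD.EXE" invoice.docm',
    r"1012|600|512|wscript.exe|wscript.exe //B C:\Users\u\AppData\Local\Temp\inv.vbs",
    r"1015|640|600|powershell.exe|powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA",
    r"1020|700|640|wevtutil.exe|wevtutil.exe cl Security",
    r"2000|800|400|powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Illustrative weights: each indicator alone stays below ALERT_THRESHOLD.
WEIGHTS = {
    "office_ancestor": 3,     # script host or shell with an Office app in its ancestry
    "script_host_parent": 2,  # shell launched directly by a script host
    "encoded_command": 3,     # PowerShell given a Base64-encoded command
    "hidden_window": 1,       # console window suppressed
    "eventlog_cleared": 4,    # log deletion to cover tracks
}
ALERT_THRESHOLD = 5


@dataclass
class ProcEvent:
    ts: int
    pid: int
    ppid: int
    image: str
    cmdline: str
    indicators: list = field(default_factory=list)


def parse_line(line: str) -> ProcEvent:
    """Split one constructed log line into a process event."""
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return ProcEvent(int(ts), int(pid), int(ppid), image.lower(), cmdline)


def ancestry(events: dict, pid: int) -> list:
    """Events from the process itself up to its oldest known ancestor."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid])
        pid = events[pid].ppid
    return chain


def score_event(ev: ProcEvent, chain: list) -> list:
    """Indicators raised by one event, judged against its process ancestry."""
    images = [e.image for e in chain]
    cmd = ev.cmdline.lower()
    found = []
    if ev.image in SCRIPT_HOSTS | SHELLS and any(a in OFFICE_APPS for a in images[1:]):
        found.append("office_ancestor")
    if ev.image in SHELLS and len(images) > 1 and images[1] in SCRIPT_HOSTS:
        found.append("script_host_parent")
    if ev.image in SHELLS and re.search(r"\s-e(nc|ncodedcommand|c)\b", cmd):
        found.append("encoded_command")
    if ev.image in SHELLS and re.search(r"-w(indowstyle)?\s+hidden", cmd):
        found.append("hidden_window")
    if (ev.image == "wevtutil.exe" and "cl" in cmd.split()) or "clear-eventlog" in cmd:
        found.append("eventlog_cleared")
    return found


def evaluate(lines, threshold: int = ALERT_THRESHOLD) -> dict:
    """Score every process by the indicators of its whole ancestry chain."""
    events = {ev.pid: ev for ev in map(parse_line, lines)}
    for ev in events.values():
        ev.indicators = score_event(ev, ancestry(events, ev.pid))
    scores = {
        pid: sum(WEIGHTS[i] for e in ancestry(events, pid) for i in e.indicators)
        for pid in events
    }
    alerts = sorted(pid for pid, s in scores.items() if s >= threshold)
    return {"scores": scores, "alerts": alerts, "events": events}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    for pid in result["alerts"]:
        chain = " <- ".join(e.image for e in ancestry(result["events"], pid))
        print(f"ALERT pid={pid} score={result['scores'][pid]} chain: {chain}")
```

The point of summing over the ancestry rather than per event is that the wscript.exe launch alone (score 3) and the log clearing alone (score 4) both stay below the threshold; only their combination in one chain produces an alert, which is exactly the "whole picture" the text describes. On a real sensor the chain would be rebuilt from process GUIDs rather than reusable PIDs, and the weights tuned against the environment's own baseline.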
What do fileless attacks aim at?
Usually, fileless malware is used in targeted attacks aimed at company networks. However, individual adaptations are easily implemented, and the growing supply of exploits-as-a-service on the darknet enables even technically inexperienced criminals to run attacks.
To be on the safe side, users and security providers need to observe and consider current trends and techniques. IKARUS will be happy to advise you on current developments, different approaches and efficient solutions.
Security tips for users and admins:
• Close security gaps: always keep software up-to-date
• Use a firewall
• Deactivate PowerShell
• "Principle of least privilege": never work with admin accounts and only grant users minimum permissions
• Forego scripting languages wherever possible
• Only use macros when and where needed
• Shut down devices when not in use
• Secure web and email gateways in addition to local virus protection
• Never click suspicious links or open unknown or unexpected files
• Back up data on external storage and regularly check for integrity and recoverability
• When in doubt, ask your admin or the IKARUS Support Team for advice