Unlike traditional malware, which relies on a file being written to a disk, fileless malware is intended to be memory resident only, ideally leaving no trace after its execution. The malicious payload exists in the computer’s memory, which means nothing is ever written directly to the hard drive.
For an attacker, fileless malware has two major advantages:
- There is no file for traditional anti-virus software to detect.
- There is nothing on the hard drive for forensics to discover.
As a rule, if malware authors can't avoid detection by security vendors, they at least want to delay it for as long as possible. Which makes fileless malware a step forward in the arms race between malware and security products.
Is fileless malware new?
Fileless malware attacks have been around for 20 years at least. The first malware to be classified as fileless was the Code Red Worm, which ran rampant in 2001, attacking computers running Microsoft's Internet Information Services (IIS).
But in the last few years fileless attacks have become more prevalent. Four years ago, the Ponemon Institute's "The State of Endpoint Security Risk Report," reported that 77 percent of compromised attacks in 2017 were fileless, and that fileless attacks were ten times more likely to succeed. We noted the trend ourselves, with an overview of fileless attacks in 2018.
How is fileless malware delivered?
In the case of the Code Red Worm, the malware exploited a buffer overflow vulnerability that allowed it to write itself directly into memory. Modern ransomware attacks sometimes rely on PowerShell commands that execute code stored on public websites like Pastebin or GitHub.
Fileless malware attacks have also been seen hiding their code inside existing benign files or invisible registry keys. Some use the so-called CactusTorch framework in a malicious document. And sometimes the malicious code does exist on a hard disk, just not on the one that belongs to the affected computer. For example, "USB thief" resides on infected USB devices installed as a plugin in popular portable software. It gathers information on the targeted system and writes that to the USB device.
How to create fileless malware
Our esteemed colleague Vasilios Hioureas has written a walk-through by demonstrating some of his own fileless malware attacks. His write-up also nicely demonstrates what modern anti-malware solutions need to do to protect their users against fileless malware attacks. Showing that modern-day solutions must contain technology to dynamically detect malicious activity on the system rather than simply detecting malicious files. Old-school signature-based detection is useless when dealing with fileless malware.
What can fileless malware do?
In essence, fileless malware can do anything that “regular” malware can do, but for practical reasons you will often see that there is a limited amount of malicious, fileless code. For more complex programs like ransomware, the fileless malware might act as a dropper, which means the first stage downloads and executes the bigger program which is the actual payload. And, of course, fileless malware can use native, legitimate tools built into a system during a cyberattack.
The most common use cases for fileless malware are:
- Initial access. The first step of a cyberattack is to gain a foothold on a system. This can be stealing credentials or exploiting a vulnerability in an access point.
- Harvest credentials. Fileless malware is sometimes used to hunting for credentials, so an attacker can use alternative entry points or elevate their privileges,
- Persistence. To ensure they have permanent access to a compromised system, an attacker might use fileless malware to create a backdoor.
- Data exfiltration. An attacker might use fileless malware to hunt for useful information, such as a victim's network configuration.
- Dropper and/or payload. A dropper downloads and starts other malware (the payload) on a compromised system. The payload may come as a file, or it can be read from a remote server and loaded into memory directly.
Fileless malware detection
So, how can we find these fileless critters? Behavioral analysis and centralized management are key techniques for detecting and stopping fileless malware attacks. Knowing how to identify attacks and having an overview of the attack surface however is easier said than done.
What you need is anti-malware software that uses behavioral analysis, ideally supported by an Artificial Intelligence (AI) component. And for a large attack surface you will need something like a Security Information Event Management (SIEM) system to tie all the alerts and detections together.
In short, detecting malware is no longer a matter of detecting malicious files, but more and more a matter of detecting malicious behavior.
Stay safe, everyone!