Fileless malware is a type of malicious software that does not rely on virus-laden files to infect a host. Instead, it exploits applications that are commonly used for legitimate and justified activity to execute malicious code in resident memory.
How Fileless Malware Works
Fileless malware attacks, also known as non-malware attacks, use existing vulnerabilities to infect a system. When using fileless malware, an attacker takes advantage of vulnerable software that is already installed on a computer to infiltrate, take control and carry out their attack. Unlike traditional malware, fileless malware does not need to install or download malicious software to infect the victim’s machine. Instead, the malware uses a system’s own files and services to give an attacker access to a device. Once into the system, the attacker can gain access to native operating systems such as Windows PowerShell and Windows Management Instrumentation (WMI) to carry out their malicious activity. Because many security technologies trust these utilities, malicious activity can easily remain undetected as analysts assume most of the actions are legitimate.
Fileless malware exists only in a computer’s random-access memory (RAM) meaning that nothing is ever written directly to the hard drive. This makes it more difficult to detect as there are no stored files for defensive security software to scan. It also leaves little forensic evidence for security teams to investigate after identifying a breach. However, because fileless malware runs in a computer’s RAM and is never permanently saved to a hard drive, attackers have a smaller window of opportunity to execute the attack. Once a system is rebooted, an attack using fileless malware must also be reinitiated.
Fileless Malware Key Targets
Attackers who use fileless malware techniques are looking to gather as much information as they can in a short amount of time and tend to focus their attacks on a few main targets. PowerShell and Windows Management Instrumentations (WMI) are two such targets that come up very often. Hackers choose these two systems because many security technologies trust these utilities and analysts assume most of the actions are legitimate, making it easier for malicious activity to remain undetected. These utilities also provide complete control over an endpoint, making it easier to spread malicious code across the network. Additionally, most organizations do not want to shut down these systems for fear that it will hinder business-justified IT or DevOps work. This therefore allows malicious attackers to stay within the systems for a significant amount of time.
Fileless Malware in Action
The earliest known usage of fileless malware dates back to around 2001 with the emergence of a computer known as Code Red, which used a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) to write commands to a server’s working memory.
Other notable fileless malware attacks include:
- SQL Slammer – an attack in 2003 which exploited a vulnerability in Microsoft SQL servers
- Stuxnet – an extremely sophisticated worm that was first uncovered in 2010, but may have been in development since 2005, designed to infect physical systems related to nuclear enrichment.
- UIWIX – a threat uncovered in 2017 that exploited the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry, but was fileless.
Why Attackers Choose Fileless Malware
Fileless attacks are not new, but they are becoming more common. The largest data breach in 2017 — the Equifax data breach — was a fileless attack. Attackers were able to exploit a vulnerability in the company’s unpatched version of Apache Struts and use it to execute malicious commands.
Seventy-seven percent of all breaches in 2017 utilized fileless techniques, according to a Ponemon Institute study1. The report estimates that fileless attacks are ten times more likely to succeed than file-based attacks. Attackers are increasingly using fileless malware because it allows them to:
- Remain undetected for longer periods of time since traditional anti-virus software is not effective in detecting fileless attacks.
- Exploit a vulnerability that will give them administrator access and complete control of a system.
- Gather data from their target to be used for later attacks.
Fileless Malware and How to Detect It
Malware-based attacks are noisy and therefore easier to detect and respond to, and the days where defensive security solutions could easily spot these signature-based threats are behind us. Realizing this, attackers have responded by evolving to techniques that rely on tools that already exist within the environment, abusing insider credentials or using SSL tunnels to legitimate sites for command and control. This means that security teams must now detect malicious intent that blends with business-justified activity, a task that is both tedious and challenging for most analysts.
The shortage of knowledgeable professionals with the cybersecurity skills needed to find these new and evolving threats is giving rise to a new generation of security products. These products must embody some of that human expertise into software.
Awake’s approach is to deliver a platform that filters out the noise by allowing of-the-moment “skills” development to tackle new security problems as they emerge. This way, a system can easily learn the skills needed to detect and respond to threats such as new forms of fileless malware—rather than overhauling the entire toolbelt to chase the latest threat. As Awake ingests and analyzes every packet that crosses the network, skills take the form of questions security teams ask of the data, and the real-time answers the platform provides. The questions make it trivial for Awake security researchers and customers alike to express attacker tactics and then have the system automate the hunt for those tactics.
- Threat Hunting, What’s it Good For? (Part 1)
- 7 Habits of Highly Effective Security Teams White Paper
- SANS 2018 Security Operations Center Survey – White Paper
1 The 2017 State of Endpoint Security Risk, Ponemon Institute