The rising threat of fileless malware
Threat actors are increasing their use of fileless malware for one simple reason: most organizations aren’t prepared to detect it. Education is the first step in determining what threat these new attacks pose and what you can do to detect and stop fileless malware attacks.
Fileless malware is a significant and increasing threat. While awareness of that fact is growing, there’s still confusion among security practitioners and vendors about the nature of the threat and the requirements for a successful defense strategy.
Part of that confusion arises because most of the security methods, solutions and routines used to detect and prevent cyber security threats remain firmly grounded in addressing file-based attacks. As with any new type of cyber threat, many security-focused professionals need a point of reference, or a newsworthy attack, as their driver for altering, updating or replacing their current security workflows.
The goal of every security organization is not to be the first victim of that attack.
A recent survey by Ponemon, the 2017 State of Endpoint Security Risk, showed that fileless attacks rose, as a percent of all malware attacks, from 20% in 2016 to 29% in 2017. It estimated that in 2018, fileless attacks would rise to 35%. Of the 54% of respondents that indicated they were compromised by at least one attack, 77% said those successful breaches were from fileless attacks.
The goal of this post is to empower you, the security professional, with the knowledge you can use to better understand, prepare for and detect fileless threats. In time, fileless malware threats will be commonplace. Educating yourself early can significantly enhance your security readiness today for better security tomorrow.
Understanding File-based vs. Fileless Attacks
True fileless attacks exploit the target system without any file being resident. The entirety of the attack occurs in memory, leaving no trace of the attack on the file system. These attacks have been used in the delivery of all types of malicious content. To date, fileless attacks primarily focus on the exploitation of web browsers and their plug-ins.
These payloads may be fully memory-resident and use PowerShell for reconnaissance and lateral movement. Combining advanced fileless attack techniques with memory-resident malware and living-off-the-land methods presents major challenges for traditional defensive techniques at both the network and host level.
Once the target is compromised, fileless attacks typically load their malicious payloads into already running system processes, where they can operate invisibly until the system is powered down or rebooted. In most cases, fileless malware operates exclusively in RAM and leaves no artifacts for post-event forensic analysis. However, other fileless strains attempt to achieve persistence by writing files to hidden directories or by modifying the operating system registry.
Fileless attacks are often used as the initial vector for entering a system, disabling or circumventing the tools used to detect more malicious file-based attacks. Once this stage is complete, the attack may move to a new stage that uses file-based methods. Thus, tools built to detect file-based attacks might incorrectly report that the initial attack was file-based, if they catch the attack at all.
There is some confusion about what is and isn’t a fileless attack. Attacks should not be characterized as fileless if critical phases are transported within a file, such as a Word or Excel document containing a malicious macro or a zip file containing malicious code.
File-based threats like these are commonly associated with phishing exploits and weaponized attachments, which cannot infect a host unless the file is opened by an unwary user. The resulting malware may operate entirely in RAM or write and modify system files to achieve persistence or to compromise system resources. Some of these attacks may also leverage common system utilities, such as PowerShell, to move laterally within an organization without leaving evidence on the host file system.
These file-based attacks are sometimes miscategorized as fileless attacks because they do not produce files on the victim’s machine. However, they are better categorized as memory-resident malware or living-off-the-land attacks.
Traditional Host- and Network-Based Defence Strategies
There is a range of different defenses that organizations have adopted to protect their networks from malicious attacks. These include signature-based solutions including anti-virus (AV) and firewalls, file sandboxes, host-based systems and anomaly detection. Many of these were designed to detect files or traditional threat attributes. Therefore, most don’t work against fileless attacks, and others only provide a partial or after-the-fact solution.
This section goes into detail about each of these types of defense and the capabilities and limitations of each. These solutions generally use a combination of signatures for files, called hashes, and URLs or IPs of known malicious or compromised systems. Fileless malware is designed to bypass these traditional defenses.
First, the lack of an actual file bypasses file signature-based detection, as there is no file from which to derive a signature. Therefore, even once the attack becomes known, it still bypasses signature-based detection. Second, attackers use different registered and compromised hosts as the location from which to start their attack, bypassing the value of IP- or URL-based detection. This means the exact same attack can bypass these defenses again and again, just by changing the point of origin.
Four Common Defence Solutions (Why They Fail Against Fileless Attacks)
Anti-virus was designed to detect malicious, known threats through signatures. Fileless malware has no file to compare a signature to, and fileless attacks do not conform to a given signature. This combination allows fileless malware to slip right past AV detection.
Sandboxes are often included in traditional defenses as a second line for detecting threats missed by signatures. However, sandboxes are not effective against fileless attacks because they are only sent suspicious files. Since fileless attacks don’t have files, there is nothing to send for analysis.
Behavior-based heuristics and unsupervised machine learning
These technologies can be effective at detecting anomalous behavior in systems that have already been compromised. However, these approaches generally fail to prevent the initial compromise and require significant abnormal activity in order to detect a breach.
Part of the failing of these systems is that fileless attacks are designed to look like normal traffic, so they often don’t show up as an anomaly. The detections from these solutions can also be lost in the noise as they alert on all abnormal activity. The abnormal activity could be someone shopping for their spouse’s birthday on a company computer, the introduction of a new process or tool, or even a new hire.
Host-based Defences
This strategy relies on host-based defenses to protect the infrastructure. Many of these host solutions have started adding methods to detect fileless malware, but they have serious limitations:
- Only work on systems that have them loaded. Systems without a host-based solution are vulnerable. Many assets do not support host-based products or are often overlooked, including network infrastructure like switches, cloud-based resources, mobile, and IoT, all of which may have access to corporate information.
- Impact system performance, which means an impact on user productivity. This can often drive end users to turn off their security systems entirely.
- Many fileless attacks utilize standard system protocols to exploit systems. These are designed explicitly to bypass host-based protections.
- Management on all endpoints in an environment can mean managing thousands or even tens of thousands of devices.
Challenges to Finding Fileless Attacks
Without signatures to detect fileless malware attacks, security systems fail to find these critical attack vectors early enough in the kill chain to prevent damage. Detecting fileless malware requires a very different kind of defense strategy. There are five major challenges that a solution needs to address in order to detect fileless attacks:
- Environment: Analysing fileless code in an OS-agnostic way. Malicious attacks are often designed to operate on a specific OS and product patch-level configuration. For example, the attack might require a specific version of Windows and that Firefox is installed, both at a specific patch level. This specificity is one method by which attackers can target individual systems and avoid detection by sandboxes or other environment-restricted defenses.
- Obfuscation: Identifying and recovering concealed and obfuscated code for analysis. Fileless exploits often attempt to conceal malware code using obfuscation techniques such as XOR or string encoding. The true intent of a script will not become visible unless the targeted execution environment includes the software components the malware is designed to compromise. Exploit kits typically target a limited set of execution environments, so the malware may self-terminate if it encounters an incompatible system.
- Analysis: Determining what the recovered code can do if executed, and whether those are benign operations or typical of malicious intent. Many benign applications and processes use scripts. These same scripts write cookies and perform other operations that involve making changes to the host. The same is true of the other types of scripts and methods used by fileless malware. Distinguishing these normal operations from malicious ones is the core of fileless detection.
- Real Time: Detecting threats in real time, not minutes, hours, or days after the compromise. Post-processing systems are designed to look for malicious activity after the event. These include sandboxes and anomaly detection. While these may eventually find the threat, they often don’t discover the attack until one or more systems have already been compromised.
Solutions to the Challenge of Fileless Malware
Finding fileless malware before the breach is not a simple task. A solution must be capable of detecting fileless malware regardless of OS, handle code obfuscation, operate at network speed, perform true analysis of the code, and do all of this in real time. Let’s take a second look at these five challenges while defining the requirements necessary to address them.
- While files and executables are often OS-dependent, scripting languages are designed to be cross-platform. This capability is what fileless malware providers use as their method of targeting a range of hosts, servers and network devices. Scripts can be part of standard network traffic, included in emails or embedded in files. Solutions must be capable of detecting and extracting any scripts from the network traffic in order to protect against these cross-platform threats.
- Unconcealed fileless attacks are in the minority as obfuscation techniques are common and easy to apply. Another capability required by solutions for fileless malware is the ability to detect when obfuscation is present, to remove that obfuscation and to understand the intent beneath. As there are many methods of obfuscation, this capability can’t be limited to a single method of obfuscation. If the code is capable of being executed at the endpoint, or if it can be run in conjunction with code at the endpoint, it needs to be deciphered and analyzed before it executes and infects the target.
- Any solution needs to operate at the same speed as the network that it is protecting. Any solution that only handles a percentage of the traffic that it inspects can potentially miss fileless attacks. Fileless malware solutions must be capable of analyzing all network traffic (including email).
- As malware actors sell their successful attack tools on the black market, techniques to hide malicious activity are becoming more ubiquitous. Also, the practice of sandbox evasion has become common, as attackers discover methods to avoid standard evaluation via execution. Solutions must include methods that look at all the execution paths and options of code in order to find the malicious code hidden among the benign.
- Real Time. Some solutions find attacks after the point of compromise. Those solutions are focused on limiting, not eliminating, the damage and expense caused by a compromise. The issue with solutions focused on this strategy is that they start from the assumption of failure and try to limit the hemorrhage of money and reputation. Solutions should combine detection of fileless threats before the point of compromise with detection of compromised systems to truly limit the impact to the organization.
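As an added example (not part of the original article), the following Python sketch shows the "detect the obfuscation, peel it, then judge intent" step from the obfuscation challenge and the second requirement above, applied to PowerShell command lines: it decodes the -EncodedCommand layer (base64 of UTF-16LE script text), unpacks one level of embedded base64 string literals, and flags markers such as the -bxor operator. The sample command lines, the marker list and the harmless script contents are constructed for illustration and are not a complete rule set.

```python
import base64
import re

# Illustrative indicators of script obfuscation; a sensor would carry many more.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
OBF_MARKERS = {
    "xor_operator": re.compile(r"-bxor\b", re.I),      # XOR decoding of string/bytes
    "char_cast": re.compile(r"\[char\]", re.I),        # building strings from char codes
    "string_invoke": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "inner_base64": INNER_B64,                          # nested base64 string literal
}

def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument: base64 of the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> dict:
    """Peel encoding layers, then look for obfuscation markers across every layer."""
    layers = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        layers.append(decoded)
    for inner in INNER_B64.findall(layers[-1]):  # one level of embedded base64 strings
        try:
            layers.append(base64.b64decode(inner, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass
    markers = sorted(n for n, rx in OBF_MARKERS.items() if any(rx.search(l) for l in layers))
    return {"layers": layers, "markers": markers,
            "obfuscated": decoded is not None or bool(markers)}

# Constructed sample command lines (not real telemetry); the scripts are harmless.
INNER = base64.b64encode(b"Write-Output 'hello'").decode("ascii")
SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    "powershell.exe -w hidden -enc " + encode_powershell(
        f"$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{INNER}')); Invoke-Expression $p"),
    'powershell.exe -c "$k=0x2A; -join (foreach($b in 0x7D,0x5F){[char]($b -bxor $k)})"',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyze(line)
        print(r["obfuscated"], r["markers"], "->", r["layers"][-1][:60])
```

Only the innermost layer is worth handing to intent analysis; the outer layers are the obfuscation the article says must be removed first.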
Contact Musato Technologies to learn more about our ICT services that drive your business performance and productivity. An article published by Blue Vector