Fending Off the Growing Challenge of Fileless Malware
 

The growing complexity of malware represents enormous challenges for organizations. One of the most vexing problems is malware that resides in memory only — so-called fileless malware. This type relies on a variety of techniques to avoid detection, including hiding in legitimate binary code, shell code, or scripts.

Also commonly referred to as “living off the land” (LotL), the attack method targets host systems with executables that download, install, and execute malicious code. According to Ponemon Institute, fileless attacks represented about 20% of all attacks in 2016 but now account for about 50% of malware attacks.[1] A separate study reported that fileless malware attacks surged by 888% over a one-year span ending in 2020.[2]

Fileless malware gains privileges by appearing legitimate. It uses a system’s built-in tools to execute a cyberattack. Because it resides in memory and operates like legitimate code — using Windows PowerShell and Windows Management Instrumentation (WMI) — typical malware detection tools miss it. Once fileless malware gains a greater foothold in a system, it can move laterally through a network.

Eradicating fileless malware is extremely difficult. As a result, it’s critical to remove or shut off software components that aren’t being used, since these are prime targets for LoTL exploits. 

There’s also a need for a strong detection and prevention framework, including tools such as Mimecast Email Security & Resilience, to block malicious code from entering and limit its lateral spread. The longer this type of malware remains active in a network, the greater the risk — and the greater the difficulty eradicating it.

How LoTL Works and Why Vigilance Is Critical

Fileless malware relies on legitimate software components to launch an attack. In fact, it may disguise itself as actual signature-based antivirus and intrusion detection tools. Typical targets include:

• PowerShell, which is used for Windows and .NET management for administrative tasks.
• PsExec, a telnet-replacement used for remote system management.
• BITSAdmin, which helps coordinate file transfers, including uploads and downloads.
• Regsvr32.exe, which manages objects and embedded controls, including dynamic link libraries (DLLs).
• Wmic.exe, a native Windows utility that automates tasks and manages remote management systems.

The default settings for the Windows operating system typically introduce vulnerabilities. In many cases, these components deliver administrative capabilities and features that organizations or groups don’t need or require.

Attackers use various techniques to launch an assault, including phishing methods, DLL hijacking, drive-by downloads, process dumping, bypassing UAC keylogging, code compiling, log evasion, and code execution. 

Once inside a system or network, invaders rely on various and continually evolving means of attack. In recent times, these have included fileless Trojans like Astaroth,[3] scripting malware,[4] and different methods to create backdoors.[5] Attackers have also been known to use malware variants like DarkWatchman, Panda Stealer, BitRAT, and AveMariaRAT.

Typically, an LotL attack has four distinct stages:

• The attackers enter a system through a script, shell, or binary.
• They alter credentials to gain broader and deeper access.
• They introduce backdoors to the environment so that they can return without repeating earlier steps.
• Finally, they exfiltrate data or plant more conventional malware payloads such as ransomware. 

An LotL attack can unfold over weeks or even months — as attackers manipulate files, encrypt documents from trusted processes, and engage in other detrimental activities.

The Risks Are Significant and Growing

While early versions of LoTL introduced payloads that were more a nuisance than any real threat, fileless malware now represents a grave risk. Using LotL, attackers can gain access to numerous processes and alter software code, using common scripting languages such as Python, Perl, and C++. Attacks such as a major credit agency breach in 2017[6] and a headline-making U.S. political party exploit in 2016[7] involved LotL attack methods.

Further complicating things, exploit toolkits that automate processes and generate new types of malware have emerged over the last few years. Attackers also use legitimate security tools such as PowerSploit[8] and Metasploit,[9] which can be misused to generate malware and different attack methods. And, in some cases, victims are tricked into downloading legitimate security tools, such as Cobalt Strike and SilentBreak, that aid attackers.[10] In fact, cybercriminals often rely on a combination of methods to unleash an LotL attack. This may include exploit kits, hijacked legitimate tools, and malware that can be planted in memory or a registry. 

Steps to Reduce the Risks of Fileless Malware

Because conventional antivirus and endpoint security tools aren’t equipped to spot LotL attacks, organizations must develop a more advanced security framework. The best approach revolves around zero trust policies and robust multi-layered defense structures. There are three primary components:

• Analyze your current security framework. A first step is to ensure that your organization has undergone a thorough review of administrative rights and privileges — and adjusted settings for least privileged access. In addition, any unneeded or unnecessary components should be switched off or removed — and core systems should be patched to ensure that they reflect the latest security updates.
• Put the right security tools to work. It’s also vital to use strong authentication and identity management, including multi-factor authentication (MFA). Point security tools reduce specific risks such as email-borne malware. Also, consider using machine learning (ML), artificial intelligence (AI), and emerging behavioral monitoring to spot anomalous activity, including changes to the network. There are also emerging memory scanning tools to keep an eye on.[11]
• Educate and train staff. Cybersecurity awareness training is also important. Employees must understand how to spot suspicious emails and understand the risks associated with clicking on bad links.

While there’s no single way to thwart fileless malware and LotL attacks, a holistic security framework can minimize the risks.

The Bottom Line

“Living off the land” attacks represent a serious threat to businesses, educational institutions, government agencies, and others. The stealthy nature of these attacks makes them difficult to spot and stop. However, a focused security strategy with the right tools and training greatly dials down the risks. Ensure that your organization is doing everything possible to establish a zero trust policy and multi-layered cybersecurity framework. Read how Mimecast’s Email Security & Resilience can help meet this challenge.

[1] “Only in Memory: Fileless Malware – An Elusive TTP,” Center for Internet Security

[2] “Fileless Malware Attacks Surge by 900%,” WatchGuard

[3] “Astaroth,” Mitre

[4] “Powruner,” Mitre

[5] “Poshspy,” Mitre

[6] “How the Equifax hack happened, and what still needs to be done,” CNET

[7] “Mueller report sheds new light on how the Russians hacked the DNC and the Clinton campaign,” TechCrunch

[8] “PowerShellMafia/PowerSploit,” github

[9] “Metasploit,” Rapid7

[10] “China-backed APT41 Hackers Targeted 13 Organizations Worldwide Last Year,” The Hacker News

[11] “AI for Security,” Techwire Asia