At the turn of the decade, security measures keep improving by the day: the rate at which both malware and cyber-attacks are detected and blocked has gone up. In response to these defenses, cybercriminals have continued to develop new methods of evading detection. Unfortunately for many organizations and end-users, these new techniques include fileless attacks, which are hard to track.
So what is a Fileless Attack?
A Fileless attack differs from a traditional malware attack in that it does not need to install malicious software on the victim’s system; instead, it takes advantage of existing vulnerabilities on the machine. The attack lives in the system’s RAM and uses common system tools to infect trusted processes such as javaw.exe or iexplore.exe, injecting malicious code into them to carry out the attack.
Since fileless malware does not require downloading a file from any source, it is difficult to prevent, detect and remove. However, rebooting the system can halt the malware’s progress, because RAM only keeps its data while the system is powered on and in use; once the system is turned off, the infection is no longer live and active. That said, threat actors can still use the same vulnerability to exploit the system again and steal data or install any other form of malware.
Fileless malware is also known as non-malware, zero-footprint, or a macro attack.
What characteristics does a Fileless malware exhibit?
- Fileless malware has no identifiable signature or code that would allow a traditional antivirus to detect it, and no particular behavior that can be tracked; consequently, heuristic scanners are unable to detect it.
- Since it exploits what is resident in the system’s RAM, it is also called memory-based malware.
- To carry out an attack, it uses processes native to the operating system in use.
- It can be paired with other kinds of malware.
- The malware takes advantage of approved applications that are already installed on the system, allowing it to circumvent application whitelisting, a control that permits only approved applications to be installed and used on a given system.
How does the Fileless Malware work?
Various techniques can be used to execute a Fileless attack. For example, clicking on an advert or banner may lead a user to a legitimate-looking Flash website that is riddled with vulnerabilities. Flash then invokes the Windows PowerShell tool to execute commands from the command line while everything stays running in memory. The malicious code is downloaded from a botnet or a compromised server and executed by PowerShell.
Who are the most common prey of a Fileless attack?
Most victims of Fileless attacks have been reported to come from the financial sector. So far, fileless malware has reportedly breached over 140 banks and financial institutions across more than 40 countries.
According to the Ponemon Institute, this malware deployment technique is on the rise, with a success rate of over 70%. Due to its complexity and high success rate, some criminals are also offering Fileless malware as a service.
Signs and Symptoms of a Fileless Attack –
While no new files are installed and there are no specific signs, there are some warning signs to watch out for. One of them is unusual network patterns and traces that connect the computer to unknown botnets or servers. A compromised system memory, along with other artifacts from the execution of the malicious code, is another symptom to look out for.
Protection against the Fileless Attack –
To limit exposure in case a system is infected, or to avoid getting infected altogether, the precautions below should be followed.
- Keeping installed software patched and up to date.
- Adopting the best practices for securing and using PowerShell.
- Disabling services and programs that are no longer in use.
- Uninstalling applications that are no longer of use.
- Having a potent endpoint security solution and securing each device to protect the network, including remote and mobile devices.
- Restricting admin privileges and granting other users only the privileges necessary to do their jobs.
- Constantly monitoring network activity and security logs.
- Educating end users on connecting to the internet securely and providing them with security training.
- Changing passwords once the infection is detected and the system has been disinfected.
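One concrete way to act on the "securing PowerShell" and "monitoring security logs" items above, as an added example that is not part of the original post: it turns on the PowerShell script block, module and transcription logging policies, then sweeps the PowerShell Operational log (event 4104) for script blocks that combine several "fetch from a server and run in memory" traits, the behaviour described in the Flash/PowerShell scenario earlier. The transcript directory, the regex list and the two-hit threshold are this example's own assumptions.

```powershell
# Added example, not code from the eScan post. Assumes an elevated PowerShell
# session on Windows 10 / Server 2016 or later; the registry paths are the standard
# PowerShell logging policy keys, the transcript directory and regexes are assumptions.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging records the de-obfuscated text of every script block
    # that runs, which is the trace an in-memory, file-free payload leaves behind.
    $sbl = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Module logging captures pipeline execution details for every module ('*').
    $ml = Join-Path $policyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Force | Out-Null
    # Transcription writes a full text transcript of each session to disk.
    $tr = Join-Path $policyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value 'C:\PSTranscripts'   # assumed path
}

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Traits of "download from a server and run in memory" script blocks; tune per estate.
    $patterns = @(
        'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient',
        'Invoke-Expression|\bIEX\b',
        '-EncodedCommand|-enc\b|FromBase64String',
        'Reflection\.Assembly|VirtualAlloc|\bAdd-Type\b',
        '-NoProfile|-WindowStyle\s+Hidden|-ExecutionPolicy\s+Bypass'
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value      # ScriptBlockText field of event 4104
        $hits = @($patterns | Where-Object { $text -match $_ })
        if ($hits.Count -ge 2) {                    # two or more traits together is the signal
            [pscustomobject]@{ Time = $_.TimeCreated; Hits = $hits.Count
                               Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) }
        }
    }
}

Enable-PowerShellLogging
Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Matches are a starting point for triage, not a verdict: legitimate admin tooling also downloads and runs code, so review the full 4104 text and the originating process before acting.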
A Fileless attack places far more value on stealth than on persistence, and gains flexibility from its ability to pair with other malware. These memory-based attacks have been more successful than any file-based malware. Organizations should create a strategy, including endpoint security solutions and employee training, to battle such threats.
To read more, please check eScan Blog