There’s a new threat in town. A new variant of malware has appeared that has turned our general understanding of these types of threats on its head.
And it’s called Fileless malware.
Over the decades, we have all become familiar with terms like a virus and worm, Trojan, spyware, and more recently, ransomware. Malicious software usually manifests itself as one of these broad classifications of malware. And these types of threats work by installing software on our computers, without our consent.
Fileless malware, on the other hand, can infiltrate your PC without any software being installed or written to the hard drive. This makes it one of the most sinister and disguised threats ever seen, and it’s no wonder security companies are having a hard time with it.
Let’s take a detailed look at this new breed of malware that makes Windows turn on itself.
What is Fileless malware?
The simplest definition of fileless malware is that it is malware that uses tools that are already built into the operating system. This means that an attack will appear like a normally running process, thereby making fileless malware hard to spot, as it will leave no traces on your hard drive.
On the Windows side of things, this type of malware tends to target tools like Microsoft PowerShell and Windows Management Instrumentation (WMI). An attack will take over these services, and then load malicious software or execute commands to infect a computer — all the while not involving any malware files, or even coming in contact with the hard drive of the host PC.
Instead, fileless malware is loaded directly into the RAM of your machine and does its work from memory. It stays there, causing problems, until the computer is rebooted.
Worse yet, as a user you will not have a clue that anything has happened.
Until it’s too late.
One comparison that can be made here is that fileless malware is akin to a hacker getting direct access to a remote machine. It is, in many ways, identical to the manual hacker approach, only instead of a person working interactively on the device, the steps are executed automatically. In most cases, the exact same tools are used by both types of attack.
How does Fileless Malware get on your computer?
Fileless malware usually spreads by phishing emails, malicious downloads and malvertising, the usual routes. It is often delivered as a Word or Excel attachment whose macro, once the user enables it, launches a script that loads the payload straight into the PC’s memory.
In some cases this type of malware is hosted on a website. Unsuspecting users land on a page that probes for vulnerabilities in, for example, the Flash plugin; the exploit then runs inside the memory reserved for the browser, from where it spreads and causes havoc on their devices.
The key factor here is that no malicious program is actually installed on your hard drive, which is what makes fileless malware such a tricky challenge and insidious problem.
Now, there are ways to fight this.
But preventing these types of attacks is an ongoing process, as there is a very thin line when it comes to the differences between regular usage of these tools and malicious uses.
Technically, fileless malware attacks aren’t new. Many of the techniques used by these attacks, including in-memory exploits, have been in use since the early 2000s. The SQL Slammer worm of 2003, for instance, lived entirely in memory and laid waste to thousands of networked computers within minutes.
But they’re at an all-time high now.
That’s because the development and distribution of exploit kits and post-exploitation frameworks have made fileless malware attacks much more common. PowerShell frameworks like Empire and PowerSploit are widely abused by attackers, as they make it easy to quickly create PowerShell attack payloads. As time goes on, the techniques and tools used to carry out these attacks are becoming more advanced.
No wonder, fileless malware is turning out to be quite a headache for the industry.
This report from security company SentinelOne, covering the first six months of 2018, reveals a 94% rise in fileless malware attacks. Furthermore, fileless techniques are now said to feature in 42 out of every 1,000 endpoint attacks.
In fact, ransomware attacks have now started to trend down, while fileless attack scenarios are ticking up rapidly. It’s only a matter of time before this strand of malware grows from something that primarily affects enterprise networks into a disease that impacts us all.
One of the most lethal such attacks in recent memory was one where a hacker stole some $800,000 in cash from ATMs in Russia in a single night, using what was called disappearing malware — as there was no sign of any malware files on the machines or bank networks.
The theft baffled those monitoring the CCTV footage, as the hacker was able to withdraw money without even touching the ATM.
Fileless malware has become so sophisticated these days, that some strains now place a script in the Registry that reinstates the malicious code even after an infected computer is powered down and restarted. Some malware authors have also started to develop techniques that utilize data encryption and ransomware.
These can be devastating, if successful.
Why doesn’t Antivirus software detect it?
Now, you may be asking what makes detecting fileless malware attacks so challenging? Why can’t security programs, or even Windows itself provide better protection against them? More importantly, what are security experts doing to combat these threats?
Unfortunately, traditional antivirus tools are largely ineffective against fileless malware, because they are simply not set up to deal with this kind of intrusion. Most of these programs are programmed to act when they detect a malicious file.
The notifications you get from your antivirus or security software come when it finds a suspicious file written to the hard drive, which it then compares against the library of known threats that the vendor maintains. Since no such file is ever written, fileless malware can get through that kind of check entirely undetected.
What makes things even worse is that the commands and applications being used for the attack are native to Windows and legitimately used for administrative tasks — particularly by companies, businesses and enterprise users.
In other words, these threats use tools that allow access to the very heart of a computer.
Can Fileless Malware spread easily?
Yes. Attackers can easily spread the threat to other PCs on a network by getting those computers to run malicious code, for example through WMI or PowerShell remoting. Since the code is not saved to the hard drive, it becomes a race against time to identify the problem and sort out the damage.
As things stand, Windows PCs are the ones mainly at risk.
But that is largely because most computers run this operating system, so it is only logical that hackers pay more attention to it. Macs and Linux machines have built-in scripting tools of their own and can be exploited the same way as soon as cybercriminals find suitable attack points on those platforms.
As mentioned above, fileless malware targets tools like PowerShell and WMI to carry out its malicious work. Residing only in memory, these attacks leave little on disk for an investigator to find, and the dynamic nature of the payloads makes post-infection forensics very difficult.
Early versions of PowerShell did not help either. The way they log makes it hard to figure out when the tool is being used by attackers.
For example, PowerShell 2, whose engine is still installed on most Windows machines, only writes event log entries when its engine starts and stops (Event IDs 400 and 403 in the Windows PowerShell log). These tell you that PowerShell ran, but not what it ran, so they cannot be analyzed to determine whether a malicious payload was executed.
Microsoft added module logging in PowerShell 3, which can be switched on through Group Policy, but it has its own shortcomings: it records every command that the logged modules execute, and analysts and security products struggle with the amount of data it produces.
PowerShell 5, which ships as part of Windows Management Framework 5 and with Windows 10, comes with serious security improvements: script block logging, which records the decoded text of each script block as it runs, transcription of sessions, and an interface (AMSI) that lets antimalware products inspect scripts before they execute. But script block logging is not switched on in full by default, and attackers can evade all of these by downgrading to the 2.0 engine (powershell.exe -Version 2), which has none of them, as long as that old engine is still installed. In other words, it is hard for security solutions to figure out that PowerShell is being used to carry out an attack.
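As an added example, not code from the article: the PowerShell below, for Windows 10 with Windows PowerShell 5.1 run from an elevated prompt, ties the mechanism described earlier (a payload decoded and executed in memory, never written to disk) to the logging gaps described here. It switches on script block logging through the documented policy registry value, runs a harmless encoded payload the way a fileless loader would, then searches the event logs both for it and for starts of the 2.0 engine. The indicator strings and the snippet length are assumptions chosen for illustration, not a vendor’s rule set.

```powershell
# Added example, not from the article: enable PowerShell 5 script block logging,
# run a harmless payload shaped like a fileless one, then hunt the logs for it
# and for the 2.0-engine downgrade trick.
# Assumes Windows 10, Windows PowerShell 5.1, elevated prompt.
#Requires -RunAsAdministrator

# 1. Enable Script Block Logging (Event ID 4104). This is the registry value the
#    Group Policy template "Turn on PowerShell Script Block Logging" sets.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

# 2. Reproduce, harmlessly, the shape of a fileless payload: text that arrives
#    base64-encoded, is decoded in memory and handed to Invoke-Expression.
#    Nothing is written to disk; the only artefact is the log entry hunted for below.
$inner   = 'Write-Output "demo payload ran in memory"'
$b64     = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($inner))
$wrapper = "Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('$b64')))"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($wrapper))  # -EncodedCommand expects UTF-16LE
& powershell.exe -NoProfile -EncodedCommand $encoded
Start-Sleep -Seconds 2   # give the event log a moment to flush

# 3. Hunt the most recent 4104 events for strings that PowerShell attack frameworks
#    commonly produce. Script block logging records the *decoded* text, so the
#    encoding does not hide the payload. Indicators are assumptions; tune them locally.
#    Expect the hunt's own commands to show up as well: they contain the same strings.
$indicators = @(
    'FromBase64String',                                    # payload decoded in memory
    'Invoke-Expression|\bIEX\b',                           # text executed as code
    'DownloadString|DownloadFile|Net\.WebClient',          # download cradle
    'Reflection\.Assembly|VirtualAlloc|WriteProcessMemory' # in-memory loading / injection
)
$pattern = $indicators -join '|'

$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, @{ n = 'FirstLine'; e = {
        # Message layout: "Creating Scriptblock text (1 of 1):", then the script text
        $line = ($_.Message -split '\r?\n')[1]
        if ($line.Length -gt 120) { $line.Substring(0, 120) + '...' } else { $line }
    } }

# 4. The downgrade trick leaves no 4104 event at all, but the classic
#    "Windows PowerShell" log still records an engine start (ID 400) whose
#    body names EngineVersion=2.0 and the host command line that requested it.
$downgrades = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated, @{ n = 'HostApplication'; e = {
        [regex]::Match($_.Message, 'HostApplication=(.*)').Groups[1].Value.Trim()
    } }

"Suspicious script blocks: $(@($hits).Count)"
$hits | Format-Table -AutoSize -Wrap
"PowerShell 2.0 engine starts: $(@($downgrades).Count)"
$downgrades | Format-Table -AutoSize
```

The point of step 2 is that the encoded wrapper still shows up in clear text in the 4104 event, because logging happens after decoding and just before execution. Step 4 is the one check that survives a downgrade: the 2.0 engine cannot be made to write 4104 events, so the only record of it is the engine-start event in the older log, and any EngineVersion=2.0 on a Windows 10 machine deserves a look.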
Combating the Threat
Security experts are looking at the best ways to tackle this problem, but as you can imagine, this is not easy. Microsoft has integrated PowerShell so deeply into its OS that the tool is nearly essential to using many of its products.
PowerShell is an advanced scripting engine that is widely used by administrators to access Windows features. It provides full access to Microsoft COM (Component Object Model) and WMI, and fileless malware can use these features to delete, copy and execute files.
Of course, the first thing that may come to your mind is disabling PowerShell.
But while this is not a problem for home users of Windows, both PowerShell and WMI are crucial for the smooth running of IT departments at many companies. Disabling these power features can have an adverse effect on productivity, severely disrupting the many daily tasks of IT professionals.
Furthermore, PowerShell is not the only attack surface.
Microsoft Word macros can also be leveraged to devastating effect here, and the same holds true for Windows components such as Rundll32 and the VBScript script host (wscript.exe and cscript.exe). Add browsers into the mix, and cyberattackers have many different options to run malicious code straight from memory.
Luckily, security experts are gearing up for what looks to be an ongoing fight. Patching, enabling logging and access control are seen as necessary protection in order to identify the threat at its point of delivery, before it gets onto the system.
One suggestion is to use software to spot high levels of data leaving the network. Though this may be akin to closing the cage after the bird has flown, it is a detection technique against fileless malware. More encouraging is the potential use of artificial intelligence and machine learning to instantly spot certain kinds of activity.
And while we may be far off from stopping this kind of malware dead in its tracks, experts are focused on defining ways to solve these fileless attacks right when they start.
What can I do to stay safe from fileless malware?
Obviously, the first thing you can do is disable as much of PowerShell as you can. On a home PC that means removing the legacy PowerShell 2.0 engine, which Windows 10 still ships and which is also the version attackers downgrade to in order to dodge the newer logging. This is the first step that you should take, as long as you are not using apps or programs that rely on that old engine.
Follow these steps below to disable it.
Open the Control Panel, go to Programs and Features, and click on the Turn Windows features on or off option. There, untick the box next to Windows PowerShell 2.0 (on Windows 10 this is the only PowerShell entry the dialog offers; PowerShell 5 is part of Windows itself and stays).
Now reboot your machine and check that nothing odd happens. Also keep a keen eye out for unusual behavior, and make sure that Windows and other installed programs are regularly updated.
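The same procedure as PowerShell commands, added here as an example rather than taken from the article, with a check at the end that the downgrade path is really closed. On Windows 10 the Windows Features dialog lists only Windows PowerShell 2.0; that engine is what gets removed, while the 5.x engine stays as part of Windows. The block assumes Windows 10 with Windows PowerShell 5.1 and an elevated prompt.

```powershell
# Added example, not from the article: the Windows Features step as commands,
# plus a check that the downgrade path is really closed.
# Assumes Windows 10, Windows PowerShell 5.1, elevated prompt.
#Requires -RunAsAdministrator

# 1. What is installed? The 2.0 engine is an optional feature you can remove;
#    the 5.x engine is part of Windows and is what is running this script.
"Running engine: $($PSVersionTable.PSVersion)"
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
"PowerShell 2.0 engine: $($v2.State)"

# 2. Remove the 2.0 engine (same as unticking "Windows PowerShell 2.0" in the dialog).
if ($v2.State -eq 'Enabled') {
    $result = Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
    if ($result.RestartNeeded) { Write-Warning 'Reboot required to finish removing the 2.0 engine.' }
}

# 3. Verify: a request for the 2.0 engine must now fail rather than start it.
#    On a stock Windows 10 this fails even before removal, because the .NET 3.5
#    runtime the old engine needs is not installed by default; it would succeed on
#    a machine where .NET 3.5 was added, which is why the feature is removed
#    rather than just ignored.
$probe = & powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major' 2>&1
if ($probe -match '^2$') {
    Write-Warning 'The 2.0 engine still starts; reboot and re-run this check.'
} else {
    'Downgrade to the 2.0 engine is not possible on this machine.'
}
```

Step 3 is the check worth keeping around: it is exactly the command an attacker would use to sidestep script block logging and AMSI, so if it prints 2 the removal has not taken effect yet.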
For most ordinary users, this should suffice.
But the key here is to take note of what software you install on your computers, what websites you visit, and what links you click in your email. Since fileless malware is so hard to detect, taking precautions when doing regular everyday stuff on your PCs becomes all that more important.
Fileless malware doesn’t often hit the headlines, mainly because it has only recently become common. To make matters worse, these threats keep evolving, as malware authors take steps not only to evade detection but also to use the registry to persist across reboots.
Removing what you can of PowerShell on Windows may be the first line of defense for the average home user. But disabling PowerShell and WMI outright is out of bounds for most enterprises and IT professionals, as these components are required in corporate setups.
For this reason, we all need to be even more vigilant against these attacks.