What is Fileless Malware?
Fileless malware has been around since 2001, it is a type of malicious code that uses legitimate programs to enter and infect a computer. Since fileless malware doesn’t rely on files, it leaves little to no trace—making it difficult to detect and remove the malware from a device.
As hackers and threats are increasing, so are their tactics. As Harold Rivas, Chief Information Security at Trellix stated, “Modern threat actors rely heavily on fileless malware like LoLBins (‘Living off the Land’ Binaries and Scripts) to explore, communicate, move across, exfiltrate, and impact networks.” Fileless malware poses challenges to traditional cybersecurity defenses as it’s hard for traditional endpoint protection to detect it given that, “it’s often undetectable by antivirus and whitelisting,” Rivas added.
Anatomy of Fileless Attacks
Fileless attacks often use social engineering tactics such as a phishing email, that directs users to click on a malicious file or link to initiates the attack. Rivas explains, “Without being stored in a file or installed directly on a machine, the infections go straight into memory.” Malware going into a device’s memory and not hard drive makes it harder to find and respond to—leaving a window for the malware to take over legitimate programs such as PowerShell and Java.
Fileless malware falls into the category of Low-Observable Characteristics (LOC) attacks--it evades detection. The goal is to be “invisible”, making it increasingly challenging for traditional cybersecurity defenses to detect this type of malware in a timely manner as it gives the fileless malware more time to gain access to valuable data across an enterprise and to attack and cause serious damages.
Defense Strategies Against Fileless Attacks
There are many defense strategies to counter fileless malware. A few strategies organizations can implement to control, monitor, detect, and respond to fileless malware attacks while minimizing risk are outlined below:
Zero-Trust: This strategy ensures users only have access to what they need. This approach is critical as it makes sure that no device or user is automatically trusted, Rivas explained that this approach, “Can significantly bolster an organization’s posture and establish operational resilience.”
Modern Endpoint Security Controls: This strategy protects all endpoints in a network by monitoring, detecting, and responding to malicious actors trying to get in.
Mapping to the MITRE ATT&CK Matrix: This strategy helps understand the tools cybercriminals use. Rivas said, “By cross-referencing what is known to be deployed and expected usage with threat actor activity, organizations can create a baseline to detect unusual or malicious behavior,” allowing organizations to have a proactive defense strategy to mitigate risks.
Software Patching and Updates: This is an important defense strategy to counter fileless malware attacks. Derek Manky, Chief Security Strategist and Global VP Threat Intelligence at Fortinet explained “It will be more difficult for an attacker to launch a fileless malware attack since they have no entry point,” organizations should regularly patch and make updates to their security to limit the number of potential entry points for hackers to get into.
Specific Types of Fileless Threats and Protection Measures
In addition to defense strategies, it’s also important to understand the various techniques a hacker might use to initiate a fileless malware attack.
Reflective Self-Injection: Is a reflective loading fileless threat that loads a portable executable (PE) directly from a user's systems memory. Again, since it goes in the memory and not the hard drive, it leaves no footprint for an IT team to detect.
Reflective EXE or DLL Self-Injection: This is similar to reflective self-injection, but instead uses an Executable (EXE) or Dynamic Link Library (DLL) file. Manky explains, “Usually reflective injection EXE or DLL, would be done through JavaScript, PowerShell, WMI, or through arbitrary remote code execution,” attackers use this technique to avoid touching a disk to remain “invisible.”
Malicious Code Execution using DotNetToJScript: This technique allows hackers to load and execute malicious .NET assembly straight from memory. Like any fileless attack, it does not execute any codes in the computer’s hard drive to avoid detection.
Organizations can protect against these threat techniques by using advanced threat detection tools. Using Endpoint Detection and Response (EDR) can help detect and mitigate fileless attacks. Also, scanning PE, DLL, and EXE files and macro scripts regularly can detect malicious actors in real time. Finally, organizations should restrict and monitor the use of interactive PowerShell within the organization and apply signature-based defenses to identify and neutralize known threats.
Proactive Threat Hunting and Incident Response
Fileless malware attacks use legitimate processes so it’s important for an organization to use proactive threat hunting in identifying and mitigating these attacks before they cause significant damage.
Since fileless attacks utilize LoL (Living off land) techniques, threat hunting will help identify stealthy activities and indicators—Manky goes on to say, “Finding these indicators can often lead to identification of a fileless attack, and therefore triggering incident response and triage to reduce the mean time to respond.” A proactive threat hunting approach allows organizations to regularly monitor the environment for suspicious activities, respond to incidents in real-time, and prevent malicious actors from further damaging an enterprises network.
Collaborative Approach to Cybersecurity
Collaboration among security teams, IT administrators, and end users is imperative to defend against fileless malware. Collaborating throughout an enterprise can bring a diverse community together to brainstorm innovative solutions to defend against fileless malware attacks.
Sharing threat intelligence is a collaborative process that allows an organization to exchange information about potential and existing threats that could impact them and cause harm. By sharing this information, an organization positions itself to have a proactive approach to detect and counter fileless malware.
Conducting security awareness training for all employees fosters a culture of security awareness within an organization. It’s important to train employees about security awareness because human vulnerability is a main attack vector. Employees who are trained will be more equipped to recognize potential security threats, raise the level of information security for their organization, and prevent malicious actors from gaining footholds in a system. Collaboration and conducting security awareness training on an on-going basis is critical for an organization to mitigate risks that arises from fileless malware attacks.
Continuous Learning and Adaptation
In the evolving landscape of fileless threats, continuous learning and adaptation is important. Cybersecurity professionals should stay updated on the latest attack techniques cybercriminals use to detect fileless malware in real-time to prevent further damage or risk to an organization’s network.
Below are a couple of tips on how cybersecurity professionals can continue to learn about emerging fileless threats:
Participate in Industry Forums: By reading cybersecurity forums, cybersecurity professionals can learn about the latest news regarding threats, read about lessons learned from attacks, and adopt an effective strategy to defend against fileless threats
Engage in On-going Training and Certification Programs: By attending on-going training, cybersecurity professionals can learn and adopt new tools to strengthen their security measures. Learning from webcasts, podcasts, and certification programs will help to stay updated on the latest attack techniques that are emerging and how to defend against it.
Conclusion
Fileless malware attacks are increasing and becoming harder for traditional cybersecurity defense strategies to detect. Understanding how cybercriminals go under the radar and how fileless malware works is critical for organizations to combat fileless attacks in real time. Now, more than ever, organizations need to implement proactive defense measures to reduce significant harm and risks. Cybersecurity professionals are strongly urged to prioritize cybersecurity awareness through collaboration and on-going training—by doing so, an organization can become more resilient and adopt a holistic approach to threat mitigation as fileless threats increase. To learn more on how to counter fileless malware attacks, we invite you to visit RSAC Marketplace, where you’ll find an array of cybersecurity vendors and service providers who can assist with your threat mitigation needs.