How to Defend Against Fileless Malware in 2024


Posted by Greg McDonough

The Rise of Fileless Malware: How to Stay Protected

Security controls are constantly tightening, and cybercriminals continuously adopt novel approaches to bypass them. One such method, which has been on the rise in recent years, is fileless malware. The term encompasses a number of different attacks that typically do not install files or programs on disk and instead take advantage of legitimate tools already present on a system, making them particularly difficult to detect. According to one report from The Ponemon Institute, fileless malware attacks are roughly ten times more likely to succeed than traditional file-based attacks, and Aqua Security’s 2023 Cloud Native Threat Report estimates that fileless attacks increased more than 1400% over the previous year. With fileless malware on the rise, it is important to understand what it is and how to stop it from taking root.

Understanding Fileless Malware

Fileless malware attacks typically begin with a social engineering approach, such as a phishing email, that directs users to click on a malicious file or link that initiates the attack. At this point, the malware embeds itself directly into the memory (RAM) of a device, where it hijacks otherwise legitimate programs such as Flash or PowerShell. This technique is also known as Living off the Land (LoL). Once these programs are hijacked, malicious actors can connect to the system and begin to harvest information. The significant difference between this approach and that of standard malware is that the user does not need to directly download or install any files to disk to initiate the attack. Typical anti-virus programs rely on the presence of signature files or programs on disk to recognize that a virus is present before taking steps to remediate the issue, making them ineffective at mitigating fileless attacks.

Fileless Malware Attacks: A Case Study

One of the first identified reports of fileless malware was the “Code Red” worm in 2001, which infected over 350,000 servers and caused significant financial damage. In the more than 20 years since that initial attack, there have been many high-profile fileless attacks, such as the 2017 Equifax data breach and the hacking of the Democratic National Committee by “Cozy Bear,” which leveraged Microsoft source code in an effort to infiltrate the committee’s secure servers. More recent and persistent fileless attacks can be found in examples such as Pyloose and Prilex. Pyloose attaches itself to Python code and is used to attack cloud workloads in order to install a cryptocurrency miner. This attack is particularly noteworthy in that it may be the first example of a Python-based attack on a cloud workload. Prilex has been around since 2014 and continues to evolve in order to achieve its goals. The attack centers on Automated Teller Machines (ATMs) and Point of Sale (PoS) systems and has recently evolved to prevent users from using contactless NFC payment methods, thus ensuring that victims need to either physically insert or swipe their credit cards. This allows malicious actors to steal credit card details for fraudulent transactions.

Innovations in Fileless Malware Detection

There are several strategies that institutions should incorporate in order to prevent fileless malware from taking hold in a system. As Guy Propper writes for RSAC, “The best defense is to be aware of the different types of fileless attacks and their respective malicious logic, and to build out your arsenal of defenses based on that knowledge.” In order to prevent infection in the first place, it is important to educate workers to recognize potential phishing attempts and to avoid clicking on malicious links or visiting questionable websites. After an infection has taken root, it is vital to look for symptoms of penetration rather than for the malware itself, since there is no file on disk to scan. These indicators can take the form of unusual lateral movement or suspicious volumes of outgoing data.
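The following script, added here as an illustration and not part of the original post or any vendor product, shows what "looking for symptoms rather than the malware" can mean in practice. It scores three behavioural indicators the post mentions: a built-in scripting host such as PowerShell launched directly by a mail or office application, one account logging on to an unusually large number of hosts (lateral movement), and a host whose outbound volume jumps far above its own baseline. All telemetry is constructed inline, and every host, account and process name is hypothetical.

```python
"""Behaviour-based indicators for fileless / living-off-the-land activity.

Added example, not from the post. All events below are constructed and the
host, account and process names are hypothetical.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Parents that should almost never spawn a scripting host directly.
DOCUMENT_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Legitimate built-in interpreters that fileless attacks run in memory instead of dropping a file.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell switches that hide the window, skip profiles or pass an encoded payload.
SUSPICIOUS_SWITCHES = ("-enc", "-w hidden", "-windowstyle hidden", "-nop")

# Constructed process-creation events (hypothetical hosts and command lines).
PROCESS_EVENTS = [
    {"host": "WS-01", "parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQQ=="},
    {"host": "WS-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
    {"host": "WS-03", "parent": "winword.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe //e:jscript stage.txt"},
    {"host": "WS-04", "parent": "cmd.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed network logons as (account, target host) pairs.
LOGON_EVENTS = [
    ("svc-backup", "SRV-01"), ("svc-backup", "SRV-02"),
    ("alice", "WS-05"), ("alice", "WS-06"), ("alice", "WS-07"),
    ("alice", "WS-08"), ("alice", "WS-09"),
]

# Constructed outbound bytes per host, one entry per day, most recent last.
DAILY_EGRESS_BYTES = {
    "WS-01": [12_000_000, 9_500_000, 11_000_000, 10_200_000, 250_000_000],
    "WS-02": [30_000_000, 28_000_000, 31_000_000, 29_000_000, 32_000_000],
}


def suspicious_process_chains(events):
    """Return (host, parent, image, reasons) for events that look like LotL abuse."""
    hits = []
    for ev in events:
        parent, image = ev["parent"].lower(), ev["image"].lower()
        cmd = ev["cmdline"].lower()
        reasons = []
        if image in SCRIPT_HOSTS and parent in DOCUMENT_PARENTS:
            reasons.append(f"{image} spawned by {parent}")
        if image in SCRIPT_HOSTS:
            flags = [s for s in SUSPICIOUS_SWITCHES if s in cmd]
            if flags:
                reasons.append("suspicious switches: " + ", ".join(flags))
        if reasons:
            hits.append((ev["host"], parent, image, reasons))
    return hits


def lateral_movement_candidates(logons, max_hosts=4):
    """Accounts that logged on to more than max_hosts distinct machines."""
    targets = defaultdict(set)
    for account, host in logons:
        targets[account].add(host)
    return sorted((a, len(h)) for a, h in targets.items() if len(h) > max_hosts)


def egress_spikes(daily_bytes, sigmas=3.0, min_bytes=50_000_000):
    """Hosts whose latest day exceeds mean + sigmas * stdev of the prior days.

    min_bytes keeps tiny hosts with a flat history from alerting on noise.
    """
    spikes = []
    for host, series in daily_bytes.items():
        history, today = series[:-1], series[-1]
        threshold = mean(history) + sigmas * pstdev(history)
        if today > threshold and today > min_bytes:
            spikes.append((host, today, round(threshold)))
    return spikes


if __name__ == "__main__":
    for host, parent, image, reasons in suspicious_process_chains(PROCESS_EVENTS):
        print(f"[process] {host}: {parent} -> {image}: {'; '.join(reasons)}")
    for account, n in lateral_movement_candidates(LOGON_EVENTS):
        print(f"[lateral] {account} reached {n} distinct hosts")
    for host, today, thr in egress_spikes(DAILY_EGRESS_BYTES):
        print(f"[egress]  {host}: {today} bytes out today, baseline threshold {thr}")
```

In this constructed data WS-01 is flagged twice (PowerShell spawned by Outlook with hidden-window and encoded-command switches), WS-03 once (wscript spawned by Word), the account alice for fanning out to five hosts, and WS-01 again for egress roughly twenty times its baseline; the routine backup script on WS-02 produces nothing. Real deployments would tune DOCUMENT_PARENTS, max_hosts and min_bytes to the environment, but the point stands: none of these checks needs a file on disk to inspect.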

At RSA Conference 2024, fileless malware will be just one of the many topics of discussion. The most influential leaders in the cybersecurity industry will deliver keynote speeches addressing some of the current challenges in the industry and potential solutions. Many companies offer digital security solutions for detecting fileless malware and comprehensive AI-powered protection from cyberthreats. To find products and solutions to assist with your specific needs, visit RSAC Marketplace.


Contributors
Greg McDonough

Cybersecurity Writer, Freelance
