What Is Fileless Malware?
Fileless malware is a sophisticated type of malicious activity that utilizes native, legitimate tools already present in a system to carry out a cyber attack. Unlike traditional malware, fileless malware does not require the installation of any code on a target’s system, making it difficult to detect and mitigate.
This technique of using native tools to conduct a malicious attack is often referred to as “living off the land” or LOLbins. By leveraging existing tools, fileless malware can evade traditional antivirus and security solutions that primarily focus on detecting and blocking known malicious files.
Fileless malware operates by taking advantage of vulnerabilities in a system’s software or exploiting weaknesses in user behavior, such as clicking on phishing emails or visiting compromised websites. Once inside the system, the malware uses native tools to execute its malicious activities, such as stealing sensitive information, launching further attacks, or encrypting files for ransom.
How Fileless Malware Works
Fileless malware is a type of malicious software that operates without leaving traces on the victim’s computer’s hard drive. Instead, it resides solely in the computer’s memory, making it difficult to detect using traditional antivirus and security measures. Here’s a closer look at how fileless malware works:
1. Initial Infection: The most common method of infecting a system with fileless malware is through social engineering techniques. Hackers often send spam emails or create fraudulent websites that trick users into clicking on a malicious link. These links or websites exploit vulnerabilities in software, such as Flash, to gain initial access to the victim’s machine.
2. Exploiting Vulnerabilities: Once the victim clicks on the malicious link or visits the fraudulent website, the malware takes advantage of known vulnerabilities in the software running on the victim’s system. It uses relevant exploits to gain control over the system and execute its malicious payload.
3. Execution in Memory: After gaining control, the fileless malware uses shellcode, a small piece of code, to execute a command that allows it to download and execute its payload solely in the computer’s memory. By operating in memory, the malware avoids writing any files to the hard drive, making it difficult to detect and analyze.
4. No Trace of Activity: Since fileless malware operates solely in memory, it leaves no trace on the victim’s computer’s hard drive. This characteristic makes it challenging to detect using traditional signature-based antivirus solutions that rely on scanning files for known patterns or signatures. Fileless malware can execute its malicious actions without raising suspicion or triggering alerts.
5. Goals and Actions: The specific goals and actions of fileless malware can vary depending on the attacker’s objectives. It may aim to compromise sensitive data, cause damage to the victim’s computer, or perform other harmful activities like data theft or encryption. Fileless malware can be combined with other types of malware to facilitate complex cyberattacks, making it even more challenging to detect and mitigate.
6. Evading Traditional Security Measures: Fileless malware poses a significant challenge to traditional security measures. It can bypass heuristics-based scanners that rely on identifying patterns or behaviors in files by operating solely in memory. Additionally, it can circumvent whitelisting, which allows only approved applications to run, and sandboxing, which isolates potentially malicious files for analysis. These evasion techniques make fileless malware a potent tool for cybercriminals.
Common Fileless Malware Techniques
Attackers employ various techniques to execute fileless malware attacks, each with its own unique approach and characteristics. Some of the common techniques used in fileless malware attacks include:
1. Exploit kits: Exploit kits are collections of exploits that adversaries use to exploit known vulnerabilities in operating systems or installed applications. These kits automate the process of compromising systems at scale by injecting exploits directly into system memory, bypassing the need for files to be written to disk.
2. Hijacked native tools: Fileless malware can abuse legitimate native tools present in an operating system, such as PowerShell or Windows Management Instrumentation (WMI). By manipulating these tools, attackers can execute malicious commands or scripts without triggering traditional antivirus detection.
3. Registry resident malware: This technique involves malware installing itself in the Windows registry to maintain persistence and avoid detection. Instead of downloading a malicious file, the malware writes its code directly into the registry. The malicious code can be programmed to launch every time the operating system starts, making it difficult to detect as there is no malicious file to be discovered.
4. Memory-only malware: Memory-only malware resides solely in the system’s memory, making it challenging to detect using traditional file-based scanning techniques. This type of malware operates without leaving any traces on the system’s disk, allowing it to remain undetected for extended periods. Memory-only malware can perform various malicious activities, including reconnaissance, lateral movement, and data exfiltration.
5. Fileless ransomware: Ransomware attackers have started utilizing fileless techniques to encrypt victim’s files without writing any files to disk. They embed malicious code in documents using native scripting languages like macros or directly write the malicious code into memory using an exploit. By hijacking native tools like PowerShell, they can encrypt hostage files without leaving any traces on the system’s disk.
6. Stolen credentials: Attackers may initiate fileless attacks by using stolen credentials to gain unauthorized access to a target system. Once inside, they can utilize native tools like Windows Management Instrumentation (WMI) or PowerShell to carry out their malicious activities. They may establish persistence by hiding code in the registry or kernel, or by creating user accounts that grant them access to various systems.
Stages Of A Fileless Attack
Fileless attacks follow a series of stages that allow attackers to gain access, steal credentials, maintain persistence, and exfiltrate data from a compromised system. Here is a breakdown of each stage:
1. Gain Access: In this stage, the attacker remotely exploits a vulnerability in the target system, often using web scripting techniques like China Chopper. By exploiting a vulnerability, the attacker gains initial access to the victim’s system, establishing a foothold for further malicious activities.
2. Steal Credentials: Once inside the system, the attacker’s next objective is to obtain credentials that grant them broader access within the compromised environment. They may use techniques like Mimikatz to remotely exploit vulnerabilities and extract credentials from the system. With stolen credentials, the attacker can easily move laterally to other systems within the environment.
3. Maintain Persistence: To ensure long-term access to the compromised system, the attacker modifies the system’s registry to create a backdoor. Techniques like the Sticky Keys Bypass can be employed to modify registry settings and establish persistence. This backdoor allows the attacker to return to the compromised environment at will, without needing to repeat the initial steps of the attack.
4. Exfiltrate Data: In the final stage, the attacker focuses on gathering and exfiltrating the desired data from the compromised system. They may use the system’s file system and built-in compression utilities, such as Compact, to gather and compress the data. Once the data is prepared for exfiltration, the attacker uploads it to an external server using FTP or other means. By removing the data from the victim’s environment, the attacker covers their tracks and ensures they have the stolen information securely in their possession.
How To Detect Fileless Malware
Traditional security measures like legacy antivirus (AV), whitelisting, sandboxing, and even machine learning methods are often ineffective against fileless attacks. However, organizations can adopt an integrated approach that combines multiple methods to detect and mitigate fileless malware.
1. Rely on Indicators of Attack (IOAs): Instead of solely relying on Indicators of Compromise (IOCs), which focus on known malicious files or patterns, organizations should shift their focus to Indicators of Attack (IOAs). IOAs look for signs that an attack may be in progress, regardless of whether it is file-based or fileless.
IOAs focus on actions and behaviors rather than the specific techniques used. They look for code execution, lateral movements, and actions that may be intended to hide the attacker’s true intent. By analyzing the context, sequences, and dependencies of these actions, IOAs can reveal the true intentions and goals of the attacker.
Fileless attacks often exploit legitimate scripting languages like PowerShell, making them difficult to detect using traditional methods. However, by focusing on the actions and behaviors of the attacker, IOAs can identify sequences of events that even fileless malware must execute to achieve its objectives.
2. Employ Managed Threat Hunting: Threat hunting for fileless malware can be a time-consuming and resource-intensive task. It involves gathering and normalizing vast amounts of data to identify subtle activities that may indicate an intrusion. To effectively detect and respond to fileless attacks, many organizations opt to outsource their threat hunting to expert providers.
Managed threat hunting services specialize in proactively searching for intrusions, monitoring the environment, and recognizing subtle activities that may go unnoticed by standard security technologies. These services leverage advanced analytics, machine learning, and human expertise to identify and respond to fileless attacks in real-time. By relying on experienced professionals, organizations can enhance their detection capabilities and stay ahead of emerging fileless threats.
3. Implement Behavior-Based Detection: Behavior-based detection solutions analyze the behavior of processes and applications running on a system to identify suspicious activities. Unlike traditional signature-based detection, which relies on known patterns or files, behavior-based detection focuses on the actions and behaviors of the software.
Fileless malware often exhibits anomalous behavior, such as spawning multiple instances of legitimate tools, executing commands without a legitimate reason, or accessing sensitive areas of the system. By monitoring and analyzing these behaviors, organizations can detect and block fileless attacks in real-time.
4. Regularly Update and Patch Systems: Keeping systems and software up to date with the latest security patches is crucial in preventing fileless attacks. Many fileless attacks exploit known vulnerabilities in operating systems or applications. By regularly updating and patching systems, organizations can mitigate the risk of these vulnerabilities being exploited.
Additionally, organizations should implement strong access controls, regularly review and rotate user credentials, and educate employees about the risks of fileless attacks. User awareness training can help reduce the likelihood of falling victim to social engineering techniques used in fileless attacks, such as phishing emails or malicious websites.
Preventing Fileless Attacks With CrowdStrike
To effectively prevent fileless attacks in your organization, CrowdStrike offers a comprehensive and integrated approach through its Falcon platform. CrowdStrike combines multiple methods to deliver unrivaled endpoint protection against stealthy fileless attacks. Here’s how CrowdStrike can help:
1. Application Inventory: CrowdStrike’s application inventory feature helps discover all the applications running in your environment. By identifying these applications, vulnerabilities can be detected, allowing you to patch or update them promptly. By ensuring that your applications are up to date, you reduce the risk of them becoming targets for exploit kits used in fileless attacks.
2. Exploit Blocking: CrowdStrike’s exploit blocking capability stops the execution of fileless attacks that leverage exploits targeting unpatched vulnerabilities. By actively blocking these exploits, CrowdStrike prevents attackers from gaining a foothold in your environment through fileless techniques.
3. Indicators of Attack (IOAs): CrowdStrike’s IOAs play a crucial role in detecting and blocking fileless attacks during their early stages. IOAs focus on identifying and blocking malicious activities based on their behaviors and intent, rather than relying on known indicators of compromise. This proactive approach allows CrowdStrike to detect and prevent fileless attacks before they can fully execute and cause damage. Furthermore, IOAs also protect against new categories of ransomware that do not rely on traditional file-based encryption techniques.
4. Script Control: CrowdStrike’s Script Control feature provides expanded visibility and protection against fileless script-based attacks. By monitoring and controlling the execution of scripts, including those using legitimate scripting languages like PowerShell, CrowdStrike can detect and block malicious activities associated with fileless attacks.
5. Advanced Memory Scanning: CrowdStrike’s advanced memory scanning capabilities protect against fileless and malware-free attacks, such as advanced persistent threats (APTs), ransomware, and dual-use tools like Cobalt Strike, which operate solely in memory. By scanning and analyzing the memory for malicious behaviors and indicators, CrowdStrike can detect and prevent fileless attacks that evade traditional file-based detection methods.
6. Managed Hunting: CrowdStrike’s managed hunting service provides proactive and continuous monitoring of your environment, searching for malicious activities generated as a result of fileless techniques. Expert threat hunters leverage advanced analytics and machine learning to identify and respond to fileless attacks in real-time. By relying on CrowdStrike’s expertise, organizations can enhance their detection capabilities and stay ahead of evolving fileless threats.