Cybercrime never stands still. Online crooks are always looking for a new edge to make their attacks more effective and difficult to find. One of their recent innovations has been fileless attacks. These are malicious scripts that hijack legitimate software, without installing themselves on the hard drive at all.
In the early days of computer viruses, stealth wasn’t a priority. Programmers may have waited a while for their malicious software to replicate, but eventually announced themselves clearly when they delivered their payload. They prided themselves on showy animations and displays as they trashed a user’s files.
These days, more sophisticated attackers focused on stealing money, account credentials, or corporate secrets do whatever they can to avoid detection. One increasingly common tactic is the use of fileless malware.
Historically, anti-malware tools detected malicious software by scanning the hard drive, computing a digital fingerprint of every file stored there, and looking for a match against known signatures. This has driven attackers to avoid the hard drive altogether and instead hide their malicious code in memory.
How does this software get into memory in the first place?
One of the most recently discovered fileless attacks, DNSMessenger, is a remote access trojan that arrives as a Word document carrying a malicious macro, which runs a script entirely in memory. It then uses an existing administrative tool, Windows PowerShell, to run further scripts that execute its payload.
Attracted by the difficulty in detecting or attributing fileless attacks, cybercriminals are using them in anger to exfiltrate data from commercial organizations. Recently, security researchers found fileless malware in the networks of 140 banks around the world.
Stopping fileless attacks
This evolving threat vector calls for a rethink of the cybersecurity tools that companies use. Anti-virus software that only scans files on hard drives is no longer enough. Some vendors claim to be adopting memory scanning techniques, or watching for in-memory behavioral patterns. These are new approaches, and customers should always be wary of vendors' claims for their security tools. Use independent testing organizations to validate those features.
Administrative security is an important weapon in the battle against fileless malware attacks. Consider restricting access to administrative tools like PowerShell, AppleScript, and WMI, which attackers can turn into weapons. In general, application controls on endpoints are a good idea. The Australian Signals Directorate highlighted application whitelisting as a key protective measure in its own general security recommendations, to stop unauthorized software from running in memory.
Preventing fileless attacks is also an exercise in scrutiny. Security pros should be searching for signs of compromise not only in files on the hard drive, but in system memory, too. Many companies will need to increase their network visibility to understand what kinds of traffic are passing internally between network segments. If an attacker is using a PowerShell script to exfiltrate data through the network, they are likely to create unusual traffic patterns.
However, none of these approaches is likely to stop fileless malware on its own. It is a particularly devious type of attack, and intruders have become adept at hiding their activities.
DNSMessenger disguises its command and control messages as DNS queries, for example, making them difficult to spot. Fileless malware attacks highlight the need for defense-in-depth.
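As an added illustration, not part of the original article or of any DNSMessenger analysis, the Python script below applies the "unusual traffic patterns" idea to DNS logs: it groups a constructed set of query-log lines by source host and domain, then flags groups with many long, high-entropy leftmost labels and a high share of TXT queries, the shape that command and control carried inside DNS queries tends to have. The log format, the thresholds and the naive "last two labels" domain split are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log lines, "<src_ip> <qtype> <qname>"; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4a6f3b2c9d8e1f0a7b6c5d4e3f2a1b0c9d8e7f6a.tunnel.invalid
10.0.0.7 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e.tunnel.invalid
10.0.0.7 TXT 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.tunnel.invalid
10.0.0.7 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d.tunnel.invalid
10.0.0.5 A cdn.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score near log2(16) = 4 for hex data."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' split (assumption; real use needs a public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_dns_tunnels(log_text, min_queries=3, min_label_len=30, min_entropy=3.0, min_txt_ratio=0.5):
    """Return (src_ip, domain) pairs whose queries look like data smuggled through DNS:
    many queries from one host to one domain, long high-entropy leftmost labels
    (data in the question) and a high share of TXT queries (data in the answer)."""
    groups = defaultdict(list)
    for line in log_text.strip().splitlines():
        src, qtype, qname = line.split()
        groups[(src, registered_domain(qname))].append((qtype, qname.split(".")[0]))
    flagged = []
    for key, queries in groups.items():
        n = len(queries)
        if n < min_queries:
            continue
        mean_len = sum(len(label) for _, label in queries) / n
        mean_ent = sum(shannon_entropy(label) for _, label in queries) / n
        txt_ratio = sum(qtype == "TXT" for qtype, _ in queries) / n
        if mean_len >= min_label_len and mean_ent >= min_entropy and txt_ratio >= min_txt_ratio:
            flagged.append(key)
    return flagged
```

On the sample above, only the host sending long hex-labelled TXT queries to tunnel.invalid is flagged; the ordinary lookups for example.com fall well below the label-length and entropy thresholds.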
Using various categories of security tool, combined with security processes designed to spot attacks, will go a long way towards spotting zero-footprint malware lurking on enterprise systems. In a world where intruders love to stay in the shadows, that’s becoming not just valuable, but crucial.