Is your organization prepared for the threat of fileless malware?
Fileless malware attacks are on the rise, becoming part of the evolving tactics of cybercriminals to evade detection. These threats proliferate through the widespread use of legitimate system tools like Windows Management Infrastructure and PowerShell.
Fileless malware attacks have a high success rate because they are more stealthy and difficult to detect due to their lack of physical presence on the disk.
Read on for details about fileless malware, including how it differs from traditional malware, and how to defend against it.
What is Fileless Malware?
As indicated by its name, fileless malware does not use executable files, as seen in conventional malware attacks. Fileless malware works inside your computer’s memory instead of from the hard drive, making it harder for antivirus scanners to detect.
Cybersecurity professionals often refer to a fileless virus approach as using a living off the land attack, because it uses a system’s legitimate tools to attack the computer, including downloading additional payloads, executing remote scripts, or exfiltrating data using PowerShell commands.
Fileless Malware Examples
Remcos
Remcos is a Remote Access Trojan (or RAT) that weaponizes Excel documents. Criminals launched a phishing email campaign with an encrypted Excel file that fooled users into thinking it was protected to make them click it. The fileless malware then downloaded a malicious HTA file, which runs PowerShell commands that download a malware payload that can run undetected.
Unfading Sea Haze
Chinese hackers working as “Unfading Sea Haze” deployed fileless malware by sending emails with malicious ZIP archives that had LNK files that appeared to be legitimate documents. It allowed hackers to gain remote control over computers, resetting the local administrator’s password to give criminals a secret admin account.
PyLoose
Meanwhile, cybercriminals are also using a Python-based attack that aims at cloud computing systems. Dubbed the PyLoose attack, it uses memfd, a Linux fileless technique to load an XMRig Miner into the victim’s computer, using memory instead of the hard drive.
Types of Fileless Malware
PowerShell-Based Attacks
PowerShell-based attacks use the legitimate PowerShell scripting language to let malware access the core of your computer, particularly Windows APIs.
Registry-Based Attacks
Hackers inject malicious code into the registry, then execute malware from the registry into a currently running application as the system or the application itself reads the registry.
Memory-Based Attacks
In memory-based attacks, fileless malware runs code directly from your computer’s memory, unlike traditional malware that runs off of your hard drive. This makes it hard to detect, especially by conventional malware scanners.
How Does Fileless Malware Differ from Traditional Malware?
File-based malware resides on your hard drive. It may land in your system after you click a link in an email, or by visiting a malicious website that downloads malware to your computer.
In contrast, a stealthy fileless malware’s attack vector takes place in memory without creating or modifying files on the disk, or by using legitimate system tools like PowerShell.
How Can You Protect Against Fileless Malware?
Organizations use nontraditional approaches toward detecting fileless malware.
First, audit your systems to ensure you’re using the latest software tools to preserve a secure network. Don’t depend on file scanners, which are a legacy approach to searching for conventional malware on hard drives.
Endpoint Detection and Response (EDR)
Companies can employ endpoint detection and response. This approach can identify strange behavior at the endpoint that a standard antivirus tool will miss.
Behavior-Based Detection
With machine learning to help detect anomalous behavior, you can see patterns that indicate fileless malware is lurking in your memory and running scripts that could cause harm.
Application Whitelisting
Application whitelisting only allows trusted applications to run, avoiding any fileless malware running scripts and applications. Use it to restrict the execution of scripts and limit which scripts can be run.
Patch Management
Keep your system updated with the latest patches to defend against novel threats, and follow best practices to harden system configurations, such as disabling unnecessary services, using least privilege for service accounts, and minimizing the use of administrative privileges.
User Education and Training
During the onboarding process, instruct new employees not to open files sent to them by unknown persons, or to click links from outside sources they do not know and trust.
Incorporate regular training and phishing simulations to bolster the effectiveness of your Security Awareness Program.
Protect Your Organization’s Cybersecurity Posture Against Fileless Malware
Unfortunately for victims, fileless malware takes advantage of legitimate system tools, making it harder to detect — especially if you rely on antiquated antivirus applications.
To protect your organization, it's crucial to adopt a proactive security strategy that includes advanced endpoint protection, continuous monitoring, and user education.
Working with a managed security services provider like Tec-Refresh to deploy a multi-layered defense approach ensures that you can better safeguard your systems against invisible threats and stay one step ahead of cybercriminals.
To learn more about our approach to combating fileless malware or to consult with us about cybersecurity services, contact us today.