Defending Against The New Reality Of Fileless Malware Attacks

Forbes, May 4, 2020, with comments from Satya Gupta

Organizations know that antivirus software is outmatched by today’s malware threats. The threats we’re seeing today have surpassed what signatures can see or identify, much less block. Modern malware can continually morph itself (so-called polymorphic malware) to escape detection by antivirus signatures and successfully re-infect machines.

Efforts to develop generic signatures, each intended to identify a whole family of variants with one signature, were not successful: outliers continually got through.

Meanwhile, malware groups remain active, crafting malware that infects systems without any traceable files at all. These fileless attacks wreak total havoc on systems, completely bypassing defense mechanisms.

Fileless attacks that recently made headlines

The security community monitors and studies fileless attacks as they happen. A couple of especially recognizable ones include:

  • Equifax: In September 2017, people learned that Equifax had experienced a data breach that impacted 143 million Americans' personal information – over half of US households.

Virsec Systems CTO Satya Gupta told CSO that the incident was a fileless attack that "used a command injection vulnerability in Apache Struts."

"In this type of attack, a vulnerable application does not adequately validate users' input, which may contain operating system commands," Gupta said. "As a result, these commands can get executed on the victim machine with the same privileges as those of the vulnerable application."

  • U.S. Democratic National Committee: Several months before the 2016 election, two threat actors infiltrated the network of the DNC. Those threat actors were later determined to be affiliated with Russian intelligence and one of them, known as COZY BEAR and many other names, utilizes many tools. One in this attack was SeaDaddy, a Py2exe script developed in Python. Another was a PowerShell backdoor that used a Windows Management Instrumentation (WMI) system with persistence, allowing the attackers to launch malicious code automatically at times of their choosing.

How Are Fileless Attacks Carried Out?

Threat actors conduct fileless attacks by involving the very things they intend to attack – applications, protocols, software – in the attack process itself. These attacks very often begin by tricking users on the front end, via a sophisticated phishing email with an infected link as bait for users to click on. Once clicked, malware is unleashed into the user’s device memory and begins to hijack regular Windows tools (PowerShell and others) to propagate more malicious code.

Unless these attacks are noticed and preempted at this first stage, such as the phishing email, they will be missed by many if not most security solutions. It’s impossible for these products to discover the presence of something that has no presence – no file to find on a victim’s computer, nothing to match up against a signature database. The tools bad actors use easily lurk undetected inside the normal and legitimate applications and tools residing on users’ PCs.

Equifax Fileless Attack Example

Some details of the Equifax breach illustrate how stealthy these attacks can be.

Fileless malware attacks operate in a computer’s RAM rather than on its hard drive, which gives hackers a stealthier way to invade networks and applications. Because no (or very little) malware or foreign code is placed on the victim’s system, these attacks are also called “zero footprint”, “macro” or “non-malware” fileless attacks. Antivirus signatures miss the breach or attack (and the attack may well have no existing signature in the first place).

This ease of entry and ability to sneak in under the radar have made fileless malware attacks grow rapidly in popularity. In just the 11 months from January to November of 2016 when the two noted here first appeared, fileless attacks increased from 3% to 13% of attacks. Now, at least 1 in 3 attacks has a fileless component to its strategy. These attacks also include numerous strains of ransomware attacks, which exploded in 2019 and have continued their disturbing trend in 2020, affecting banks, telecoms, government agencies and more.

In the case of the Equifax breach mentioned above, the attack used a command injection vulnerability in Apache Struts. A vulnerable application did not adequately validate users’ input, which likely contained operating system commands. Such commands get executed on the victim’s machine with the same privileges as those of the vulnerable application. This mechanism totally blindsides any anti-malware solution that is not watching the application’s execution path to determine whether the application has deviated from its natural code.
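As an added illustration (not code from the article, from Virsec or from the Struts project), here is the command injection pattern Gupta describes, in Python rather than the Java/Struts stack involved at Equifax: the vulnerable call splices untrusted input into a shell command string, the hardened call passes it as a single argument with no shell, and the allowlist validator and the expected-child check are assumed extras that stand in for input validation and the execution-path monitoring the article mentions.

```python
import os
import re
import subprocess

# Constructed sample inputs: a benign value and one carrying an extra shell command.
BENIGN = "alice"
HOSTILE = "alice; echo INJECTED"


def greet_unsafe(name: str) -> str:
    """Vulnerable pattern: the untrusted value is spliced into a shell command
    string, so shell metacharacters in it (';', '|', '$(...)') become commands
    that run with the application's own privileges."""
    result = subprocess.run(f"echo Hello, {name}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def greet_safe(name: str) -> str:
    """Hardened form: no shell is spawned and the value travels as one argv
    element, so it is printed literally, metacharacters included."""
    result = subprocess.run(["echo", "Hello,", name],
                            capture_output=True, text=True)
    return result.stdout


SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_name(name: str) -> bool:
    """Defence in depth (assumed policy): allowlist only the characters the
    field legitimately needs, so shell syntax is rejected before any call."""
    return SAFE_NAME.fullmatch(name) is not None


# Hypothetical: the child programs this application is expected to launch.
EXPECTED_CHILDREN = {"echo"}


def spawn_deviates(argv: list) -> bool:
    """Execution-path style check: a child process that is not on the
    application's expected list (here a shell) signals that the application
    has left its natural code path, which is the signal the article says
    signature-based tools never look for."""
    return os.path.basename(argv[0]) not in EXPECTED_CHILDREN


if __name__ == "__main__":
    print(repr(greet_unsafe(HOSTILE)))  # the injected second command ran
    print(repr(greet_safe(HOSTILE)))    # printed literally, nothing ran
    print(validate_name(HOSTILE), spawn_deviates(["/bin/sh", "-c", "echo"]))
```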

Protecting Corporate Networks Against Fileless Attacks

Even though traditional security products can’t protect against fileless attacks, organizations are not without options: new solutions that don’t rely on signatures are available.
