From crypto-ransomware and destructive malware to advanced persistent threats that exploit zero-day vulnerabilities, the malware threat landscape is ever-evolving. Another threat we’ve increasingly observed is fileless malware.
Apparently, we aren’t alone. One security expert told Threatpost in April that he had seen more fileless malware in the first quarter of 2017 than in all of 2016 and 2015 combined. Numbers like that warrant attention. So, what exactly is fileless malware, and what’s behind its sudden growth?
Fileless malware is also known as “memory-based” malware because its malicious functionality does not reside in a file on an infected host. Instead, fileless malware usually injects code into a host’s random-access memory (RAM) and/or registry. Once injected, the code employs clever scripting to use a host’s native functionality for further exploits. This method of using an infected device’s native system functionality, a host’s legitimate applications or an organization’s IT administrative toolset for malicious purposes is called “living off the land.”
Attacks that live off the land are extremely stealthy because they employ functionality that is white-listed by an organization’s security technologies. For instance, system administrators use PowerShell, a functionality native to Windows operating systems, for a variety of legitimate tasks. Traditional detection methods may not flag fileless malware that resides in a computer’s RAM and uses PowerShell. Because there is no file, there is no file signature to match, which makes signature-based detection unreliable.
Fileless malware is somewhat anti-forensic in that it leaves no detectable trace of itself (e.g., a file) beyond its stealthy use of native functionality and white-listed technology. This does present a risk to threat actors: if an infected machine is turned off, the fileless malware will cease to function. However, security experts have observed strains that employ a script stored in the Windows Registry to reinstate the malware code when an infected device reboots.
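A detection-side illustration of the two behaviours just described: PowerShell driven non-interactively from memory, and a Registry auto-start entry that re-launches a script interpreter after reboot. This is an added example, not BluVector’s code or anything from the original post. The event records, key paths and scoring weights are constructed for the example, and the indicator list is a heuristic starting point rather than a complete rule set.

```python
"""Heuristic triage of Windows process-creation and registry-write events
for "living off the land" activity.  All sample data below is constructed."""
import re
from dataclasses import dataclass

# Command-line switches frequently seen when PowerShell is driven without an
# operator at the keyboard.  Each one also has legitimate admin uses, so they
# are weighted and summed rather than treated as hard blocks.
POWERSHELL_INDICATORS = {
    r"-enc(odedcommand)?\b": 3,              # base64-wrapped script body
    r"-w(indowstyle)?\s+hidden": 2,          # no visible console window
    r"-e(p|x|xecutionpolicy)\s+bypass": 2,   # script policy overridden
    r"-nop(rofile)?\b": 1,                   # skips the user profile
    r"iex\b|invoke-expression": 2,           # executes a string as code
}
# Auto-start locations that re-launch a value at logon/boot (persistence).
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
# Script/loader hosts that rarely belong in a Run key on a workstation.
INTERPRETERS = ("powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32")
ALERT_THRESHOLD = 3


@dataclass
class Event:
    kind: str    # "process" (creation) or "registry" (value set)
    target: str  # process image path, or the registry key that was written
    detail: str  # full command line, or the registry value data


def score_process(cmdline):
    """Return (score, matched patterns) for a process command line."""
    lowered = cmdline.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return 0, []
    score, hits = 0, []
    for pattern, weight in POWERSHELL_INDICATORS.items():
        if re.search(pattern, lowered):
            hits.append(pattern)
            score += weight
    return score, hits


def score_registry(key, data):
    """Flag Run/RunOnce values whose data invokes a script interpreter."""
    if not RUN_KEY_RE.search(key):
        return 0, []
    lowered = data.lower()
    hits = [name for name in INTERPRETERS if name in lowered]
    return (ALERT_THRESHOLD if hits else 0), hits


def triage(events):
    """Return (kind, score, hits) for every event at or above the threshold."""
    alerts = []
    for ev in events:
        if ev.kind == "process":
            score, hits = score_process(ev.detail)
        elif ev.kind == "registry":
            score, hits = score_registry(ev.target, ev.detail)
        else:
            continue
        if score >= ALERT_THRESHOLD:
            alerts.append((ev.kind, score, hits))
    return alerts


# Constructed sample telemetry: two benign entries and two suspicious ones.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -Command Get-Service"),        # routine admin use
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoP -W Hidden -Enc SQBFAFgA..."),        # constructed, suspicious
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          r"mshta.exe C:\Users\Public\update.hta"),                 # constructed persistence
    Event("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),  # benign
]

if __name__ == "__main__":
    for kind, score, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {kind:8s} score={score} indicators={hits}")
```

Run against the constructed events, the routine `Get-Service` launch scores 1 and stays silent, while the hidden, encoded launch scores 6 and the `mshta` Run-key entry is raised as persistence. Because the same switches appear in legitimate automation, a real deployment would pair this scoring with an allowlist of known scheduled tasks and management tooling rather than alerting on the switches alone.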
Unlike highly targeted exploits of the firmware used by specific industrial control systems, which offer threat actors limited reuse, fileless malware is a flexible, adaptable tool. Many strains of fileless malware are designed to be effective in most enterprise IT environments that run, for instance, Windows or Linux systems. Fileless malware is among the most efficient types of polymorphic malware.
Fileless malware often includes custom scripting for multi-stage hacks. For instance, fileless malware code might enable the distinct tasks of escalating administrative privileges, establishing a connection back to the threat actor’s remote command and control server and exfiltrating data. Fileless malware can also be used to install additional malware modules.
SCE runs in parallel with BluVector’s patented machine learning engine, which is designed to detect file-based attacks, giving BluVector customers two complementary ways to detect attacks that are fully fileless or that start fileless and become file-based further down the attack chain.
Contact us today to learn how BluVector’s multiple detection technologies can prevent fileless malware from ever gaining a foothold in your organization.