Cybercriminals keep sharpening their digital tools of trade to maintain the upper hand over their targets. Among their most effective techniques is fileless malware, which is estimated to be roughly 10x more likely to succeed than traditional malware attacks.
Given how effective fileless malware is, it’s no surprise that the number of fileless attacks is growing rapidly. Between January 1st and June 30th, 2020, fileless malware was responsible for 30 percent of all detected Indicators of Compromise (IOCs), making it the most common threat category during that period.
To protect your business from this dangerous threat, you need to understand its methods and implement controls that can effectively counteract it.
What Is Fileless Malware?
Viruses, Trojan horses, and even ransomware attacks start with a malicious file. To do its job, this file needs to be delivered to the target and executed.
That’s not an easy thing to do because responsible organizations use an anti-malware solution to scan new files and verify their legitimacy. To get around these scanners, fileless malware doesn’t touch the hard drive at all, operating entirely in memory.
Typically, a fileless attack starts with a phishing email containing a link to a malicious website. When the victim visits the website, an exploit is automatically triggered, allowing the attacker to remotely load malicious code directly to memory.
The code then latches onto a privileged application, such as Microsoft PowerShell or Windows Management Instrumentation (WMI), so it can initiate malicious processes and spread laterally across the network.
Traditional anti-malware solutions that work by comparing files against a database of known file signatures are oblivious to malicious code infiltrating system memory, leaving the victim defenseless.
What Kind of Damage Can Fileless Malware Cause?
To understand the damage fileless malware can cause, we can look at some of the more famous fileless attacks that have happened in recent years.
5 Fileless Malware Examples
1. Stolen Sensitive Info
The Equifax data breach, the largest of 2017 with the personal information of 147 million people exposed, is a great example of a fileless attack being used to steal sensitive information.
2. Fileless Ransomware
UIWIX is a fileless ransomware that spreads via the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) and later leaked by the Shadow Brokers hacker group.
The exploit is also used by the cryptocurrency miner TROJ64_COINMINER.QO, allowing it to spread without leaving any traces on the hard drive.
3. Login Credentials
KOVTER evolved from a police ransomware into a sophisticated fileless malware capable of downloading the Mimikatz tool to steal login credentials from unsuspecting victims.
4. PowerShell Backdoor
Two Russian intelligence-linked actors infiltrated the DNC network before the 2016 election. COZY BEAR used SeaDaddy, a Python-based implant, and a fileless PowerShell backdoor that leveraged WMI to execute malicious code directly in memory, making it extremely difficult to detect.
5. Remote Code Executed in Memory
In December 2019, the Lazarus Group developed macOS malware using a trojanized UnionCryptoTrader.dmg installer. The malware executed remote code directly in memory and used a loader to run a payload without writing any files to disk, making it a fileless threat that’s harder to detect.
As you can see, fileless malware can be used to perform all kinds of nefarious activity. So, preventing cybercriminals from carrying out these attacks should be every organization’s top priority.
How to Protect Against Fileless Malware
A multi-pronged approach is necessary to effectively protect against fileless malware, and it should include the following components:
Cybersecurity Awareness Training
As we’ve explained earlier, fileless attacks typically start with phishing emails, so educating employees about the techniques used by phishers to convince their victims to do something that’s against their best interest can be a powerful first layer of defense.
Patch Management
Cybercriminals also distribute fileless malware by exploiting unpatched software vulnerabilities. So, keeping all devices and the applications running on them updated is paramount.
Behavior Analysis
Fileless attacks can be detected, but you have to look for the right indicators. By analyzing how processes behave using machine-learning-driven behavioral analytics, it’s possible to spot when a legitimate process is behaving in strange ways—an indication that it’s been hijacked by fileless malware.
With Managed Detection and Response (MDR) integrated into a Security Operations Center (SOC), this analysis is enhanced by 24/7 monitoring, real-time threat hunting, and rapid incident response – giving your organization a more comprehensive defense against fileless malware and other sophisticated threats.
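To make the behavioral indicators concrete, here is an added Python example (not from the original article or from Teal) that scores constructed process-creation events for the traits described above: a scripting host such as PowerShell spawned by WMI or an Office application, and command-line switches associated with in-memory execution. The Sysmon-style field names, the parent/child lists and the alert threshold are assumptions chosen for illustration.

```python
"""Triage process-creation events for fileless-malware traits.

Events are constructed dictionaries modelled on Sysmon Event ID 1 fields
(Image, ParentImage, CommandLine); the field names, lists and threshold
below are assumptions, not taken from the original article.
"""
import re

# Scripting hosts that fileless payloads commonly latch onto (PowerShell, WMI scripting, etc.)
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that rarely have a legitimate reason to launch a scripting host
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Command-line cues of in-memory execution (widely published detection heuristics)
MEMORY_ONLY_FLAGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(nop|noprofile)\b", re.I), "profile bypass"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory eval"),
    (re.compile(r"downloadstring|net\.webclient", re.I), "download straight to memory"),
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event):
    """Return (score, reasons); one point per matched indicator."""
    reasons = []
    child, parent = basename(event["Image"]), basename(event["ParentImage"])
    if child in LOLBIN_CHILDREN and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{parent} spawned {child}")
    for pattern, label in MEMORY_ONLY_FLAGS:
        if pattern.search(event.get("CommandLine", "")):
            reasons.append(label)
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return (score, image, reasons) for events at or above threshold, highest first."""
    hits = [(s, e["Image"], r) for e in events for s, r in [score_event(e)] if s >= threshold]
    return sorted(hits, key=lambda h: h[0], reverse=True)

SAMPLE_EVENTS = [  # constructed telemetry; the base64 is a placeholder, not a real payload
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQQ=="},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for score, image, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {image}: {', '.join(reasons)}")
```

Only the WMI-spawned, hidden, encoded PowerShell launch crosses the threshold; the scheduled backup script that also runs PowerShell does not, which is the distinction a behavioral rule has to make to stay usable.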
Memory Scanning
Some of the most advanced security solutions available today – such as Microsoft Defender for Endpoint – can perform real-time memory scanning to inspect fileless threats even with heavy obfuscation. This makes these solutions excellent alternatives to traditional anti-malware software.
Attack Vector Reduction
Fileless attacks leverage legitimate processes to gain elevated privileges, so disabling all unnecessary processes that are commonly exploited makes it much more difficult for fileless malware to do what it’s designed to do.
Sophisticated Protection from Fileless Malware
Defending against fileless malware requires more than just traditional antivirus solutions. With advanced techniques like in-memory execution and the ability to exploit trusted system tools, these threats can be incredibly difficult to detect and eliminate.
At Teal, we go beyond basic defenses by offering Managed Detection and Response (MDR) with a 24/7 Security Operations Center. Our advanced solutions include endpoint detection, behavior-based monitoring, and automated threat response – giving you the peace of mind that your SMB is always protected.
Our team will work closely with you to implement these protective measures and ensure your organization is equipped to prevent, detect, and respond to fileless malware attacks before they cause harm. Contact us today to learn more.