What is Fileless Malware?
The Rise of Malware-less Attacks
The security industry is witnessing a rapid evolution in attack techniques—including advanced polymorphic malware and fileless attacks. In fact, according to the 2016 Verizon Data Breach Report, the majority of breaches (53%) involve no malware. Listen to Forrester Research Senior Analyst Chris Sherman and Carbon Black VP of Product Management Paul Morville discuss new security threats and the need for a next generation of endpoint security.
Fileless malware refers to a cyberattack technique that uses existing software, allowed applications, and authorized protocols to carry out malicious activities.
Unlike traditional malware, fileless malware does not rely on an executable file as its first stage. Rather than using malicious software or downloaded executables as its primary entry point onto corporate networks, fileless malware often hides in memory or other difficult-to-detect locations. From there it is written directly to RAM rather than to disk to execute a series of events, or is coupled with other attack vectors such as ransomware to accomplish its malicious intent.
And because fileless malware doesn’t write anything to disk like traditional malware does, it leaves no immediate trace of its existence behind and thus avoids detection by traditional antivirus security. Here are some potential attack scenarios of fileless malware that use commonplace software, applications, and protocols as a launching point for malicious activities:
A link in a legitimate-looking file loads into memory, and then remotely loads a script to go after confidential data that is sent back to the attacker.
Native system tools that would typically be considered highly trusted, such as Microsoft Windows Management Instrumentation (WMI) and the Microsoft PowerShell scripting language, are targeted to get scripts to run remotely.
Once in, fileless malware can abuse legitimate system administration tools and processes to gain persistence, elevate privileges, and spread laterally across the network.
What is a non-malware attack?
It's a term rising in prominence due to its growing danger, but it still leaves folks scratching their heads trying to define it properly. This episode of "The 101" provides a clear definition of what a non-malware attack is, along with a quick example to help explain exactly what it can do and why it is so dangerous today.
To get more insight into this increasingly pervasive attack method, Carbon Black recently interviewed over 400 security researchers who discussed non-malware attacks, artificial intelligence (AI) and machine learning (ML), among other topics.
say their companies are experiencing an increasing number of fileless malware attacks
consider fileless malware attacks more threatening than traditional malware
of fileless malware attacks target customer data
The most common types of fileless attacks were:
Remote logins (55%)
WMI-based attacks (41%)
In-memory attacks (39%)
PowerShell-based attacks (34%)
Microsoft Office macros attacks (31%)
In addition to going after customer data, fileless malware attacks most commonly targeted corporate IP (53%), credentials (42%), and financial data (41%). Over half of fileless malware attacks were designed for service disruption.
As seen above, fileless malware has security professionals on edge, for good reason. Fileless malware is relentless – and it’s growing rapidly.
77% of successful compromises in 2017 were fileless.
Fileless attacks are ten times more likely to succeed than file-based attacks.
Overall, fileless attacks are increasing by nearly 7% per month.
Macro malware attacks increased from 400,000 at the end of 2015 to over 1.1 million during the second quarter of 2017 while PowerShell malware grew by 119% in the third quarter alone.
Because it doesn’t follow the known path that traditional malware does, traditional antivirus solutions don’t stand a chance of defending against fileless malware. In fact, in Carbon Black research, two-thirds of security researchers said they were not confident legacy antivirus software could protect their organizations.
So what will work? The answer is to monitor the complete stream of events on an endpoint – how one individual event leads to and relates to another – to detect attackers leveraging these techniques.
The underlying technology that supports these capabilities takes a fundamentally different approach from traditional antivirus software. It monitors the activity of users, applications and services, including related processes, inbound and outbound network traffic, requests to run applications, and changes to credentials or permission levels. In addition to monitoring each individual event, it keeps a record of what triggered that event in the first place, which allows the streaming technology not just to monitor individual events on an endpoint but to monitor and analyze the relationships among them.
This naturally creates a high volume of data, which is why the cloud is an essential component to this approach. In the cloud, various analytic techniques like machine learning, behavioral analysis and event stream processing can be used to analyze the event streams, determine the risk of any given stream, and apply prevention policies against the stream should it exceed an acceptable level of risk.
An unsuspecting employee visits a web page, which loads Flash. But the website has been compromised, and a vulnerability in Flash is exploited that invokes PowerShell on the user’s machine. The attacker can then do whatever they wish without traditional antivirus detecting anything.
How can this be stopped?
- Capture all events on the endpoint to see the full stream of activity
- Tag each event to uncover the attack’s progression
- Assess risk at every stage, blocking the attack when the threat is clear
Browsing the web, running Flash and invoking PowerShell are each, in their own right, viable and necessary events. However, when they appear as a stream of events, it becomes obvious that collectively they are being used in a fileless malware attack. This approach ultimately helps identify anomalous behavior that can then be tagged, flagged, and automatically shut down before attackers can carry out their harmful goals.
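The three steps above, applied to the Flash-to-PowerShell scenario, as an added illustration that is not part of the original article and not Carbon Black's product code: a small detector that keeps each process event's lineage, tags the event on its own, and scores the whole chain. The image names, tags, point values, threshold and sample events are all assumptions constructed for the example.

```python
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BLOCK_THRESHOLD = 70  # assumed policy value, not taken from the article
SAMPLE_EVENTS = [  # constructed sample process-creation events; names are illustrative
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "chrome.exe", "cmd": "chrome.exe https://example.test"},
    {"pid": 300, "ppid": 200, "image": "flashplugin.exe", "cmd": "flashplugin.exe"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmd": "powershell.exe -WindowStyle Hidden ..."},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
]

def tag_event(ev):
    """Step 2: label one event on its own, with no context."""
    img, cmd = ev["image"].lower(), ev["cmd"].lower()
    checks = {
        "browser": img in BROWSERS,
        "plugin": "flash" in img,
        "script_host": img in SCRIPT_HOSTS,
        "hidden_window": "hidden" in cmd,
    }
    return {tag for tag, hit in checks.items() if hit}

def score_chain(chain):
    """Step 3: risk comes from the relationship among events, not any one of them."""
    own = tag_event(chain[0])
    ancestors = set().union(*[tag_event(e) for e in chain[1:]])
    score = 0
    if "script_host" in own and "browser" in ancestors:
        score += 60  # a browser has no business spawning a scripting engine
    if "script_host" in own and "plugin" in ancestors:
        score += 20
    if "hidden_window" in own:
        score += 20
    return score

def assess(events):
    """Step 1: take the whole stream; return pid -> (chain images, score, verdict)."""
    by_pid = {e["pid"]: e for e in events}
    result = {}
    for e in events:
        chain, pid = [], e["pid"]
        while pid in by_pid:  # follow parent links so the event keeps what triggered it
            chain.append(by_pid[pid])
            pid = by_pid[pid]["ppid"]
        score = score_chain(chain)
        result[e["pid"]] = ([c["image"] for c in chain], score,
                            "block" if score >= BLOCK_THRESHOLD else "allow")
    return result
```

Run on the sample stream, the PowerShell launched from the desktop (pid 500) is allowed, while the one descended from browser and plugin (pid 400) is blocked even though no file was ever written to disk.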