
What Is Fileless Malware and How To Protect Against It


Cybercriminals keep sharpening their digital tools of trade to maintain the upper hand over their targets. Among their latest and most effective techniques is the so-called fileless malware, which is estimated to be roughly 10x more likely to succeed than traditional malware attacks.

Given how effective fileless malware is, it’s no surprise that the number of fileless attacks is growing rapidly. Between January 1st and June 30th, 2020, fileless malware was responsible for 30 percent of all detected indicators of compromise (IOCs), making it the most common threat category during that period.

To protect your organization against this dangerous threat, you must understand how it works and what controls can reliably keep it at bay.  

What Is Fileless Malware?

Viruses, Trojan horses, and even ransomware attacks start with a malicious file. To do its job, this file needs to be delivered to the target and executed.  

That’s not an easy thing to do because all responsible organizations today use some anti-malware solution to scan new files in order to verify their legitimacy. To get around anti-malware solutions, fileless malware doesn’t touch the hard drive at all, operating entirely in memory.  

Typically, a fileless attack starts with a phishing email containing a link to a malicious website. When the victim visits the website, an exploit is automatically triggered, allowing the attacker to remotely load malicious code directly to memory.  

The code then latches onto a privileged application, such as Microsoft PowerShell or Windows Management Instrumentation (WMI), so it can initiate malicious processes and spread laterally across the network. 

Traditional anti-malware solutions that work by comparing files against a database of known file signatures are oblivious to malicious code infiltrating system memory, leaving the victim defenseless.  

What Kind of Damage Can Fileless Malware Cause?

To understand the damage fileless malware can cause, we can look at some of the more famous fileless attacks that have happened in recent years.  

The Equifax data breach, the largest data breach of 2017, exposed the personal information of 147 million people and is a prominent example of a fileless attack being used to steal sensitive information.

Then there’s UIWIX, a fileless ransomware that spreads via the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) and later leaked by the Shadow Brokers hacker group. The same exploit is also used by a cryptocurrency miner (TROJ64_COINMINER.QO) to spread without leaving any data on the hard drive.

We should also mention KOVTER, which evolved from a police ransomware into a fileless malware threat capable of downloading the Mimikatz tool to steal login credentials from unsuspecting victims.  

As you can see, fileless malware can be used to perform all kinds of nefarious activity, so gaining the means to prevent cybercriminals from doing so should be every organization’s top priority.

How to Protect Against Fileless Malware?

A multi-pronged approach is necessary to effectively protect against fileless malware, and it should include the following components:

Cybersecurity Awareness Training

As we’ve explained earlier, fileless attacks typically start with phishing emails, so educating employees about the techniques used by phishers to convince their victims to do something that’s against their best interest can be a powerful first layer of defense.

Patch Management

Cybercriminals also distribute fileless malware by exploiting unpatched software vulnerabilities, so keeping all devices and the applications running on them updated is paramount.

Behavior Analysis

Fileless attacks can be detected, but you have to look for the right thing. By analyzing how processes behave using machine-learning-driven behavioral analytics, it’s possible to spot when a legitimate process is behaving in strange ways—an indication that it’s been hijacked by fileless malware.
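To make the "look for the right thing" idea concrete, here is a small added example (not code from the original article or from TechGen) of the kind of behavioural rule a detection engineer would run over process-creation telemetry. It scores each launch of a script host such as PowerShell on who spawned it (an Office application or the WMI provider host, both of which the text above names as processes fileless code latches onto) and on how it was launched (hidden window, no profile, policy bypass, or an encoded command, which the rule decodes from its Base64/UTF-16LE form so an analyst can read it). The four events are constructed in the shape of Sysmon Event ID 1 fields and are not real telemetry; the thresholds and field names are the example's own assumptions.

```python
"""Behaviour-based detection of suspicious script-host launches (added example)."""
import base64
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional

# Parent processes that should rarely launch a script host directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# WMI provider host: a WMI-initiated launch of a script host deserves a look.
WMI_HOST = "wmiprvse.exe"
# Script hosts commonly used for in-memory execution.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Switch combinations that hide the console, skip the profile or bypass policy.
SUSPICIOUS_FLAG_PAIRS = {("-w", "hidden"), ("-windowstyle", "hidden"),
                         ("-ep", "bypass"), ("-executionpolicy", "bypass")}
SUSPICIOUS_FLAGS = {"-nop", "-noprofile"}


def encode_for_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand argument (any prefix: -e, -ec, -enc, ...),
    or None when there is none or it does not decode cleanly."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        switch = tok.lower()
        # "-ex..." is -ExecutionPolicy and "-er..." is -ErrorAction; only a prefix
        # of "encodedcommand" names the encoded-command switch.
        if switch.startswith("-e") and "encodedcommand".startswith(switch[1:]):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


@dataclass
class Finding:
    user: str
    image: str
    parent_image: str
    reasons: List[str] = field(default_factory=list)
    decoded_command: Optional[str] = None

    @property
    def severity(self) -> str:
        # Assumed threshold: two independent signals make a high-severity alert.
        return "high" if len(self.reasons) >= 2 else "low"


def analyze_event(event: dict) -> Optional[Finding]:
    """Apply the heuristics to one process-creation event; None means nothing notable."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    if image not in SCRIPT_HOSTS:
        return None
    finding = Finding(event["user"], image, parent)

    if parent in OFFICE_PARENTS:
        finding.reasons.append(f"office application {parent} spawned {image}")
    if parent == WMI_HOST:
        finding.reasons.append(f"WMI provider host spawned {image}")

    tokens = event["command_line"].lower().split()
    if set(zip(tokens, tokens[1:])) & SUSPICIOUS_FLAG_PAIRS or set(tokens) & SUSPICIOUS_FLAGS:
        finding.reasons.append("hidden window / no-profile / policy-bypass flags")

    decoded = decode_encoded_command(event["command_line"])
    if decoded is not None:
        finding.decoded_command = decoded
        finding.reasons.append("encoded command (decoded inline)")

    return finding if finding.reasons else None


def scan(events: List[dict]) -> List[Finding]:
    """Run every event through the heuristics and keep only the ones that fired."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample events in the shape of Sysmon Event ID 1 fields (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # a document opened from a phishing lure launches hidden, encoded PowerShell
        "user": "CORP\\alice",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": PS,
        "command_line": "powershell.exe -NoP -W Hidden -enc "
                        + encode_for_powershell("Write-Host 'constructed sample'"),
    },
    {   # WMI-initiated execution with the console hidden
        "user": "NT AUTHORITY\\SYSTEM",
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "image": PS,
        "command_line": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Get-Process"',
    },
    {   # an admin's backup script: -NoProfile alone is only a weak signal
        "user": "CORP\\bob",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": PS,
        "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # ordinary interactive launch from the shell: nothing to report
        "user": "CORP\\carol",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": PS,
        "command_line": "powershell.exe",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user}: {f.parent_image} -> {f.image}")
        for reason in f.reasons:
            print(f"    - {reason}")
        if f.decoded_command:
            print(f"    decoded: {f.decoded_command}")
```

Run as a script, it reports the first two events as high severity (the Word-spawned, hidden, encoded launch and the WMI-spawned hidden launch), the backup script as low, and stays silent on the interactive launch. The point of the parent/child check is that a hijacked legitimate process is identified by what it does next, not by a file hash, which is exactly the signal a signature scanner never sees.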

Memory Scanning

Some of the most advanced security solutions available today, such as Microsoft Defender for Endpoint, can perform real-time memory scanning to inspect fileless threats even with heavy obfuscation, making such solutions excellent alternatives to traditional anti-malware software.

Attack Vector Reduction

Fileless attacks leverage legitimate processes to gain elevated privileges, so disabling all unnecessary processes that are commonly exploited makes it much more difficult for fileless malware to do what it’s designed to do.

We at TechGen can help you implement these and other protective measures to ensure that your organization won’t be brought to its knees by a fileless attack. Contact us today.
