You may not have heard of a fileless malware attack, but despite its obscurity, it’s a real and serious threat.
Furthermore, fileless malware makes up about 70 percent of executables that are unknown to reputation services, according to SentinelOne’s Enterprise Risk Index Report for the 2018 first half. This means that antivirus software that depends on matching a signature won’t find this malware.
In many cases this is because the malware isn’t an executable file at all. Instead, it’s a process that’s delivered to a computer that takes over an existing service, such as Microsoft Windows PowerShell or another Windows service, which then loads software or follows commands that carry out the activities normally associated with malware.
I first encountered such malware in 2015 in a spoofed email from a fax service that included a scan of the supposed fax. But what was actually included was a Microsoft Word file that included Javascript code that loaded malware from Russia. My AV software never noticed, even when I explicitly scanned the document.
That’s the problem with fileless malware. It enters your system as executable instructions that run in PowerShell, for example, and the computer follows those instructions. It may, for example, load encryption software from a remote site, encrypt your hard disk and then terminate the process. Or it can tell PowerShell to locate your backups first, and then erase them.
Security software that relies on a library of known malware threats to protect computers from cyber-attacks are ineffective because there’s no virus or malware file for your antivirus or anti-malware program to recognize. According to the SentinelOne report, this threat is growing rapidly. The problem then becomes, what to do about it?
“When there’s no file, many of the AV systems are blind to it,” says Migo Kedem, director of product management at SentinelOne. Kedem said that some companies are trying to prevent such attacks by disabling PowerShell or by disabling macros in Microsoft Office.
But he said that such actions can have serious impacts on productivity. He also noted that PowerShell has become increasingly important to IT departments for automating critical processes.
According to Kedem, the problem is also that you can’t hash a command line the way antivirus software uses a computed hash to identify malware. So the fileless malware can run the same command 25 or 30 different ways until something works.
Kedem said that he’s been working on artificial intelligence and machine learning software that can observe what is happening on a system under attack. When certain types of activities take place, the intelligent system can stop them, and if necessary roll back the attack.
“Eventually it will try to encrypt your files,” Kedem explained. “But first it will try to delete your backups. In the case of ransomware, those are two behaviors that mark it as malicious.”
The only way to detect such fileless malware is to catch it in the act. This means that you need monitoring software that will observe activity on your computers, and when it sees something suspicious, it immediately takes action. SentinelOne has an agent that monitors such activity, and takes action when it finds it.
Other solutions include Cybereason RansomFree which looks for the encryption process to begin, and then immediately terminates it. Cybereason also makes a full enterprise system that uses AI to seek out and destroy malware of all types.
Malwarebytes, long known for effective malware protection, is also fighting fileless malware.
“Malwarebytes’ exploit mitigation technology allows us to stop file-less malware attacks before they even begin, whether they rely on drive-by downloads or social engineering—i.e. Office macros,” said Jerome Segura, head of investigations at Malwarebytes Intelligence in an email.
“Our other layers of protection allow us to detect file-less malware already on the system in particular if it relies on registry entries for persistence and connects to its Command and Control server,” Segura wrote.
As you might expect, the fact that it’s fileless means that finding it installed on a system is problematic.
“There are types of file-less malware that we detect after infection,” explained Adam Kujawa, head of Malwarebytes Intelligence in an email. “However, with the constant evolution of this type of attack, we are likely going to encounter speedbumps on protecting users from this threat after infection.”
“A combination of our real time protection and web protection functionalities help with after infection cases, while our exploit mitigation tech identifies the attack before it can cause any damage,” Kujawa added.
Besides using JavaScript, and instructions for PowerShell, there are a number of ways that fileless malware can attack a system. These include VBScript Mshta (which runs Microsoft’s HTML application host) and rundll32 among other Windows processes that can run executable code.
However, you can’t just disable these processes in Windows (or similar processes in other operating systems) without potentially disabling the computer. While Windows is the most commonly attacked with fileless malware, there’s nothing that prevents this from happening with other operating systems.
The reasons why most of the files attacks are directed against Windows systems is mostly because of the huge installed base and because of the higher potential for significant return on malware writers’ efforts.
Protecting your computers requires more than just an antivirus package. It also requires discipline, education and good computer hygiene to keep from being a victim in the first place. You also have to have a strong sense of suspicion, which is how I discovered my first piece of fileless malware.