DATA SECURITY KNOWLEDGE BASE

What is Fileless Malware (or a Non-Malware Attack)? Definition and Best Practices for Fileless Malware Protection

What is Fileless Malware?

Fileless malware, also known as a non-malware, zero-footprint, or macro attack, differs from traditional malware in that it doesn’t need to install malicious software to infect the victim’s machine. Instead, it takes advantage of existing vulnerabilities on your machine. It exists in a computer’s RAM and uses common system tools to inject malicious code into normally safe and trusted processes such as javaw.exe or iexplore.exe to execute an attack.

Because fileless malware does not require a file download, it can be quite difficult to prevent, detect, and remove. The good news is that if you reboot your machine, you can halt the breach. This is because RAM only keeps its data when your computer is on. Once you turn it off, the infection is no longer live. However, hackers can still use that vulnerability to steal data from your computer or even install other forms of malware to give it persistence. For example, hackers can set up scripts that run when the system restarts to continue the attack.

What are the Characteristics of Fileless Malware?

Fileless malware:

  1. Has no identifiable code or signature that allows typical antivirus tools to detect it. It also does not have a particular behavior; therefore, heuristics scanners cannot detect it.
  2. Lives in your computer's RAM. Thus, it is also known as memory-based malware.
  3. Uses processes that are native to the operating system you are using in order to carry out the attack.
  4. May be paired with other types of malware.
  5. May be able to circumvent application whitelisting, a process that allows only approved applications to be installed on a machine. Fileless malware takes advantage of approved applications that are already on your system.

How Does Fileless Malware Work?

There are many techniques that attackers might use to launch a fileless attack. For example, you might see a banner ad and click on it, not knowing it’s a “malvertisement.” You then get redirected to a malicious site (that seems legitimate) that loads Flash, which is, unfortunately, riddled with vulnerabilities. Flash utilizes the Windows PowerShell Tool to execute commands using the command line while it is running in memory. PowerShell then downloads and executes malicious code from a botnet or other compromised server that looks for data to send to the hackers.

Who are the Most Common Targets of Cyberattacks Involving Fileless Malware?

Most attacks that are being reported involve organizations in the financial industry. In February 2017, it was reported that fileless malware breached the networks of at least 140 banks and financial companies in at least 40 countries. Because fileless malware is very difficult to detect, that number could actually be much higher.

Fileless malware is on the rise. 42% of companies surveyed by the Ponemon Institute reported experiencing at least one fileless malware attack in 2017. Respondents also said that around 30% of all attacks were fileless attacks; furthermore, 77% of all successful attacks were fileless.

The Ponemon Institute estimates that fileless attacks and the laxity of endpoint security is likely to cost companies as much as $5 million. Experts believe that the rise in these types of attacks is influenced by the fact that fileless malware is readily available in project repositories and even included in Angler and other exploit kits. Some cybercriminals are also offering fileless malware attacks as a service.

Signs of Fileless Malware Attacks

While there are no new files installed or typical telltale behavior that would make a fileless malware attack obvious, there are some warning signs to watch for. One is unusual network patterns and traces, such as your computer connecting to botnet servers. Look for signs of compromise in system memory as well as other artifacts that may have been left behind from malicious code.

Best Practices for Fileless Malware Protection

Here are some things that you can do to avoid getting infected by fileless malware or to limit your exposure if you do get infected:

  • Keeping your software current and patches up to date.
  • Adopting the best practices for using and securing PowerShell.
  • Disabling services and program features that you do not use.
  • Uninstalling applications that you are not using or are not important to your work.
  • Making sure that you have endpoint security, and securing each of these devices, including remote and mobile devices, to protect your network.
  • Restricting privileges you give to an admin user, or granting only the privileges that are necessary for a user to do his or her job.
  • Monitoring your network traffic and checking activity logs.
  • Making sure end-users know how to be secure and safe when connecting to the Internet or the network. Security training provided to end-users can go a long way in avoiding fileless malware infections.
  • Changing passwords once infection is made known and after successful disinfection.

Fileless malware attacks place value on stealth, rather than persistence, though the flexibility of the attack to pair with other malware allows it to have both. The Ponemon Institute survey found that these memory-based attacks were 10 times more likely to succeed than file-based malware. Organizations should create a strategy, including both endpoint security solutions and employee training, to combat against these threats.