What is Fileless Malware?
Fileless malware, also known as non-malware, zero-footprint, or macro attack malware, differs from traditional malware in that it doesn’t need to install malicious software on the victim’s machine. Instead, it takes advantage of existing vulnerabilities on your machine. It lives in the computer’s RAM and uses common system tools to inject malicious code into normally safe and trusted processes such as javaw.exe or iexplore.exe in order to execute an attack.
Because fileless malware does not require a file download, it can be quite difficult to prevent, detect, and remove. The good news is that rebooting your machine halts the breach, because RAM only keeps its data while the computer is powered on; once you turn it off, the infection is no longer live. However, hackers can still use the underlying vulnerability to steal data from your computer or even install other forms of malware to give the attack persistence. For example, hackers can set up scripts that run when the system restarts to continue the attack.
What are the Characteristics of Fileless Malware?
Fileless malware:
How Does Fileless Malware Work?
There are many techniques that attackers might use to launch a fileless attack. For example, you might see a banner ad and click on it, not knowing it’s a “malvertisement.” You are then redirected to a malicious site (which appears legitimate) that loads Flash, which is, unfortunately, riddled with vulnerabilities. The Flash exploit invokes the Windows PowerShell tool to execute commands from the command line while running entirely in memory. PowerShell then downloads and executes malicious code from a botnet or other compromised server; that code looks for data to send back to the hackers.
Who are the Most Common Targets of Cyberattacks Involving Fileless Malware?
Most attacks that are being reported involve organizations in the financial industry. In February 2017, it was reported that fileless malware breached the networks of at least 140 banks and financial companies in at least 40 countries. Because fileless malware is very difficult to detect, that number could actually be much higher.
Fileless malware is on the rise. 42% of companies surveyed by the Ponemon Institute reported experiencing at least one fileless malware attack in 2017. Respondents also said that around 30% of all attacks were fileless attacks; furthermore, 77% of all successful attacks were fileless.
The Ponemon Institute estimates that fileless attacks, combined with lax endpoint security, are likely to cost companies as much as $5 million. Experts believe that the rise in these types of attacks is influenced by the fact that fileless malware is readily available in project repositories and is even included in Angler and other exploit kits. Some cybercriminals are also offering fileless malware attacks as a service.
Signs of Fileless Malware Attacks
While there are no new files installed or typical telltale behavior that would make a fileless malware attack obvious, there are some warning signs to watch for. One is unusual network patterns and traces, such as your computer connecting to botnet servers. Look for signs of compromise in system memory as well as other artifacts that may have been left behind from malicious code.
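Applying these warning signs to endpoint telemetry, as an added example that is not part of the original article: a small Python checker over constructed process-creation records that flags the browser-to-PowerShell chain described earlier. The record fields, the host lists and the command-line markers are assumptions made for this example, not indicators the article itself lists.

```python
import ntpath
import re

# Constructed process-creation records (not a real capture): field names and
# paths are modelled on typical endpoint telemetry and made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4112, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://ads.example.test/'},
    {"pid": 4180, "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64-PLACEHOLDER>"},
    {"pid": 4200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

# Trusted processes the article names as hosts for injected code; a real
# deployment would extend this set (assumption). Script hosts likewise.
BROWSER_OR_PLUGIN_HOSTS = {"iexplore.exe", "javaw.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# PowerShell switches and cmdlets that, in combination, suggest an in-memory
# download-and-run; each is only a weak signal on its own.
CMDLINE_MARKERS = [
    r"-e(nc|ncodedcommand)?\b", r"-windowstyle\s+hidden", r"-nop(rofile)?\b",
    r"downloadstring", r"downloadfile", r"invoke-expression", r"\biex\b",
]

def basename(path: str) -> str:
    """File name of a Windows path, lower-cased, regardless of host OS."""
    return ntpath.basename(path).lower()

def assess_event(event: dict) -> list[str]:
    """Reasons the event matches the fileless chain; empty list if none."""
    reasons = []
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event["cmdline"].lower()
    if image in SCRIPT_HOSTS and parent in BROWSER_OR_PLUGIN_HOSTS:
        reasons.append(f"{image} spawned by browser/plugin host {parent}")
    hits = [m for m in CMDLINE_MARKERS if re.search(m, cmd)]
    if len(hits) >= 2:  # e.g. hidden window plus encoded command
        reasons.append("suspicious command line: " + ", ".join(hits))
    return reasons

def scan_events(events: list[dict]) -> dict[int, list[str]]:
    """Map pid -> reasons for every event that triggers at least one rule."""
    return {ev["pid"]: r for ev in events if (r := assess_event(ev))}
```

Run `scan_events(SAMPLE_EVENTS)` to see the single flagged process; the scheduled backup script in the third record is correctly left alone.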
Best Practices for Fileless Malware Protection
Here are some things that you can do to avoid getting infected by fileless malware or to limit your exposure if you do get infected:
Fileless malware attacks place value on stealth rather than persistence, though the flexibility to pair the attack with other malware allows it to have both. The Ponemon Institute survey found that these memory-based attacks were 10 times more likely to succeed than file-based malware. Organizations should create a strategy, including both endpoint security solutions and employee training, to combat these threats.