Fileless malware can quickly gain full access to network, computer and even browser activity (including login credentials) without the victim knowing.
The Rise of Fileless Malware
Many of the early infectious programs that we now know as malware were initially written as experiments or pranks. With the expansion of broadband internet, these infectious programs became more frequently designed for profit. Since the late 1990s, many widespread computer viruses, trojans and worms have been designed to take control of end users’ computers to steal business, personal and financial information. In recent years, these infections have evolved into ransomware, spyware, click fraud and distributed denial-of-service attacks used for profit and sabotage.
Malware is typically spread by an executable program being copied onto the victim’s computer. The executable is usually disguised inside an infected file attachment such as a Word document, PDF or JPEG, but it can also arrive via external media devices, mobile phones and browser “drive-by” attacks. Once the malware is executed, the file’s instructions are loaded into the machine’s memory, where they can be used to download additional malware or “phone home” to the people controlling it. The installation itself is handled by a separate program that involves a file and writes to the computer’s hard disk. It is that active process that causes the damage and leaves infection “residue” on the host system’s hard drive, even when the malware attempts to avoid detection.
The Difference Between Malware and Fileless Malware
Fileless malware first appeared in 2017. Evolving from successful malware techniques, fileless malware aims to never have its content written to the infected computer’s hard drive. Fileless malware doesn’t involve a second program downloaded by an installer. Instead, it loads directly into memory as system commands, runs immediately and causes trusted programs installed on the machine to perform maliciously, often continuing to run until the host device is powered down completely. One of the most common methods of delivering a fileless malware attack is through webpages. Since HTML, the formatting
The code for fileless malware is not stored in a file nor installed on the victim’s machine; instead it writes its script into the Windows Registry, the part of the Windows operating system used to launch programs at startup or on a schedule. Since it does not write any part of its activity to the computer’s hard drive, it is very resistant to existing security strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern analysis, time-stamping, etc., and it leaves very little evidence that digital forensic investigators could use to identify fraudulent activity following a data breach or security incident.
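Because the Registry autostart keys are where the article says a fileless script persists, a defender’s first check is to audit them. The following read-only PowerShell audit is an added example, not code from the article or from Pivotal IT; the key paths are the standard Run/RunOnce locations, and the keyword list is an assumption about what a suspicious autostart value looks like (script engines, WMI, encoded or hidden PowerShell).

```powershell
# Added example (not from the Pivotal IT article): list autostart Registry
# values that launch a script engine, WMI or an encoded/in-memory PowerShell
# command. Read-only; run from an elevated prompt to see HKLM values.

$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicator list: script hosts and PowerShell switches that rarely
# belong in a legitimate autostart value. A match is a lead to investigate,
# not proof of infection.
$suspiciousPattern = '(?i)(powershell|pwsh|wmic|wscript|cscript|mshta|rundll32|regsvr32|' +
                     '-enc\b|-encodedcommand|-e\b|frombase64string|iex\b|invoke-expression|' +
                     'downloadstring|-nop\b|-w(indowstyle)?\s+hidden|bypass)'

# Get-ItemProperty adds these provider properties; they are not Registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-DecodedCommand {
    param([string]$Value)
    # If the value uses -EncodedCommand / -enc / -e, show the analyst the plaintext
    # (PowerShell encodes the command as UTF-16LE base64).
    if ($Value -match '(?i)-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return '<undecodable>' }
    }
    return $null
}

$findings = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        if ($cmd -match $suspiciousPattern) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Decoded = Get-DecodedCommand $cmd }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No suspicious autostart entries found.' }
```

Scheduled tasks and WMI event subscriptions are other autostart locations the article alludes to; this script covers only the Run/RunOnce keys, so treat an empty result as one check passed rather than a clean bill of health.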
The response to fileless malware attacks hasn’t come from the anti-malware industry. Because these attacks target Windows services to execute, it was Microsoft that responded with a fix.
Avoiding Fileless Malware Attacks
Defense against any type of malware begins with keeping your software up to date. Microsoft has been very effective in blocking the exploitation of PowerShell and WMI, so ensuring Windows machines are up to date should be a priority.
Microsoft Office software has macros turned off by default, but it is still important to remind employees not to enable macros in attachments. Although Office macros are not a main vector for fileless attacks, the availability to view Office documents online in a browser creates the opportunity to run macros and launch calls to PowerShell or WMI.
Disable Flash for video viewing. On most websites Flash has been replaced with HTML5. Chrome and Firefox both provide the option to block Flash. In Internet Explorer, disabling ActiveX prevents Flash from loading. Microsoft Edge will not accept any Flash code.
Unauthorized use and/or duplication of this material without express and written permission from Pivotal IT is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Pivotal IT with appropriate and specific direction to the original content