Owlglass

Fileless Malware

What is Fileless Malware?

Traditionally, antivirus and other endpoint security products have focused on files (executables) to detect and prevent malware. There are several advantages to this. Files can be hashed, queried in reputation services, examined by both static analysis and machine learning, and easily excluded for false detections.

This is a problem for hackers: if the malware’s signature is detected two days after release, the attacker’s ROI (return on investment) may be significantly less than expected, or even negligible.

Fileless malware is malicious code that does not require using an executable file on the endpoint’s file system besides those that are already there. It is typically injected into some running process and executes only in RAM. This makes it far more difficult for traditional antivirus software and other endpoint security products to detect or prevent because of the low footprint and the absence of files to scan. These often utilize system processes available and trusted by the OS. Examples include:

  • VBScript
  • JScript
  • PowerShell
  • Windows Management Instrumentation (WMI)
  • Batch files
  • Mshta and rundll32 (or other Windows signed files capable of running malicious code)

Malware hidden within documents is also considered fileless. Although such data files are not allowed to run code, there are vulnerabilities in Microsoft Office and PDF readers that adversaries can exploit to obtain code execution. For example, an infected document could trigger a malicious PowerShell command. There are also a few built-in functionalities that allow code execution within documents, like macros and DDE attack.

How Does Fileless Malware work?

The most common form of fileless malware in the wild is when a victim clicks on a spam link within an email or fraudulent website. That link or website then loads the Flash application and implements a relevant exploit in order to infect the user’s machine. Afterward, the malware uses shellcode in order to run a command that allows it to both download and execute the payload solely within memory.

Characteristics

This type of malicious software makes use of programs that are already on the computer. Its behavior can’t be detected by heuristics scanners and it has no identifiable code or signature.

Additionally, fileless malware resides within the memory of the system.

In order to function, it takes advantage of the processes of the infected operating system. More advanced fileless malware can also be combined with other types of malware to facilitate complex cyberattacks. It can even circumvent both whitelisting and sandboxing under the right circumstances.

Stages of a Fileless Malware Attack

Such attacks function in a fairly unique way:

Malware gains access to the machine

oftentimes with a phishing email or social engineering tactic, or perhaps compromised credentials

The program establishes persistance

implementing a backdoor

data exfiltration

Common Fileless Malware Techniques

Memory resident malware

By using the memory space of a real Windows file, attackers can load malicious code that lies dormant until activated. The fileless aspect is that the malware can’t be detected by standard file-scanning antivirus software.

Rootkits

Because rootkits exist on the kernel rather than in a file, they have powerful abilities to avoid detection. They are 100% fileless, but fit into this category as it evolves.

Windows Registry Malware

Like in the example mentioned above, these attacks takes advantage of the Windows Registry database that stores low-level settings for various applications. The malware relies on code executed through a file, but this file is set to self-destruct after execution, allowing the malware to persist as fileless.

False credentials

As the name suggests, this type of attack involves using compromised credentials from a legitimate user (aka – stolen username and password). After the hacker has gained access to the system, they then implement shellcode in order to facilitate their attack on the machine.

In extreme cases, they may even place code within the registry in order to establish ongoing access to the computer.

Fileless ransomware

For those who are unfamiliar with this type of malware, ransomware is a malicious program that hackers use in order to extort money from their victims. They often encrypt sensitive data and threaten to delete it unless a certain amount of money is paid, often via cryptocurrency.

When this type of fileless attack occurs, hackers are able to carry out the attack without ever writing to the disk of the machine. This makes it difficult to discern until it’s too late.

Exploit kits

Threat actors use a collection of tools known as exploit kits in order to take advantage of vulnerabilities on a victim’s computer. These attacks generally begin as a typical fileless malware attack would, meaning they often convince the user to click on a fraudulent link.

Once the program is able to infiltrate the machine, the exploit kit can scan the system to determine vulnerabilities to take advantage of and then come up with a specific set of exploits to deploy. Oftentimes, the malware will go undetected and gain extensive access to the system and data.

The problem

One of the reasons fileless malware is so compelling is that security products cannot just block the system files or software that are utilized in these kinds of attack. For example, PowerShell: More importantly, from a defensive point of view, blocking it would be futile: There are many public sources explaining how to bypass the PowerShell execution policy, and other ways to use it that bypass the PowerShell.exe block. To name a few:

  • Run PowerShell with dlls only, with a simple rundll32 command using PowerShdll
  • Convert PowerShell scripts into other EXE files, with tools like PS2EXE
  • Use malware that utilizes its own copy of PowerShell.exe or modifies the local PowerShell to avoid recognition of PowerShell by security products
  • Embed a PowerShell script in the pixels of a PNG file and generate a one-liner to execute it using Invoke-PSImage

Blocking MS Office Macros

In an attempt to eliminate this attack vector, Microsoft added an option to disable macros as a site setting (starting in Office 2016). However, most environments still allow them, so security vendors have mainly tackled this in two ways:

  • Block macros across the board – this enforces the same restrictions being offered by Microsoft for organizations that can do without macros
  • Extract the macro code for static analysis or reputation checks – this can work in some cases. However, the shortcoming of this approach is that such code is extremely difficult to classify and detect within a tolerable false positive rate, especially for never-seen-before malicious macros. In addition, very few repositories of benign and malicious code exist. Another option is looking for common functions typically found in attacks, but again these are variable and not widely-catalogued

Server-Side Detection

Some products use agent-side monitoring only and make the decision on the server or in the cloud. This approach has the same disadvantages as any detection that does not happen on the endpoint. Mainly, in order to work, it requires connectivity and prevention is impossible because the agent has to wait for the server to respond before acting.

Detection

Behavior, not identity

The key is to look at the behavior of processes executing on the endpoint rather than inspecting the files on the machine. This is effective because, despite the large and increasing number of malware variants, they operate in very similar ways. The number of malware behaviors is considerably smaller than the number of ways a malicious file might look, making this approach suitable for prevention and detection.

Although SentinelOne uses multiple engines, including static and behavioral AI, the behavioral approach is extremely good at detecting and preventing this type of attack because it is agnostic regarding the attack vector.

The effectiveness of this approach is demonstrated in examples like the WannaCry campaign, where SentinelOne was able to defend customers before the ransomware had been seen in the wild.