What is Fileless Malware?
Fileless malware is not just a specific kind of malware. It has various initial access techniques, various persistence techniques, and various goals. This attack is known for the way it makes it difficult to detect malicious activity.
The way fileless malware makes it difficult to detect is that it does not download and install any malicious file into the victim’s computer. Fileless malware does not use files or use the victim’s own programs. The malicious payload is sometimes hidden in legitimate software or sometimes in a Windows Registry Key.
Fileless malware does its job in memory, so it is not written to disk as common malware does. That’s why antivirus programs cannot detect it easily. It is also difficult to analyze fileless malware since there is no actual malicious file to analyze.
Goals
- Stealing victim’s credentials: Fileless malware may gain the victim’s credentials so that the attack’s scope may enlarge. If the attacker gains the victim’s email credentials, the attacker may use that email account for a phishing campaign. People in the victim’s company will see that the sender’s email account is legitimate, and they may make themselves new victims. This attack can be made by a malicious fileless malware payload that searches files named “password.txt” or “accounts.txt.” If any one of these files is found, it may probably contain the victim’s credentials.
- Lateral movement and gaining persistence: If the victim is an employee, the target may not be him/her. The attacker may want the bigger victim’s from the same company that the first victim works for. The attacker may also want to wait for a more critical time to attack. So, gaining persistence is important for waiting for critical time to attack and attack again and again.
- Stealing victims’ files and data: If the victims are important people or hold important documents for the company that they work for, their documents may be targeted, too. The attacker may aim to steal those files by direct or indirect hacking. Direct hacking is directly accessing the target’s computer. Indirect hacking is accessing another person related to the actual target and making lateral movements to reach the actual target.
- Ransomware fileless malware: Normally, common ransomware uses malware to encrypt the victim’s files and thus demand ransom. However, that malware (ransomware) needs to be written to disk, but that is not the case with fileless malware. Fileless malware inserts its malicious code into the memory or into the legitimate software that the victim uses. The inserted payload encrypts the files and demands ransom from the victim. If there is any encryption tool needed, the tools the victim’s computer already has can be used.
Types of Fileless Malware Attacks
Memory Code Injection
Memory code injection is an attack in which an attacker injects malicious code into a running process’s memory. This allows the attacker to execute arbitrary code with the same permissions as the targeted process. Phishing campaigns are used to infiltrate the victim’s system.
Windows Registry Manipulation
The Windows registry is a hierarchical database that stores configuration information for the operating system and other software installed on a computer. Attackers can use registry manipulation to gain persistent access to a computer, evade security software, and execute malicious code.
Registry manipulation attacks can take many forms. For example, an attacker might add a new registry key that points to a malicious DLL, which will be loaded and executed the next time the computer starts. Also, attackers can wait for victims to enter credentials or write a timing code into the payload to wait for the specific time for the attack.
They could also change an existing registry key to point to a different location, causing legitimate software to load and execute malicious code.
Basically, clicking a file or link is enough for Windows registry manipulation attacks. After the click, malware writes the payload on the Windows registry and disappears.
How Does Fileless Malware Work?
Fileless malware is a type of malicious software that can operate in the memory of a computer without installing itself on the hard drive as a file. This makes it difficult to detect and remove because it does not leave any traces on the system’s file system.
Fileless malware typically uses legitimate tools and applications that are already installed on the system to carry out its malicious activities. For example, it might use Windows PowerShell or the Windows Management Instrumentation (WMI) service to execute its code.
To infect a system with fileless malware, attackers often use social engineering tactics to trick users into clicking on a malicious link or opening a malicious attachment in an email. The malware then uses a known vulnerability in the system to gain access and execute its code in memory.
Once the fileless malware is running in memory, it can perform a variety of malicious activities, such as installing other malware, stealing sensitive data, or taking control of the system. Because it operates in memory and does not leave any files on the system, it can be difficult to detect and remove using traditional security tools.
How Does A Fileless Attack Happen?
A fileless attack happens when an attacker is able to execute malware in the memory of a computer system rather than installing it as a file on the hard drive. This makes it difficult to detect and remove malware files using traditional security tools that typically look for them in the system.
Regardless of the method of delivery, once the fileless malware is executed in memory, it can perform a variety of malicious activities, such as installing other malware, stealing sensitive data, or taking control of the system.
Initial Access Stage
The idea of fileless malware is downloading a malicious payload into the victim’s computer so that the attacker gains access to the victim’s computer. It can be done in various ways. We will examine those ways in two categories: Exploiting vulnerabilities and phishing.
Exploiting Vulnerabilities
Since it is fileless malware, it does not download and install malware just like common malware does. The attacker searches for any vulnerability that provides initial access to the target system. Searching for vulnerability can be done with vulnerability searching tools like Nessus, Burp Suite, or Nmap. Besides using those vulnerability scanners, figuring out which system the victim uses may be enough too. If the attacker knows which system the victim uses, that system can be searched on the web to see whether it has known vulnerabilities. After searching and finding the vulnerability, the attacker tries to exploit that vulnerability. The aim here is reaching to the victim’s computer to inject the malicious payload into the victim’s computer.
Phishing
Phishing is a broad topic and, unfortunately, open to being creative for attackers. It can be done with emails, imitated websites, face-to-face methods, or malicious USBs. It does not have to be technical, but the main idea is to make the victim download the malicious document so that the attacker can execute the malicious payload inside the victim’s computer.
It may seem strange when we talk about phishing and fileless malware together. However, fileless malware is not a file containing malicious code. It is a malicious payload injected into registry keys or legitimate applications in post-exploitation. Therefore, exploitation can be made with files for fileless malware, too.
Phishing emails are emails coming from illegal people aiming to deceive you. These illegal people imitate real people or corporations so that you can trust them and download the file in the attachments, which is actually malicious. This is a traditional and common way to hack people. For more information about phishing emails, click here.
Instead of downloading a file, attackers may persuade you to click a link. That link will redirect you to a website that just looks like the website that you want to go to. They may harvest your credentials there or make you download a malicious file.
Infecting a computer can be made by passing a USB that contains malware. This is a rare version of phishing. However, an APT group named Equation Group, used this. It is important to be suspicious about randomly found USBs, especially in a company.
Persistence Techniques
Gaining persistence prevents the attacker from exploiting the same vulnerability again and again to access the victim’s computer. The attacker needs to hide the payload and create a backdoor to gain persistence so that it will be easy to reach the computer. Of course, if the target computer runs all the time (rarely turned off), there is no need to gain persistence since the attacker won’t need it.
Registry Keys
One way to gain persistence is by adding the payload to the registry keys. The attacker does not have to write the malware to disk so that the malware will not be detected by the antivirus software. Here are some generally used registry keys:
HKEY_CURRENT_USER\ Software \ Microsoft \ Windows \ Current Version \ Run
HKEY_CURRENT_USER\ Software \ Microsoft \ Windows \ Current Version \ RunOnce
HKEY_CURRENT_USER\ Software \ Microsoft \ Windows \ Current Version \ RunServices
HKEY_CURRENT_USER\ Software \ Microsoft \ Windows \ Current Version \ RunServicesOnce
These registry keys run when the user logs on. The attacker inserts a malicious code (in encrypted form) in the data part of one of these registry keys, and when these registry keys are called, malicious code runs. If the attacker wants to run the payload as the computer boots, not regarding which user logs on, then the following registry keys are required to be used. The malicious payload can be added to the data part of these registry keys. You may also want to replace your IP address with other characters to hide it.
HKEY_LOCAL_MACHINE\ Software \ Microsoft \Windows \Current Version \ Run
HKEY_LOCAL_MACHINE\ Software \ Microsoft \Windows \Current Version \ RunOnce
HKEY_LOCAL_MACHINE\ Software \ Microsoft \Windows \Current Version \ RunServices
HKEY_LOCAL_MACHINE\ Software \ Microsoft \Windows \Current Version \ RunServicesOnce
There are more measures that the attacker can take to make the malicious payload more hidden. For example, the attacker can use the LOLBAS project to hide the malicious code in legitimate software. LOLBAS means “Living off the Land Binaries and Scripts.” Living off the Land is an attack type that hides itself in legitimate software. LOLBAS project contains malicious files with legitimate names. Another technique that can be applied as a measure for the attacker is not executing the malicious payload immediately but calling the file containing that malicious payload or calling the file that calls the file containing the malicious payload. This logic can be applied to make the analysts’ life harder.
Injecting Itself into the Victim’s Legitimate Software
Fileless malware injects itself into legitimate software, and by doing that, it can bypass antivirus security because the malicious payload is not written to disk. This is also called “in-memory attacks”. Filelessmalware can do this by exploiting vulnerabilities of applications.
- PowerShell is generally used since it is a trusted application, and it is easy to write a payload on it. The attacker can basically write the malicious payload on it (this is called shellcode injection).
- Fileless malware also injects processes. For example, a legitimate process can be created and stated as suspended. After that, the attacker can inject the malicious payload into the process. It can wait for the victim to enter any credentials.
- Another possible way to inject code is to modify the first lines of a legitimate file. The modification redirects the file to another function which is written by the attacker. So, the legitimate file is redirected to malicious code. The malicious code does its job and returns the legitimate process to the legitimate file from which it comes. So, it seems nothing happened from the perspective of security systems, but actually, the malicious code is run during a process is run.
- There are Windows libraries that can help developers (named DLL). DLLs work on the disk. Filelessmalware loads the DLL into the memory, and some reflective functions are loaded. So, the process does two jobs: Running the malicious payload and running the functions that it requires to do.
- The malicious payload can be injected into the Atom Tables. Atom Tables encode strings so that processes are able to communicate with each other. When a legitimate program calls the AtomTable, the malicious payload will be executed.
How To Protect Against Fileless Malware Attacks?
Since fileless malware attacks do not require any malicious file to play the leading role, it is difficult to detect these kinds of attacks with antivirus software. That is because antivirus software scans suspicious files and puts them into quarantine if necessary. To automatize protection against fileless malware attacks, we need phishing monitoring and behaviour monitoring services. Phishing monitoring watches employees’ emails to see whether there are suspicious attachments. Behaviour monitoring detects whether there is any suspicious activity of a legitimate file in the computer.
Besides monitoring services, there are also measures to be taken beforehand. Because of the attackers gain initial access by exploiting a vulnerability and hiding their malicious payload inside of the legitimate software in the victim’s computer, we need software updated to its latest version. Software updates (especially the security patches) close the newly discovered vulnerabilities. If you do not use it, you can disable PowerShell and WMI since they are mostly target applications to be used by fileless malware.
- Phishing and behaviour monitoring services
- Keeping software up-to-date
- Disabling PowerShell and WMI, if they are not used
How Can Brandefense Help You?
Brandefense Phishing Monitoring solution helps you to prevent fileless malware attacks by identifying and blocking suspicious websites that may be used to deliver the malware. Our solution uses a combination of techniques, such as analyzing the content of fake URLs, checking for known malicious indicators, and examining the reputation of the company.
We use machine learning algorithms to detect patterns that are indicative of phishing attempts. Once a suspicious domain is detected, the solution can block or flag it for further investigation and prevention of the malware.
Conclusion
There were, are will always be, new security evasion techniques. Fileless malware is one of them. It does not save itself into the disk so that antivirus software does not scan it. EDR solutions usually cannot differentiate legitimate files from malicious files because the fileless malware uses legitimate software. Therefore, security solutions need to have new techniques as well and be updated regularly. A non-technical person needs to regularly update software and be suspicious of unknown emails.