JANUARY 9, 2023
Fileless malware is not just one specific kind of malware: it covers various initial access techniques, various persistence techniques, and various goals. What these attacks share is the way they make malicious activity difficult to detect.
The way fileless malware evades detection is that it does not download and install a malicious file on the victim’s computer. Instead of dropping its own files, it uses the victim’s own programs. The malicious payload is sometimes hidden in legitimate software and sometimes in a Windows Registry key.
Fileless malware does its work in memory, so it is not written to disk the way common malware is. That is why antivirus programs cannot detect it easily. It is also difficult to analyze, since there is no actual malicious file to analyze.
Memory code injection is an attack in which an attacker injects malicious code into the memory of a running process. This lets the attacker execute arbitrary code with the same permissions as the targeted process. Phishing campaigns are commonly used to infiltrate the victim’s system in the first place.
The Windows registry is a hierarchical database that stores configuration information for the operating system and other software installed on a computer. Attackers can use registry manipulation to gain persistent access to a computer, evade security software, and execute malicious code.
Registry manipulation attacks can take many forms. For example, an attacker might add a new registry key that points to a malicious DLL, which will be loaded and executed the next time the computer starts. Attackers can also wait for victims to enter credentials, or build timing logic into the payload so that it waits for a specific moment before acting.
They could also change an existing registry key to point to a different location, causing legitimate software to load and execute malicious code.
Often, clicking a file or link is enough to start a Windows registry manipulation attack. After the click, the malware writes its payload into the Windows registry and then disappears.
How Does Fileless Malware Work?
Fileless malware is a type of malicious software that can operate in the memory of a computer without installing itself on the hard drive as a file. This makes it difficult to detect and remove because it does not leave any traces on the system’s file system.
Fileless malware typically uses legitimate tools and applications that are already installed on the system to carry out its malicious activities. For example, it might use Windows PowerShell or the Windows Management Instrumentation (WMI) service to execute its code.
To infect a system with fileless malware, attackers often use social engineering tactics to trick users into clicking on a malicious link or opening a malicious attachment in an email. The malware then uses a known vulnerability in the system to gain access and execute its code in memory.
Once the fileless malware is running in memory, it can perform a variety of malicious activities, such as installing other malware, stealing sensitive data, or taking control of the system. Because it operates in memory and does not leave any files on the system, it can be difficult to detect and remove using traditional security tools.
A fileless attack happens when an attacker is able to execute malware in the memory of a computer system rather than installing it as a file on the hard drive. This makes it difficult to detect and remove with traditional security tools, which typically look for malware files on the file system.
Regardless of the method of delivery, once the fileless malware is executed in memory, it can perform a variety of malicious activities, such as installing other malware, stealing sensitive data, or taking control of the system.
The idea of fileless malware is to get a malicious payload onto the victim’s computer so that the attacker gains access to it. This can be done in various ways. We will examine them in two categories: exploiting vulnerabilities and phishing.
Since it is fileless, the malware is not downloaded and installed the way common malware is. The attacker first looks for a vulnerability that provides initial access to the target system. This can be done with scanning tools such as Nessus, Burp Suite, or Nmap. Besides running scanners, simply figuring out which software the victim uses may be enough: if the attacker knows the system, they can search the web to see whether it has known vulnerabilities. Once a vulnerability is found, the attacker tries to exploit it. The aim is to reach the victim’s computer and inject the malicious payload into it.
Phishing is a broad topic and, unfortunately, leaves a lot of room for attackers to be creative. It can be done with emails, imitation websites, face-to-face approaches, or malicious USB drives. It does not have to be technical; the main idea is to make the victim open the malicious document so that the attacker can execute the malicious payload on the victim’s computer.
It may seem strange to talk about phishing and fileless malware together. However, fileless malware is not a file containing malicious code; it is a malicious payload injected into registry keys or legitimate applications during post-exploitation. Therefore, the initial exploitation can be carried out with files even for fileless malware.
Phishing emails are emails sent by criminals who aim to deceive you. They impersonate real people or corporations so that you trust them and open the attachment, which is actually malicious. This is a traditional and common way to hack people.
Instead of making you download a file, attackers may persuade you to click a link. That link redirects you to a website that merely looks like the one you intended to visit. There they may harvest your credentials or make you download a malicious file.
A computer can also be infected by handing over a USB drive that contains malware. This is a rare form of phishing, but an APT group named Equation Group has used it. It is important to be suspicious of randomly found USB drives, especially in a company.
Persistence spares the attacker from exploiting the same vulnerability again and again to access the victim’s computer. To gain persistence, the attacker needs to hide the payload and create a backdoor so that the computer is easy to reach. Of course, if the target computer runs all the time (is rarely turned off), there is no need to gain persistence, since the attacker won’t need it.
One way to gain persistence is to add the payload to the registry. The attacker does not have to write the malware to disk, so it will not be detected by the antivirus software. Here are some commonly used registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
These keys run when the user logs on. The attacker inserts malicious code (in encrypted form) into the data of one of these keys, and when the key is processed, the malicious code runs. If the attacker wants the payload to run as the computer boots, regardless of which user logs on, the following keys are used instead. The malicious payload is added to the data of these keys in the same way. You may also want to replace your IP address with other characters to hide it.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
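As an added example (not from the original post, and not Brandefense’s code), the following PowerShell audit reads the Run keys listed above on a Windows host and flags values that match common fileless-launcher patterns. It assumes an elevated Windows PowerShell 5.1+ session; its indicator table is a constructed starting point rather than a complete ruleset.

```powershell
# Added example, not from the original post: audit the autorun keys listed above and flag
# values that look like fileless launchers (script hosts, encoded commands, download
# cradles, proxy binaries, or a long base64 blob stored directly in the value).
# Assumed: Windows PowerShell 5.1+, elevated; the indicator table is a constructed heuristic.

$AutorunKeys = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($name in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
    }
}

$Indicators = [ordered]@{
    'script host'      = 'powershell|pwsh|mshta|wscript|cscript'
    'encoded command'  = '-e(nc(odedcommand)?)?\s|FromBase64String'
    'download cradle'  = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIEX\b|Invoke-Expression'
    'proxy execution'  = 'rundll32|regsvr32|certutil|cmd(\.exe)?\s+/c'
    'base64-like blob' = '[A-Za-z0-9+/]{80,}={0,2}'
}

function Get-AutorunFindings {
    foreach ($key in $AutorunKeys) {
        # RunServices* only exist on old Windows versions; skip keys that are absent
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ...
            $value = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            $reasons = @(foreach ($label in $Indicators.Keys) {
                if ($value -match $Indicators[$label]) { $label }
            })
            # The launcher's executable: a quoted path, or the first whitespace-delimited token
            $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
            if ($exe -and -not (Test-Path -LiteralPath $exe) -and
                -not (Get-Command $exe -ErrorAction SilentlyContinue)) {
                $reasons += 'executable not found on disk'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Value   = $value
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

Get-AutorunFindings | Format-List
```

A value that launches an existing, signed program is not necessarily benign, and a value that trips the base64 pattern is not necessarily malicious; the output is a triage list, not a verdict.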
There are more measures an attacker can take to hide the malicious payload better. For example, the attacker can use the LOLBAS project to hide malicious code behind legitimate software. LOLBAS stands for “Living off the Land Binaries and Scripts.” Living off the Land is an attack style that hides itself inside legitimate software, and the LOLBAS project documents legitimate Windows binaries and scripts that can be abused to run malicious code under a trusted name. Another technique is not to execute the malicious payload directly but to call the file containing it, or to call a file that in turn calls the file containing the payload. These layers of indirection are used to make the analysts’ lives harder.
Fileless malware injects itself into legitimate software, and by doing so it can bypass antivirus protection because the malicious payload is never written to disk. Such attacks are also called “in-memory attacks”. Fileless malware achieves this by exploiting vulnerabilities in applications.
Since fileless malware attacks do not need a malicious file to play the leading role, they are difficult to detect with antivirus software, which scans suspicious files and quarantines them if necessary. To automate protection against fileless malware, we need phishing monitoring and behaviour monitoring services. Phishing monitoring watches employees’ email for suspicious attachments. Behaviour monitoring detects whether a legitimate program on the computer is doing something suspicious.
Besides monitoring services, there are also measures to take beforehand. Because attackers gain initial access by exploiting a vulnerability and then hide their payload inside legitimate software on the victim’s computer, software needs to be kept at its latest version. Software updates (especially security patches) close newly discovered vulnerabilities. If you do not use them, you can disable PowerShell and WMI, since they are the applications most commonly abused by fileless malware.
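As an added example (not from the original post or Brandefense’s products), this PowerShell snippet shows the behaviour-monitoring side for hosts where PowerShell cannot simply be disabled: it enables script block and module logging through the policy keys, then scans recent 4104 script block events for the decode, load, run pattern of in-memory loaders. It assumes an elevated Windows PowerShell 5.1+ session and treats its regexes as a constructed starting point.

```powershell
# Added example, not from the original post: turn on PowerShell script block and module
# logging through the policy registry keys, then review recent script block events
# (event ID 4104) for the behaviour of loaders that never touch disk.
# Assumed: Windows PowerShell 5.1+, elevated; the regexes are a constructed starting point.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    foreach ($pair in @(@('ScriptBlockLogging', 'EnableScriptBlockLogging'),
                        @('ModuleLogging', 'EnableModuleLogging'))) {
        $path = Join-Path $PolicyRoot $pair[0]
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name $pair[1] -Value 1 -PropertyType DWord -Force | Out-Null
    }
    # Module logging also needs the list of modules to record; '*' means all of them
    $names = Join-Path $PolicyRoot 'ModuleLogging\ModuleNames'
    New-Item -Path $names -Force | Out-Null
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

# Behaviours typical of in-memory loaders: decode a blob, load it reflectively, inject or run it
$LoaderIndicators = [ordered]@{
    'base64 decode'       = 'FromBase64String'
    'reflective load'     = 'Assembly\]::Load\('
    'memory manipulation' = 'VirtualAlloc|WriteProcessMemory|CreateRemoteThread'
    'download and run'    = 'DownloadString|DownloadData|\bIEX\b|Invoke-Expression'
    'nested powershell'   = '\bpowershell(\.exe)?\s+-'
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $text = [string]$evt.Properties[2].Value   # ScriptBlockText field of a 4104 event
        $hits = @(foreach ($label in $LoaderIndicators.Keys) {
            if ($text -match $LoaderIndicators[$label]) { $label }
        })
        if ($hits) {
            [pscustomobject]@{ Time = $evt.TimeCreated; ProcessId = $evt.ProcessId
                               Indicators = ($hits -join ', ')
                               Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) }
        }
    }
}

Enable-PowerShellLogging
Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize -Wrap
```

Script block logging records the decoded content of encoded commands, so the indicators are matched against what actually ran rather than against an obfuscated command line.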
The Brandefense Phishing Monitoring solution helps you prevent fileless malware attacks by identifying and blocking suspicious websites that may be used to deliver the malware. Our solution uses a combination of techniques, such as analyzing the content of fake URLs, checking for known malicious indicators, and examining the reputation of the company.
We use machine learning algorithms to detect patterns that indicate phishing attempts. Once a suspicious domain is detected, the solution can block it or flag it for further investigation, preventing the malware from being delivered.
There were, are, and will always be new security evasion techniques, and fileless malware is one of them. It does not save itself to disk, so antivirus software does not scan it. EDR solutions usually cannot tell legitimate files from malicious ones because fileless malware uses legitimate software. Therefore, security solutions need new techniques as well and must be updated regularly. A non-technical person should regularly update software and be suspicious of unknown emails.