Fileless Malwares
A fileless malware is a special type of malware that abuses and exploits legitimate programs to infect the system. It does not rely on executing or downloading some file and then infecting, thus leaving no footprint and making it harder to detect and remove.
It targets the programs and applications present in the system’s RAM and abuses their functionality to infect the system.
Anatomy of a Fileless Malware Attack
Fileless malwares fall into the category of Low-Observable-Characteristics (LOC) and Living Off the Land (LOL) attacks, which are a type of stealth attacks that evade most of the security solutions and makes digital forensics and incident response a hell of a job. Fileless malwares do not have a signature attack pattern and are not associated with any particular attack vector. They may exploit a zero-day vulnerability in an Operating System or inject some malicious code into the memory. The most commonly exploited programs are listed in LOLBins, which includes Windows PowerShell, Microsoft Office macros, Windows Management Instrumentation (WMI) to list a few. The principle of operation of such malwares is simple: “Use a legitimate activity to mask an illegitimate activity.”
Let us consider the simplest attack scenario, where the victim is a typical computer user with no sense of computer security whatsoever. The victim browses to a malicious website, the website asks the user to grant permission to the browser to load JavaScript or Flash. As soon as the user grants the permission, the malware injects itself into the system memory, by exploiting any of the browser’s system calls and the attacker gets the shell of the victim and the victim keeps on doing his work unaware of what has happened at the backend.
Browser Exploitations and Fileless Intrusions
In recent times, web browsers have been the target of most fileless attacks, because of the fact that web browsers are usually installed on every system and the attacker can very easily target a user using a web browser. The attacker has to find a command in the browser’s application code, a function or a method that uses system calls, and he can prepare an exploit code by injecting his own shellcode and abusing the system calls.
Let us consider the example of MS12–063. It was disclosed in 2012 and affects all versions of Internet Explorer prior to IE 10. There’s a dependency of the exploit that the target system should have java installed on the system. This exploit abuses the “execCommand” system call of Internet Explorer, and uses Java Return Object Programming (ROP) to achieve Remote Code Execution.
Detection Analysis of a Fileless Malware
As no traditional malware is used, therefore it becomes difficult for end-point security solutions to detect the attack, as there is no signature that an antivirus would detect. This type of malwares resides almost completely in the memory and use legitimate processes and system programs to propagate. This makes it challenging for security analysts to decide which application is being used for a benign activity and which is not.
How to Defend Against Fileless Malware Attacks
- Frequently check and detect PowerShell, CMD and other benign applications for unusual activities when not in use.
- Conduct regular security assessments on the network and the system.
- Remove the administrative use of internet browsers, PowerShell etc. by restricting access via the Windows Group Policy.
- Restrict internet browsers and flash players to launch interpreters.
- Install and EDR and MDR and turn on strict monitoring for any anomalous behavior.
