The future of client-side malware attacks is fileless. And it would appear the future has arrived with a growing number of attacks using fileless or in-memory malware to pose a threat to business that’s increasingly difficult to neutralize.
“There has been an unequivocal uptick in the use of fileless malware as a threat vector,” said Kevin Epstein, vice president of threat operations at Proofpoint. “We have seen more fileless malware since the beginning of 2017 than we saw in all of 2016 and 2015 combined.”
As the name suggests, fileless malware infects targeted computers leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools. During the past year, fileless attacks have been on the rise, and by Proofpoint’s estimates, pose a larger risk to businesses than commodity malware attacks. Epstein said fileless attacks will soon overtake traditional write-to-disk attacks if they haven’t already.
The technique, where attackers hide their activities in a computer’s random-access memory and use a native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new. Sophisticated attacks advanced adversaries were first spotted using fileless malware several years ago (PDF). But since then, there has been a steady rise in the numbers of attacks, according to experts.
Last June, fileless attacks were suspected in the hack the Democratic National Committee as a way to penetrate computer systems, according to Carbon Black. Earlier this year, Kasperky Lab researchers reported cybercriminals used fileless, memory-based malware to carry out attacks on nearly 140 enterprises worldwide. And just over the last few months there have been reports of dozens of fileless malware attacks.
Conventional malware isn’t going anywhere anytime soon, said Edmund Brumaghin, threat researcher with Cisco Talos. But he said, the increase in fileless attacks isn’t seeing a corresponding response on the defensive side because only a minority of organizations are running memory-analysis tools. “From the perspective of an attacker, that’s opportunity to take advantage of while they still can,” Brumaghin said.
No Files Left Behind
The way fileless malware works is an adversary first needs to run code in the targeted system’s random-access memory. Attackers accomplish this in a number of different ways such as exploiting vulnerabilities in browsers and associated programs (Java, Flash or PDF readers), or via a phishing attack that entices a victim to click on an attachment.
“There are binary holes and human holes. But the most common entry point we have seen for fileless malware is an email with an attached file. Or human gullibility,” Epstein said.
In fileless malware attack scenarios, no files are dropped on the targeted system. Rather code runs in the computer’s memory and calls on programs already on Windows systems such as PowerShell and Windows Management Instrumentation (WMI). Using these programs, attackers gain a foothold on systems to carry out a quick theft of data (usually application credentials found in memory), or establish a persistence on a machine by leaving a backdoor connection to a remote command and control server. Once in, an attacker can stay hidden in memory as it can traverses from one process to another looking for new opportunities and places to hide.
However, these type of attacks have one big drawback: When the application is closed or system is turned off, the in-memory attack ends.
To work around those limitations, attackers often will traverse from one application to another. And in some cases, PowerShell will be used to open an application such as Notepad or Calculator in the background, hidden from the user, so it can run in one of those application’s memory footprint. Another means of gaining persistence is by loading a PowerShell script that instructs the targeted computer to reconnect to the attacker’s command and control each time the PC started. However, tampering with the Windows registry is a technique that increases an attacker’s likelihood in being detected.