Malware comes in many forms, but the most successful ones are usually fileless. This is probably why organizations are seeing increasing numbers of attacks using fileless malware. According to the 2017 State of Endpoint Security Risk Report by the Ponemon Institute, 54% of companies experienced one or more successful attacks that compromised data and/or IT infrastructure. Of these attacks, 77% utilized exploits or fileless techniques. The report also stated that fileless attacks are almost 10x more likely to succeed than file-based attacks.
What is Fileless Malware?
Fileless malware is also known as zero-footprint, macro attack, or non-malware. What differentiates fileless malware is that it’s exclusively designed to work in-memory (i.e. in RAM) and does not need to install malicious software to the computer’s hard drive. This also means that it leaves no immediate trace of its existence behind, making it hard for traditional antivirus security solutions to detect.
The fileless malware code is usually injected into running processes such as iexplore.exe or javaw.exe, which is then used for the exploit. The common mode of delivery is through a malicious website which the user may have been redirected to after clicking the attacker’s advertisement.
How Fileless Malware Works
The malware code then takes control of default Windows tools, typically PowerShell and Windows Management Instrumentation (WMI), and uses them for the malicious activity. Since these tools are part of the daily workflow of many IT professionals, it is practically impossible to stop employees from using them.
Once inside the system, fileless malware can spread laterally across the network to steal data from your computer or to install other forms of malware to give it persistence, because fileless malware cannot survive a reboot.
Protecting Your Endpoints Against Fileless Malware
Fileless malware is tough to detect because it does not have a payload file to infect the system. This makes it almost impossible for antivirus software to generate a signature definition based on the malware’s characteristics. Also, the fileless malware uses the system’s own commands to execute the attack, making it difficult to detect based on behavior.
Fileless malware has been used in the past to gain entry in special-purpose systems like banking ATMs and retail POS terminals. Forensic reports found that fileless malware had a role to play in the famous 2014 Target store chain hack and other attacks on banking systems. The uptick in fileless malware attacks raises serious concerns for endpoint security, especially for enterprises which use customer-facing endpoints like ATMs, ticketing counters, self-service kiosks, etc.
To eliminate the threat of fileless malware, businesses need to change their security strategy from reactive (signature-based) to proactive. This can be achieved by using security solutions that grant administrators complete visibility and control right at the process-level to effectively lock-down and make the systems tamper-resistant. Taking a kernel-level approach combined with contextual behavior analysis of suspicious activities (processes, child processes) can ensure that only known whitelisted processes – including in-memory processes – are allowed. This not only protects end-points and servers against fileless malware, but also protects from phishing, zero-day exploits, ransomware, and APT lateral threats.
See how a robust, signature-less approach to protecting endpoints and servers, including legacy and unpatched systems and special purpose terminals, helps win the battle against known and unknown cyber threats.