For anyone not familiar with fileless malware attacks, they are a malicious code execution technique that operates completely within process memory. As the name suggests, there are no files dropped onto a hard drive, which is precisely why fileless malware attacks are able to escape detection-based cybersecurity solutions effectively. This includes everything from next-generation anti-virus (NGAV) to endpoint protection platforms (EPP) and current solutions, including EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), and MDR (Managed Detection and Response).
Fileless attack techniques are widespread—according to Aqua Security’s 2023 Cloud Native Threat Report, the number of fileless or modern battlefield attacks that exploit existing software, applications, and protocols has surged 1,400 percent in the last year.
Detection-Based Security Solutions Fall Short
To understand why detection-based security solutions such as EDRs miss the mark, it’s best to look at the different techniques they use to identify and detect possible malicious activity. The first is static analysis, which examines files, code, and binaries to identify possible threats. Static analysis moves quickly and can detect cyberattacks early on without activating malicious code and damaging systems. But with fileless malware, there is no static content to analyze, and that’s why EDRs struggle to detect the presence of this malware.
Next comes dynamic analysis, which examines software and file behavior during execution. Dynamic analysis is a far better alternative when looking to identify fileless malware, but it, too, is limited for two reasons.
First, it is resource-intensive. This is why dynamic analysis is done primarily in a controlled environment like a sandbox. Cybercriminals respond by deploying sandbox-aware malware, which can often lead to real threats being labeled as legitimate operations.
Second, dynamic analysis monitors behavior during execution, so fileless malware that operates directly in memory can sneak through without detection if the analysis tool isn’t monitoring memory-related activities or if the malware is using sophisticated techniques to hide its presence in memory.
EDRs also rely on behavioral analysis, which identifies threats by establishing a baseline of normal endpoint behavior and detecting anomalies. This involves monitoring system processes, API calls, user actions, and other activities. However, threat actors are increasingly deploying evasive techniques to bypass EDRs, including unhooking, direct/indirect system calls, exploitation of DLLs, and others. Many of these techniques are present in fileless attacks.
Types Of Fileless Techniques
One of the best ways to fight fileless is to understand the different techniques that are being used. Some of the more prevalent techniques in use today include:
Windows Registry manipulation: In this instance, the code is usually written and executed directly from the registry by a regular Windows process. This helps to achieve goals like persistence, bypassing allowlisting, and static analysis evasion.
Memory code injection: There are a variety of code injection techniques used today. Some include process hollowing, local shellcode injection, and reflective loading. In these instances, the malware resides within process memory while processes are running on the system. It then distributes and re-injects itself into legitimate processes that are vital to normal, day-to-day Windows operational activity.
Script-based: This is not a 100 percent fileless technique since it uses a file for the later in-memory execution of malware. Even so, script-based attacks create similar issues for detection solutions, making it a preferred method for maintaining stealth.
Packers: Packers are a way to compress files and are leveraged by cybercriminals in a variety of ways. These include signature re-creation, dynamic detection evasion, and, as a code injection method, rewriting an existing executable and recreating its code after decryption and remapping the new functionality.
While packing is used by both file-based and fileless malware, the detonation/unpacking process is a fileless process. Malware often hides its real API and functionality by encrypting its functions and executing position-independent code (shellcode/loader/decryptor).
This code doesn’t use much of the declared API and usually performs reflective loading of the next stage’s malicious library. We call this technique fileless because it runs malicious code created purely in memory without writing to the disk. A lot of known malware heavily uses packing and local code injection techniques to evade static analysis, including Emotet, REvil, Qakbot, IcedID, Vidar, and others.
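The memory code injection and reflective loading techniques described above leave one artifact a memory-aware tool can check for: executable memory that no file on disk backs. The following is an added example, not code from the article or from any vendor it mentions; the record schema (`pid`, `base`, `state`, `type`, `protect`, `head`) and the sample records are constructed, while the numeric constants are the documented Windows values returned by `VirtualQueryEx`.

```python
# Added example: triage of memory-region records for signs of in-memory code.
# Constants are the documented Windows values reported by VirtualQueryEx.
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
             PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

def score_region(region):
    """Return a list of findings for one region dict (hypothetical schema)."""
    findings = []
    if region["state"] != MEM_COMMIT or not region["protect"] & EXEC_MASK:
        return findings                      # not executable: out of scope here
    if region["type"] == MEM_PRIVATE:
        # Executable memory with no backing file: typical of injected code,
        # but also of JIT engines (.NET, browsers), so it still needs triage.
        findings.append("private-executable")
        if region["head"][:2] == b"MZ":
            # A PE image in private memory was not mapped by the OS loader.
            findings.append("pe-header-in-private-memory")
    if region["protect"] & PAGE_EXECUTE_READWRITE:
        findings.append("rwx")               # writable and executable at once
    return findings

def triage(regions):
    """Map (pid, base) -> findings for every region with at least one finding."""
    report = {}
    for r in regions:
        found = score_region(r)
        if found:
            report[(r["pid"], r["base"])] = found
    return report

# Constructed sample records, not captured from a real system.
SAMPLE = [
    {"pid": 4120, "base": 0x7FF600001000, "state": MEM_COMMIT, "type": MEM_IMAGE,
     "protect": PAGE_EXECUTE_READ, "head": b"\x48\x89\x5c\x24"},  # module .text
    {"pid": 4120, "base": 0x1F0000, "state": MEM_COMMIT, "type": MEM_PRIVATE,
     "protect": PAGE_EXECUTE_READWRITE, "head": b"\x90\x90\x90\x90"},
    {"pid": 4120, "base": 0x2A0000, "state": MEM_COMMIT, "type": MEM_PRIVATE,
     "protect": PAGE_EXECUTE_READ, "head": b"MZ\x90\x00"},        # PE, no file
    {"pid": 4120, "base": 0x300000, "state": MEM_COMMIT, "type": MEM_PRIVATE,
     "protect": 0x04, "head": b"\x00\x00\x00\x00"},               # PAGE_READWRITE
]

if __name__ == "__main__":
    for (pid, base), found in triage(SAMPLE).items():
        print(pid, hex(base), found)
```

The file-backed module and the plain heap region produce no findings; only the two private executable regions are reported.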
Last year, fileless attack techniques like process injection and PowerShell exploitation were among the most commonly reported MITRE ATT&CK techniques. The rise of fileless malware attack chains is something security teams need to take extremely seriously.
Undetectable Threats Extend Dwell Times
While there are many different types of fileless malware attacks, there are some common traits shared by all. Most notably, they are extremely hard to detect, and the time it takes for them to be discovered is growing, which explains why they have become increasingly popular within the cybercriminal community.
Between 2020 and 2021, the average dwell time for a threat grew by 36 percent, and the median dwell time for attacks that lead to ransomware deployment or data exfiltration is 34 days. And that’s just the median number of days. We’ve identified examples of fileless malware that remain at a remote endpoint for months, just waiting to act before being detected.
Fileless Malware Attacks Do More Damage
It should not surprise anyone when I say that fileless attacks are very effective—research from the Ponemon Institute found that they are ten times more likely to succeed than other attacks. They are also more apt to cause greater devastation than other attacks.
A great example is Ireland’s Health Service Executive (HSE). In 2021, the HSE was targeted by the Conti ransomware group, which used a phishing email with an attached malicious Excel macro to penetrate an endpoint in the HSE’s network. From there, with the help of a compromised version of the pen-testing tool Cobalt Strike, Conti operatives moved laterally through the network. It wasn’t until eight weeks later that the cybercriminals deployed ransomware.
The impact was devastating. The Conti ransomware group stole 700GB of unencrypted data. This included protected health information (PHI) that began to pop up on the dark web. And that’s not all. The Conti ransomware compromised at least 80,000 endpoints and shut down non-urgent operations across Ireland that service more than five million people. As a result, hospitals were forced to use a pen-and-paper operational model that hadn’t been used since the mid-1990s. It wasn’t until the ransomware group released a decryption key one week later that these issues were resolved.
How to Reduce Fileless Malware Attack Risk
Naturally, organizations do not want to become the next HSE, yet as these fileless malware attacks continue to grow, security teams that count on detection-based tools to protect them are significantly exposed. Fighting back starts with adopting a zero-trust approach where they segment networks and deploy strict access controls. These steps can stop fileless threats from accessing and exploiting permissionless data flows.
Next comes Automated Moving Target Defense (AMTD), which today is one of the only technologies capable of reliably stopping fileless attacks and other advanced threats. This preventive technology shuts down the attack pathways that threats use at the application level. For anyone not familiar with AMTD, it prevents threats without needing to detect them. It changes a business’s runtime environment randomly, which results in an attack surface that is highly unpredictable. At the same time, AMTD also leaves decoy traps where any attacks have been previously.
As for trusted applications, these are updated each time the memory environment is morphed, while any code attempting to execute against a decoy is terminated and locked so teams can conduct an extensive forensic analysis.
Oren T. Dvoskin is the Product Marketing Director at Morphisec.