In warfare, stealth is an attacker’s best friend. You can’t fight what you can’t see. Worse still, you have no defenses if you don’t even know you’re under attack.
That’s why cyber attackers have been shifting their tactics toward fileless attacks, which don’t need to drop malware on a victim’s disk in order to work and so evade detection more easily. They use tools already installed on the computer, or run simple scripts and shellcode in memory, for example via Windows PowerShell. The malicious scripts are also frequently hidden in the Windows Registry and in Windows Management Instrumentation (WMI).
This so-called “living off the land” approach makes use of capabilities built into operating systems to attack victims. Because the exploits run in memory rather than residing on a hard disk, they’re extremely difficult to detect using traditional anti-malware tools like virus signatures.
As a result, they’re becoming increasingly popular. The Symantec Internet Security Threat Report (ISTR) “Living off the Land and Fileless Attack Techniques” notes that Symantec has found embedded malicious scripts in the Windows Registries of approximately 5,000 computers per day, and that during the first seven months of 2017 it had blocked around 4,000 attacks on endpoints per day by the fileless trojan Trojan.Kotver.
A study by the Ponemon Institute found that 29 percent of the attacks organizations faced during 2017 were fileless, up from 20 percent in 2016. That is expected to rise to 35 percent in 2018.
Security experts say fileless attacks allow hackers to remain concealed and make it more difficult for victims to remediate all of their machines, allowing attackers to stay alive in an environment longer.
Portrait of Fileless Attacks
One of the most well-known hacks was a fileless one, when documents were stolen from the Democratic National Committee (DNC) and released in an attempt to influence the 2016 presidential election. Phishing emails containing malicious links were sent to DNC staff. When the links were clicked, the fileless attack commenced using PowerShell and WMI.
“Phishing links and drive-by websites are frequently how fileless attacks are launched,” says Charles Gaughf, Security Lead with (ISC)², a cyber security non-profit organization.
A less well-known fileless attack hit more than 140 banks and financial institutions in over 40 countries early in 2017. It worked its way into systems via an unpatched server vulnerability. Once there, it used PowerShell scripts and the Windows Registry to load malicious code directly into memory.
That code then used standard Windows utilities, including the command-line utilities NETSH and SC, to give the attackers remote access to the infected systems. They used that access to install memory-resident ATMitch malware on ATMs and ordered the machines to dispense cash, which they then collected and made off with. No files were stored on any system, making the attack very difficult to detect.
Fileless Attack Families
Knowing your enemy is always a good thing. So, to help you protect yourself, here’s the rundown on the four broad types of fileless malware:
- Memory-only threats: These exploit vulnerabilities in Windows services to execute their payload directly in memory. They’re not new: as far back as 2001, the Code Red fileless worm infected more than 350,000 systems. Restarting a system infected by a memory-only threat disinfects it.
- Fileless persistence methods: In these attacks, even though the malicious payload isn’t loaded onto the hard disk, the infection survives a reboot. It does this in a variety of ways, including storing malicious scripts in the Windows Registry, which kick off the fileless infection again after a restart.
- Dual-use tools: These attacks turn legitimate Windows system tools and applications to nefarious purposes, for example to harvest credentials for target systems or to send data back to the attackers.
- Non-Portable Executable (PE) file attacks: A type of dual-use tool attack that combines a script with a legitimate tool. These attacks frequently use PowerShell, WScript or CScript.
How To Protect Yourself
Fileless attacks typically can’t be detected by traditional anti-virus software, but there are a couple of things organizations can do to protect themselves. First, identify where your sensitive data lives and monitor who is accessing it and for what purpose. Second, fileless attacks still begin by exploiting a vulnerability or through social engineering, so make sure systems are patched and protected and that employees are trained to recognize social engineering.
(ISC)²’s Gaughf adds that companies should also focus on “threat intelligence and streaming prevention that looks at the behaviors of normal applications and processes as they execute and communicate with one another.”
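As an added example that is not part of the article or of any vendor’s product, the Python sketch below applies the behavioral idea behind the families list above and Gaughf’s point about watching how processes execute: it reads constructed process-creation events in a hypothetical key=value format and flags the combinations the article describes (a script host given an inline or encoded payload, a script host launched by WMI or an Office application, and NETSH or SC launched from a script host). The event format, the process-name sets and the sample log are assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Script hosts the article names as carriers of in-memory payloads.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
# Parents that rarely need to spawn a script host: the WMI provider host and Office apps.
ODD_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Dual-use admin utilities the article mentions (NETSH and SC).
DUAL_USE = {"netsh.exe", "sc.exe"}
# Switches or cmdlets suggesting the payload arrives inline rather than from a file.
INLINE = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\b|invoke-expression|\biex\b|downloadstring", re.I)
# Hypothetical flat event format used by the constructed sample below.
LINE = re.compile(r'parent=(\S+) image=(\S+) cmdline="(.*)"$')

@dataclass
class Event:
    parent: str
    image: str
    cmdline: str

def parse(line: str) -> Event | None:
    m = LINE.match(line.strip())
    return Event(*m.groups()) if m else None

def classify(ev: Event) -> list[str]:
    """Return the reasons an event looks fileless; an empty list means no match."""
    image, parent, reasons = ev.image.lower(), ev.parent.lower(), []
    if image in SCRIPT_HOSTS and INLINE.search(ev.cmdline):
        reasons.append("script host given an inline or encoded payload")
    if image in SCRIPT_HOSTS and parent in ODD_PARENTS:
        reasons.append(f"script host spawned by {parent}")
    if image in DUAL_USE and parent in SCRIPT_HOSTS:
        reasons.append(f"dual-use tool {image} launched from {parent}")
    return reasons

def scan(log: str) -> dict[str, list[str]]:
    """Map each matching command line to its reasons; benign lines are dropped."""
    events = filter(None, map(parse, log.splitlines()))
    return {ev.cmdline: why for ev in events if (why := classify(ev))}

# Constructed sample telemetry (not from any real host); payloads are placeholders.
SAMPLE_LOG = """\
parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File C:\\Scripts\\backup.ps1"
parent=winword.exe image=powershell.exe cmdline="powershell.exe -NoP -W Hidden -Enc <BASE64_PLACEHOLDER>"
parent=wmiprvse.exe image=powershell.exe cmdline="powershell.exe -nop -c IEX(<PLACEHOLDER>)"
parent=powershell.exe image=netsh.exe cmdline="netsh.exe interface show interface"
parent=services.exe image=sc.exe cmdline="sc.exe query wuauserv"
"""
```

Calling `scan(SAMPLE_LOG)` returns three of the five sample lines with their reasons; the scheduled script launched from Explorer and the service query from services.exe match no rule, which is the point of keying on parent and command line rather than on the script host alone.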
That means that there is one piece of good news in all this: If organizations are vigilant, they can protect themselves against fileless threats that they typically can’t even see.