Christopher Kruegel, CEO, Lastline, warns that fileless malware is ‘stealthy’ and ‘dangerous’. He talks to Intelligent CISO about why it is so hard to detect and how organisations can stay ahead of these destructive cyberthreats.
In the last year, fileless malware, also commonly referred to as a zero-footprint attack, has successfully infiltrated a number of financial and other institutions that are generally thought of as being very secure. It has received a lot of attention lately and with good reason – with no code stored in a file or written to the target’s machine, fileless malware can be tricky to detect and stop.
A further report by McAfee found that fileless malware rose 267% in Q4 2017, with the two most notable attacks being WannaCry and Petya. However, these kinds of attacks are evolving and are now even being used by cybercriminals to mine cryptocurrency.
Naturally, any new malware variant will cause a stir if it’s successfully disrupting our lives, at least until vendors patch vulnerabilities and anti-malware tools can detect it. Once under control, the attention given to most malware quickly subsides. But if you cannot detect it to begin with, how can you stop it? For many organisations, there will be no quick resolution – unfortunately, we are in this one for the long haul.
Although the malware is fileless when it’s in memory, it still needs a file to set up shop on a system. It does that the same way most malware ends up on a machine, through a malicious attachment or compromised website. It’s a two-step process. First the machine is exploited with shell code. Once the shell code is running, the second stage can be downloaded and executed and that’s the payload that’s the actual malware program. However, with fileless malware, the payload isn’t stored on disk. It’s run directly in memory. The benefit of that is there’s no file on disk that an antivirus program can look at.
So why is fileless malware so dangerous and why will it continue to expand for the foreseeable future? In simple terms: it works. Like everyone else, cybercriminals will usually take the path of least resistance and since this type of malware successfully defeats most security controls, it is rapidly becoming the attack methodology of choice. Its success is due to a number of factors.
Signature-based detection is useless on fileless malware
Fileless malware resides and operates completely within RAM and does not generally place malicious executables on the file system. Most malware detection tools on the market still depend on and look for known malware signatures within objects and files. Since these products are ineffective against fileless malware, companies that deploy these tools need to adopt new technologies that are fundamentally different from their existing products, meaning organisations will need to dedicate a significant amount of time and resources on redesigning their security solutions.
Static analysis is ineffective
Static document analysis has become an essential component of advanced malware detection because of its ability to find structural or other abnormalities in the file itself, not in how it is executed. While there are a number of malware detection tools on the market built to hunt for malware by detecting these abnormalities, they suffer from the same problem as signature-based technologies since, in this case, there is nothing to detect and/or analyse.
RAM provides a good hiding place for malware
Because fileless malware resides entirely in RAM, most security controls can’t even see it, let alone analyse it. Since an entire operating system can be run inside of RAM, it’s easy to see why it is attractive for malware authors. Executing malicious code in the memory of a system that doesn’t shut down or reboot for extended periods of time is an ideal situation.
It’s making cybercriminals money
It takes a great deal of time to develop new malware. To maximise their return on investment, cybercriminals will look for malicious technologies that can’t be easily defeated. Fileless malware is fundamentally different than most other malware and a lot of time will pass before most organisations can effectively respond to it. To put it more simply: the longer it takes to detect the malware, the more profitable it will become to cybercriminals.
Overall, fileless malware is stealthy and dangerous. It is not easy to detect and therefore not easy to identify. Although there are solutions that have figured out how to effectively detect and mitigate it, the majority of organisations haven’t added this type of protection to their security suite.
Because this malware is so attractive to cybercriminals, these kinds of attacks will continue to rapidly expand for the foreseeable future and all organisations should prepare.
Look for security options that can pick up malicious behaviour at the network level. Good overall cybersecurity hygiene will also help, for instance, patching of disclosed vulnerabilities or policies to ensure infected machines are identified and quarantined swiftly.