WHAT IS FILELESS MALWARE?
A fileless infection (fileless malware) is malicious coding that exists only in memory rather than installed to the target computer’s hard drive. Fileless malware is written directly to RAM. The code is injected into some running process, such as iexplore.exe or javaw.exe, which is then used for the exploit. (TechTarget.com)
Unlike attacks carried out using traditional malware, fileless malware attacks don’t entail attackers installing software on a victim’s machine. Instead, tools that are built-in to Windows are hijacked by adversaries and used to carry out attacks. Essentially, Windows turns against itself.
The fact that traditional malware isn’t used is an important point. This means that there’s no signature for antivirus software to detect, greatly decreasing the effectiveness of these programs in detecting fileless malware attacks. And while next-generation security products claim to detect malicious PowerShell activity, the reality is that discovering fileless malware attacks is very challenging.
While fileless malware may not grab as many headlines as ransomware or other cybernasties, these attacks are still a major security issue and are used in many campaigns. In fact, we’ve seen fileless malware used in several campaigns, including Operation Cobalt Kitty, which targeted a major Asian corporation. Executing the threat through malicious commands run by the legitimate system allowed the attackers to operate undetected for nearly six months. Since a trusted program executed these commands, the company’s security staff as well as the security tools it used assumed the commands were legitimate.
PROTECT YOUR BUSINESS
Despite the claims that this brand of malware is undetectable, let’s be clear: it is not literally undetectable. It only seems that way when compared to earlier generations of malware. The steps below aren’t foolproof, but they do provide a layered, systematic security approach that should minimize risk to your organization.
- Disable macros if you’re not using them. If you are, digitally sign and use only those vetted specifically for the company. No signature means don’t use it!
- Regularly check security logs for inordinate amounts of data LEAVING the network. Hint: it could be going to a bad guy.
- Look for changes in the system’s usual behavior patterns when compared against baselines.
- Update your software regularly.
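The two log-related steps above (watching for unusual amounts of data leaving the network, and comparing current behavior against a baseline) can be turned into a small detection routine. The following is an added example, not code from the original article or from any vendor it mentions: it parses a constructed, comma-separated per-host egress summary (date, host, bytes out), builds each host's baseline from its own earlier days, and flags a host only when today's outbound volume is both several standard deviations above and several times its baseline mean. The log format, thresholds and host names are assumptions for illustration; hosts without enough history are reported separately rather than silently ignored.

```python
"""Flag hosts whose outbound byte volume jumps far above their own baseline.

Added example for illustration; the egress-summary log format
(date,host,bytes_out per line) and the threshold values are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: seven baseline days for ws-01 and ws-02, then a
# "current" day (2024-03-08) in which ws-01 suddenly sends ~45 MB and a
# new host ws-03 appears with no history at all.
SAMPLE_LOG = """\
2024-03-01,ws-01,1200000
2024-03-01,ws-02,900000
2024-03-02,ws-01,1150000
2024-03-02,ws-02,920000
2024-03-03,ws-01,1300000
2024-03-03,ws-02,880000
2024-03-04,ws-01,1250000
2024-03-04,ws-02,910000
2024-03-05,ws-01,1180000
2024-03-05,ws-02,890000
2024-03-06,ws-01,1220000
2024-03-06,ws-02,930000
2024-03-07,ws-01,1270000
2024-03-07,ws-02,900000
2024-03-08,ws-01,45000000
2024-03-08,ws-02,940000
2024-03-08,ws-03,3000000
"""


def parse_egress_log(text):
    """Return {host: {date: total_bytes_out}} from 'date,host,bytes' lines.

    Blank lines and '#' comments are skipped; multiple records for the
    same host and day are summed.
    """
    per_host = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        date, host, bytes_out = line.split(",")
        per_host[host][date] = per_host[host].get(date, 0) + int(bytes_out)
    return per_host


def find_egress_outliers(per_host, check_date, min_history=5,
                         sigma=3.0, min_ratio=5.0):
    """Compare each host's egress on check_date against its own history.

    A host is flagged only if its current volume exceeds BOTH
    mean + sigma * stddev of its earlier days AND min_ratio times the
    mean, so a quiet host with a tiny stddev is not flagged for a small
    absolute change. Hosts with fewer than min_history earlier days are
    returned in a separate "no baseline" list for manual review.

    Returns (flagged, no_baseline) where flagged is a sorted list of
    (host, current_bytes, ratio_to_baseline_mean).
    """
    flagged = []
    no_baseline = []
    for host, by_date in per_host.items():
        if check_date not in by_date:
            continue  # host sent nothing on the day being checked
        # ISO dates sort lexically, so string comparison is safe here.
        history = [v for d, v in by_date.items() if d < check_date]
        if len(history) < min_history:
            no_baseline.append(host)
            continue
        base_mean = mean(history)
        base_sd = pstdev(history)
        current = by_date[check_date]
        if current > base_mean + sigma * base_sd and current > min_ratio * base_mean:
            flagged.append((host, current, round(current / base_mean, 1)))
    return sorted(flagged), sorted(no_baseline)


if __name__ == "__main__":
    hosts = parse_egress_log(SAMPLE_LOG)
    flagged, no_baseline = find_egress_outliers(hosts, "2024-03-08")
    for host, current, ratio in flagged:
        print(f"ALERT {host}: {current} bytes out, {ratio}x its baseline mean")
    for host in no_baseline:
        print(f"REVIEW {host}: not enough history to build a baseline")
```

Run against the sample data, this reports ws-01 (roughly 37 times its usual daily volume) and lists ws-03 for review because it has no prior days; ws-02's modest increase stays under both thresholds. In practice the baseline window and thresholds would be tuned per environment, and the same per-host comparison can be applied to other behavioral signals the article mentions, such as process activity.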
Of course, another way to avoid these fileless malware attacks is to shut down your online business and never use a Windows system again, but that’s probably not a credible solution for the world.