Fileless, Malwareless, In-Memory Malware, Hidden Malware… regardless of what names these attacks are given by the press, they all share the same attack characteristics. These attacks do not write files to disk, but rather, they exist and operate solely within system memory. They often utilize common admin tools such as PowerShell that are widely available yet rarely controlled on most Windows systems. As a result, these attacks are often called ‘living off the land’ attacks as well.

Introduction

Fileless malware is relatively sophisticated to build and deploy. As a result, it is still relatively rare to encounter in the wild, but it poses a very real threat. It differs from most other malware by not leaving files on disk, hence its name. Instead, it uses a variety of tricks to stay resident in memory and execute commands that already exist on the machine.

Fileless malware uses a tool like PowerShell to coordinate the attack, together with a Meterpreter payload that uses in-memory DLL injection stagers to set up additional attacks. Because it does not write files to disk, it poses a unique challenge to traditional security products that rely on inspecting files on disk in order to match them against a signature.

Fileless Malware is Here to Stay

Two families of fileless malware, Poweliks and Kovter, use similar techniques to infect a system. First, JavaScript code is written into the registry under the Run key along with an AutoRun entry that is used to read and decode the encoded JavaScript. In the second stage of the attack, PowerShell is used to decrypt and inject a malicious .dll into a standard Windows process. This technique allows the malware to stay resident in memory and to evade traditional antivirus defenses.
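
Because the first stage described above lives in a Run-key value rather than in a file, defenders can triage autorun values exported from Software\Microsoft\Windows\CurrentVersion\Run for entries that carry script instead of a path to an executable. The following is an added example, not code from this article or from Cylance; the rule names, the 260-character threshold and the sample entries are assumptions constructed for illustration.

```python
import re

INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript):", re.I)    # script URL passed to a host binary
REG_READ = re.compile(r"\bRegRead\b|\bGet-ItemProperty\b", re.I)   # autorun that reads the registry back
MAX_LEN = 260  # assumed threshold; ordinary Run values are a short path plus a few arguments


def has_encoded_switch(cmd):
    """True if a PowerShell command line carries -EncodedCommand or an abbreviation of it."""
    if "powershell" not in cmd.lower():
        return False
    for tok in cmd.split():
        opt = tok[1:].lower()
        if tok[0] in "-/" and opt and ("encodedcommand".startswith(opt) or opt == "ec"):
            return True
    return False


def triage_run_values(entries):
    """Map value name -> reasons, for Run-key values that carry script rather than a file path."""
    findings = {}
    for name, data in entries:
        reasons = []
        if INLINE_SCRIPT.search(data):
            reasons.append("inline-script")
        if has_encoded_switch(data):
            reasons.append("encoded-powershell")
        if REG_READ.search(data):
            reasons.append("registry-read")
        if len(data) > MAX_LEN:
            reasons.append("oversized")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample data (not from the article): one ordinary entry, three suspicious ones.
SAMPLE = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", 'mshta.exe "javascript:<constructed placeholder>"'),
    ("Helper", 'rundll32.exe javascript:"<constructed placeholder> RegRead(<constructed value>)"'),
    ("Sync", "powershell.exe -NoProfile -WindowStyle Hidden -enc QQBCAEMA"),
]

if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

A hit is a lead for an analyst, not a verdict: legitimate software occasionally registers PowerShell autoruns, so flagged values should be reviewed alongside the process that wrote them.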

CylancePROTECT vs Fileless Malware

While most fileless attacks still rely on spam or spear phishing as the initial attack vector, email administrators know that it is simply not realistic to block all email attachments in enterprise environments. Security controls should not be so restrictive that they compromise business operations, nor should they cause employees to attempt to circumvent them in order to carry out basic job duties like reading email.

CylancePROTECT uses multiple protection elements to stop this type of threat before it causes any damage. CylancePROTECT memory defense provides protection against process injection attack techniques, and script control provides robust protection by preventing malicious scripts from being used in concert with PowerShell.

If you don’t have CylancePROTECT, contact us to learn how our artificial intelligence based solution can predict and prevent unknown and emerging threats before they ever execute.