In file-based attacks, a binary payload is downloaded onto the target machine and executed to carry out malicious actions. Legacy antivirus can prevent these known attacks by identifying the signature of the malware and comparing it to a database of known malware. If the signature is found, the antivirus prevents it.
Fileless malware attacks turn this idea on its head by presenting no indicators of malicious executables on the target machine. Instead, attackers use legitimate tools built into the system like PowerShell, WMI, Microsoft Office Macros, and .NET for malicious purposes. Essentially, Windows is turned against itself.
Defend against these attacks by leveraging the MITRE ATT&CK framework. Read how to create a closed-loop security process in five steps with ATT&CK.
Defining Living-off-the-land
Using legitimate tools for malicious purposes is a technique called living-off-the-land that has been around for at least twenty five years. The abused, legitimate tools are known as LOLBins, and can include Microsoft Office Macros, PowerShell, WMI, and many more system tools. In fact, there are more than 100 Windows system tools that can be leveraged by this technique.
Living-off-the-land and Fileless Malware
Many LOLBins are incorporated into the daily workflow of IT professionals, which makes blocklisting them impractical given how it would reduce IT’s efficiency and reach. Naturally, the tools with the most power, reach, and ubiquity become the most common tools for attackers to leverage. This means Windows toolkits are the most attractive, since they include tools and suites like PowerShell, WMI, and Office by default. The attackers know they have a set of tools they can leverage that are not only pre-installed on every Windows machine they want to target, but are also vital to the organization and cannot be shut down.
Fileless malware also decreases the number of files on disk and the number of actions an attacker has to take to execute an attack. Further, in order to identify this type of attack, security tools have to focus on something other than signatures - how the tools are accessed, what they do, and what users spawn, which is not the way traditional security tools like antivirus operate. This makes defense much more difficult. To face this, a new form of prevention and new types of telemetry for detection that can handle these attacks must enter the picture.
Fileless attacks can be a powerful tool for attackers, since they are able to bypass the majority of antivirus and next-generation antivirus products. Though fileless attacks have been discussed in mainstream circles since the early 1990s, these attack vectors are still gaining popularity. The data proves it: in Q1 2018, fileless attacks were up 94%. In 2018, 42 out of 1,000 endpoint attacks used fileless malware. To put that into perspective, ransomware maxed out at 14.4 out of 1,000 endpoint attacks.
In The State of Endpoint Security, The Ponemon Institute found respondents believe 38% of all attacks targeting their company will be fileless in 2019.
HOW DOES FILELESS MALWARE WORK?
Fileless malware leverages trusted, legitimate processes (LOLBins) running on the operating system to perform malicious activities like lateral movement, privilege escalation, evasion, reconnaissance, and the delivery of payloads.
In our research, we have come across and prevented or detected many cases of fileless attacks just in 2019 alone. We have seen attackers use a range of default Windows processes in their attacks, including:
- PowerShell, with attacks like Operation Cobalt Kitty, the Ramnit Banking Trojan, the Triple Threat of Emotet, TrickBot, and Ryuk, and the Fallout Exploit Kit.
- Windows Management Instrumentation (WMI), with attacks like Operation Soft Cell, the Shade Exploit Kit, Adobe Worm Faker, and GandCrabs Evasive Infection Chain.
- .NET, with attacks like the New Ursnif Variant.
- Malicious Macros, with attacks like the New Ursnif Variant.
This is not nearly an exhaustive list of processes used for fileless attacks. However, these are LOLBins that we want to highlight because we can prevent these fileless attacks effectively and better than anyone else out there.
Reasons to Use Fileless Malware in an Attack
- Stealthy: Fileless malware uses legitimate tools, which means it is almost impossible to blocklist the tools used in a fileless attack.
- Living-off-the-land: The legitimate tools used for fileless malware are installed by default. The attacker does not need to create or install any custom tools to use them.
- Trusted and Frequented: These tools are frequently used and trusted. It is not unusual to see the tools used in fileless malware running in an enterprise environment for a legitimate purpose.
WHY IS DETECTION AND PREVENTION OF FILELESS MALWARE CHALLENGING?
Fileless malware depends on tools that are part of the daily workflow of enterprise professionals. Attackers know they can rely on a set of tools that are pre-installed on every Windows machine and are vital for the daily operations of the enterprise. Fileless malware also decreases the number of files on disk, which means signature-based prevention and detection methods will not be able to identify them. This makes it incredibly difficult for an analyst or security product to identify whether the tool is being used for malicious purposes or normal, day-to-day actions. Analysts must have an intimate understanding of their environment to be able to identify LOLBins at work.
This is one reason why fileless malware attacks have become so prevalent. We only expect them to become more common as attackers continue to iterate and share their techniques with the community, and as they potentially develop this malware for profit under a malware-as-a-service model.
Interested in learning more about fileless attacks? Read about how they were used in the latest variant of the Ursnif trojan.
