Be Fearless when it comes to Fileless malware attacks

Jun 27, 2018

By Guy Propper


Cyber criminals are constantly looking for new and sophisticated ways to avoid detection and carry out a malicious attack successfully. This has been most evident in the past few years. Apart from the rise in ransomware attacks, there has also been an increase in the number of fileless attacks, which pose a threat to organizations and a challenge for security solutions due to their use of sophisticated attack techniques and various non-executable file formats.

The increase in fileless attacks can be attributed to a few reasons. For one, the malicious logic of the attack often runs only in memory, which makes traditional static detection insufficient. It also complicates post-event analysis, since there is little on disk to examine, and gives attackers more places to hide. For these reasons the security industry hasn’t remained idle, and various security solutions have added capabilities to combat these types of threats.

Fileless Attacks Explained

The definition of what counts as a fileless attack is broad, as the term “fileless attack” encompasses several possible attack scenarios. Only some of these write no files to disk at all, and very few are completely fileless. A widely accepted definition of a fileless attack is an attack during which no portable executable (PE) file is written to and executed from disk.

So what falls under the category of the current accepted definition of a fileless attack?

Executable-less attacks: attacks based on a dropper, usually a document or script, which is written to disk and then executes the next stages of the attack. These are the most common form of fileless attack.

Dual-use attacks: attacks based on legitimate files, either ones common to the targeted organization or widely used administrative tools, which can be abused to perform malicious functions. These files are usually already present on disk, but can also be used as in-memory payloads.

Code injection attacks: attacks in which malicious code is loaded dynamically into the memory of a running process, without a corresponding file on disk.

Combating Fileless Attacks

The security industry’s increasing awareness of these types of attacks is making life harder for attackers. Moreover, setting aside the organization’s choice of security solution, there are some steps organizations and users can take to protect themselves and lessen the likelihood of becoming infected:

  1. Restrict the use of scripts and scripting languages inside the organization by applying different policies to different areas of the network. For example, allow scripts to run only from read-only network locations, or only on specific machines.
  2. Restrict and monitor the use of interactive PowerShell within the organization.
  3. Scan PE files and macro scripts before allowing them to run within the organization.
  4. Make sure all your computers and programs are updated regularly and on time. This prevents the exploitation of known, already-patched vulnerabilities.
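One concrete way to carry out step 2 (monitoring interactive PowerShell) is to turn on PowerShell's own logging features and review what they record. The script below is an added example and is not part of the original post or of Deep Instinct's products. It writes the documented policy registry values that Group Policy uses for script block logging, module logging and transcription, then pulls the last day of script-block events (event ID 4104) and flags those containing strings typical of droppers. The transcript output directory and the pattern list are assumptions to be tuned to your environment; the script must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): enable PowerShell logging and
# review recent script-block events. Registry paths and value names are the
# documented policy settings; the output directory and pattern list are assumptions.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging: records the content of every executed script block
# as event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging: records pipeline execution details for all modules ('*').
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Transcription: writes a full transcript of each session to disk.
# The directory below is an assumption; in practice use a write-only share
# so a user cannot delete their own transcript.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Review: flag script blocks from the last 24 hours that contain strings commonly
# seen in script droppers (download-and-execute, encoded payloads, in-memory
# loading). This list is a constructed starting point, not a complete rule set.
$patterns = @('DownloadString', 'FromBase64String', 'Invoke-Expression', 'Reflection.Assembly', 'VirtualAlloc')
$since = (Get-Date).AddDays(-1)

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = $_.Message
        $hits = $patterns | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            # Collapse whitespace and keep a short snippet for the analyst's first look.
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Matched = ($hits -join ', ')
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    } | Format-Table -AutoSize
```

Script block logging captures the de-obfuscated code as PowerShell actually compiles it, which is why it catches content that a static scan of the original script file would miss; forwarding the 4104 events to a central log collector is what turns this from a local check into the monitoring step 2 describes.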

With that in mind, it’s important to understand that as both users and security vendors become more knowledgeable, malicious actors are expected to increase both the number and the sophistication of fileless attacks, while developing new ways of conducting them.

By using advanced methodologies and deep learning, Deep Instinct protects its customers from executable-less, dual-use and code-injection attacks.

Advanced heuristics, which also protect against file-based attacks, quickly prevent code-injection and in-memory attacks. And finally, Deep Instinct’s unique deep learning model protects against dual-use tools utilized in living-off-the-land attacks, and against dropper files used in non-PE attacks, blocking these attacks pre-execution.

To learn about the anatomy of fileless attacks, and get an in-depth explanation of the challenges and solutions involved, download this free whitepaper >>
