What is Fileless Malware?
Fileless Malware is malicious software that attacks or infects systems without leaving a footprint, by running only in memory. Fileless malware is more difficult to detect because it does not leave artifacts on the endpoint.
The definition of what is considered fileless malware is wide, as the term “fileless malware” encompasses several possible attack scenarios, only some of which don’t write any field to a disk, while very few scenarios are completely fileless.
Which Fileless Malware fit under the definition of a “fileless attack”?
There are four types of fileless malware attacks:
- Executable-less attacks - These attacks are based on a dropper, usually a document or zip file, which runs a script that excludes the next stages of the attack. This attack is file based, since the dropper is saved to the disk. However, executables are not used during the whole attack sequence, so this type of attack is better termed an “executable-less attack.” This attack scenario is the most common “fileless malware” scenario.
- Dual use attacks - These attacks are based on legitimate files which are either common to the organization attacked or are widely-used administrative tools, which can be abused to perform malicious functions. This attack scenario is also called “living off the land” and involves executable files.
- Code injection attacks - Code injection attacks are based on code injection into the memory of a process. In this type of attack, the malicious logic is not saved to disk, however the attack usually includes files, since the injection to memory is usually performed by script files, which are saved to disk.
- Memory-only attacks - These are advanced attacks which occur only in memory, and do not write any files to disk during the whole attack sequence. Memory-only attacks are extremely advanced, and are currently performed mostly by nation-state actors.
How does Fileless Malware work?
The anatomy of a fileless malware attack includes the following steps:
- Infection - A fileless attack sequence begins with initial infection of the target, which can be achieved through droppers or infection from the browser.
- Malicious Logic and Lateral Movement - Like other types of malware, payload delivery and lateral movement will usually follow a successful infection. The payload will perform actions desired by the attacker, such as information collection, file encryption, or backdoor communication, while lateral movement can be used to infect additional computers within the network. This is done through scripts, native tools, living off the land, and injection to memory.
- Persistence - Achieving persistence is a considerable challenge for fileless malware, since executable files performing the attack are usually not saved to disk. Attackers that wish to remain persistent must leave some trace in the system for their malicious logic to relaunch itself following system startup. To remain persistent, attackers can use one of several means including registry editing, COM hijacking, creation of scheduled tasks, and WMI tasks.
Why do attackers like Fileless Malware?
There are several reasons why attackers prefer to use fileless malware. First, the fact that the malicious logic of the attack usually occurs in memory makes traditional static detection impossible, as no file is saved to the disk.
In addition, fileless malware complicates post-event analysis, since many artifacts related to the attack exist in memory only, and they might be overwritten or removed by the time of discovery, through a reboot for example. In-memory detection and artifact collection can be done through the use of heuristics and behavioral analysis, which can detect malicious in-memory activities.
Finally, the use of scripts and admin tools makes it easy for the attackers to hide their presence and purposes. Scripts can be very easily obfuscated, and delivered in several stages, while actions performed by admin tools might seem legitimate to an organization.
How does Deep Instinct detect Fileless Malware?
Fileless malware, or “executable-less” malware, is a distinct and developing threat. Fileless malware uses non-executable file types during many attack sequences. Due to the sophisticated methods of attack, fileless malware attacks currently pose a difficulty for the security industry. However, Deep Instinct provides customers a solution for fileless malware. Deep Instinct’s deep learning model protects against the elements of fileless malware, by using script control mechanisms and advanced heuristics to prevent code-injection and in-memory attacks.