How It Works
Most applications and file-based malware begin as a file that is written to the disk. When that file is executed, a copy is loaded into memory, and the program’s commands are executed. Fileless malware skips the step of being written to disk, existing only in memory.
Some of the ways in which this can be accomplished include:
- Living Off the Land: Many of the actions that malware performs can be accomplished with legitimate system functionality. Fileless malware commonly uses PowerShell to call the built-in Windows API functions that would otherwise be called from a malicious executable file.
- Malicious Documents: A Microsoft Office document may include malicious macros that use PowerShell to execute commands. This could include downloading and running additional malware without writing it to disk.
- Vulnerability Exploitation: An application may contain a buffer overflow or other remote code execution (RCE) vulnerability. By exploiting this vulnerability, an attacker can run malicious commands within the vulnerable process without writing anything to disk.
- Process Hijacking: Once a file is loaded into memory, its memory space can be modified. Malware can write code to the memory space of an existing process and launch its malicious functionality within that process.
- Registry-Based Malware: The Windows registry contains configuration information for the Windows OS, including autoruns. Fileless malware can define an autorun that launches malicious code via living-off-the-land binaries (LoLBins) on system startup or when a user logs in.
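The registry-based and living-off-the-land techniques above leave a trace a defender can audit: a Run/RunOnce value whose command launches a script host or other LoLBin rather than an installed program. The following Python example, added here and not part of the original article, runs that check over constructed sample events; the field names (image, target, details) are an assumption loosely modelled on Sysmon's registry value-set event.

```python
import base64
import re

# Constructed sample events (not real telemetry). The field names loosely
# follow Sysmon Event ID 13 (RegistryEvent, value set); that is an assumption.
def _enc(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_REGISTRY_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "powershell.exe -nop -w hidden -enc " + _enc("Write-Output demo")},
    {"image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Helper",
     "details": r"mshta.exe C:\Users\Public\page.hta"},
    {"image": r"C:\Windows\regedit.exe",
     "target": r"HKCU\Software\Contoso\Settings\Theme",
     "details": "powershell.exe -enc QUJD"},   # not an autorun key: ignored
]

AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Script hosts and other LoLBins commonly used to launch fileless payloads.
LOLBIN_RE = re.compile(r"\b(powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|certutil)(\.exe)?\b", re.I)
# PowerShell switches that hide the window or carry the payload inline.
HIDDEN_OR_ENCODED_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b", re.I)

def audit_autoruns(events):
    """Return one finding per Run/RunOnce value whose command launches a LoLBin."""
    findings = []
    for ev in events:
        if not AUTORUN_KEY_RE.search(ev["target"]):
            continue                                  # not a Run/RunOnce value
        lolbin = LOLBIN_RE.search(ev["details"])
        if not lolbin:
            continue                                  # ordinary installed program
        reasons = ["autorun launches " + lolbin.group(1).lower()]
        if HIDDEN_OR_ENCODED_RE.search(ev["details"]):
            reasons.append("hidden window or encoded command line")
        findings.append({"value": ev["target"].rsplit("\\", 1)[-1],
                         "writer": ev["image"].rsplit("\\", 1)[-1],   # process that set the value
                         "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REGISTRY_EVENTS):
        print(f"{f['value']} (set by {f['writer']}): {'; '.join(f['reasons'])}")
```

The writer field matters as much as the command: a Run value set by powershell.exe or reg.exe rather than an installer is itself worth a second look.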
What Can Fileless Malware Do?
Fileless malware can do anything that a traditional, file-based malware variant can do. This includes acting as an infostealer, ransomware, remote access toolkit (RAT), and cryptominer.
The main difference between fileless malware and file-based malware is how they implement their malicious code. Fileless malware commonly relies more on built-in features of the operating system rather than implementing malicious functionality in a standalone executable.
Stages of a Fileless Attack
A fileless malware attack looks very similar to a file-based malware attack. Some of the key stages include:
- Initial Access: Malware needs a means of gaining access to an organization’s systems. A fileless attack may deliver a malicious document via phishing or exploit a vulnerable web application.
- Execution: Fileless malware can achieve code execution via various means. For example, a malicious document may use social engineering to trick the recipient into enabling macros, allowing malicious macros to run PowerShell commands.
- Persistence: Once malware gains access to a target system, it wants to maintain that access. Adding autorun keys to the Windows Registry is a common means of achieving persistence and can be accomplished without writing code to disk.
- Objectives: Malware is designed to accomplish some task. Fileless malware may attempt to steal credentials, encrypt files, download additional malware, or perform some other malicious activity.
Detecting and Protecting Against Fileless Malware Attacks
Fileless malware is designed to be more difficult to detect than traditional, file-based malware variants. The reason for this is that some endpoint security solutions focus on scanning files on a system and do not inspect actively running processes for malicious code or anomalous activities.
However, harder to detect is not the same as undetectable. Some of the ways in which an organization can protect itself against fileless malware attacks include:
- Lock-Down Functionality: Fileless malware often “lives off the land,” using built-in functionality to achieve its goals. Disabling or monitoring high-risk applications — such as PowerShell — can help with preventing and detecting fileless malware attacks.
- Manage Macros: Microsoft Office macros are a common method for fileless malware to achieve initial access and execution. Disabling macros can help to block this infection vector.
- Patch Vulnerabilities: Attackers may exploit vulnerabilities such as buffer overflows to run code within vulnerable applications. Applying patches and implementing virtual patching with an intrusion prevention system (IPS) limits the risk of vulnerability exploitation.
- Secure Authentication: Cybercriminals are increasingly using compromised credentials and remote access solutions, such as RDP, to deploy and execute malware. Implementing multi-factor authentication (MFA) and a zero-trust security policy can limit the potential impact of a compromised account.
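The Execution stage described earlier (a macro that runs PowerShell) and the advice above to monitor PowerShell and manage macros come together in one detection: an Office application spawning a script host. The Python example below is added here and is not from the original article; it checks constructed process-creation events (field names parent_image, image, command_line are an assumption loosely modelled on Sysmon's process-create event) and decodes any -EncodedCommand argument so an analyst can read what was launched.

```python
import base64
import re

# Constructed sample events (not real telemetry). The field names loosely
# follow Sysmon Event ID 1 (ProcessCreate); that is an assumption.
def _enc(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand " + _enc("Write-Output demo")},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\bob\AppData\Local\Temp\helper.vbs"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-Date"},   # admin at a console: benign
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},                  # normal Office child (printing)
]

OFFICE_RE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)
SCRIPT_HOST_RE = re.compile(r"\\(powershell|pwsh|wscript|cscript|mshta|cmd)\.exe$", re.I)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENC_ARG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(command_line):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_ARG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return "<undecodable>"

def find_office_spawned_script_hosts(events):
    """Flag script hosts whose parent is an Office application."""
    findings = []
    for ev in events:
        if OFFICE_RE.search(ev["parent_image"]) and SCRIPT_HOST_RE.search(ev["image"]):
            findings.append({"parent": ev["parent_image"].rsplit("\\", 1)[-1],
                             "child": ev["image"].rsplit("\\", 1)[-1],
                             "decoded": decode_encoded_command(ev["command_line"])})
    return findings

if __name__ == "__main__": print(find_office_spawned_script_hosts(SAMPLE_PROCESS_EVENTS))
```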
Check Point’s Harmony Suite and XDR Platform
Fileless malware is one of several threats that organizations face. To learn more about the current cyber threat landscape, check out Check Point’s 2022 Mid-Year Cyber Attack Trends Report.
Implementing defense in depth is essential to managing the risk of sophisticated malware and other leading cyber threats. Check Point Horizon XDR provides centralized visibility and threat management across an organization’s IT infrastructure, while Harmony Endpoint secures the endpoint.
Find out how Check Point can help improve your organization’s malware defenses. Sign up for the Horizon XDR Early Availability Program and a free demo of Harmony Endpoint today.