Fileless malware attacks have increased over 300% in 2019. What is fileless malware and how does it work?

According to their mid-year Cybersecurity report, Trend Micro asserts that fileless malware attacks have increased 365% over the same period the previous year.  In order to understand why this is increasing and how fileless malware works, we first need to understand how traditional anti-virus software works, because fileless malware evolved in order to try to circumvent the protections offered by traditional anti-virus software.

How does anti-virus software work?

Traditional anti-virus software attempts to identify malware code while it is at rest on the computer disk or in use in an executing program.  Using Microsoft windows as our example, it works like this:

Since Windows XP, Windows has included the ability to insert drivers into the filesystem at run-time.  These drivers are arranged in a stack and all disk I/O has to flow through all the drivers for each read and write operation.  The drivers are arranged into groups in the stack and perform functions such as file replication, undelete services, quota management, and anti-virus scanners. It is easy to understand how a problem with an anti-virus product can affect system performance, as all disk I/O has to interact with the anti-virus software.

Computer software is code, whether compiled or interpreted, it is generally static.  This means if you can obtain a copy of a piece of malware, you can look at the code and locate a sequence of bytes that is unique for that item of malware.  This is its signature.  Anti-virus software watches the stream of bytes flowing to and from the disk and if it spots a sequence of bytes that it recognises, it blocks the I/O operation and flags the file as malware.

As anti-virus software became more sophisticated, the developers realised that certain patterns of code often turn up in some form or another in malware.  For example, attempts to modify certain system files in order to create a persistent process that survives a system reboot.  Recognising this behaviour as ‘probably’ malware, even if that exact piece of malware is not within the anti-virus list of signatures, gave rise to the next generation of heuristic anti-virus.

In order to combat the signature based anti-virus detection, malware authors developed polymorphic viruses– that is malware which changes itself over time. It does this by downloading new modules from command and control servers, re-arranging how it stores itself on the computer system, and rapidly updating itself to new version so the anti-virus signatures are always out of date.  Heuristic anti-virus which looks for patterns of behaviour rather than patterns in the code is a primary defence against polymorphic malware.

The ability to insert drivers into the I/O stack for disk operations, is repeated for access to the Windows Registry, Firewall traffic, loading code images (EXE, DLL or SYS files), starting processes and spawning threads.  The anti-virus can insert itself into all of these operations and inspect the data and terminate the operation if it identifies a risk.

This presents a challenge to the malware authors, as however they try to get their software onto your computer, be it hidden in another file, downloaded over the network or saved to disk via a browser exploit – the anti-virus software has the potential ability to spot the file and block it.

The answer is the shift to fileless malware.

What is fileless malware?

Fileless malware does not exist as executable code on the disk of the computer system – hence the term fileless.  Instead the malware resides only in memory, it may have components that are invoked using details injected into the Windows Registry or it leverages existing system components such as PowerShell to work on its behalf.  This is known as ‘living off the land.’

PowerShell based malware has risen significantly in the last year – up a 1000% according to Symantec.  PowerShell is used legitimately all the time in enterprise networks – for tasks such as login scripts, monitoring performance or rolling out new software updates.  If the script that PowerShell is executing is never stored on the disk, traditional anti-virus can never spot it, and a computer forensic investigations has nothing to work with.

In addition to malicious scripts, fileless malware can also inject malicious code into otherwise legitimate running software by leveraging exploits in that application.  Typically, these attacks target web browsers or frameworks like Java or Flash.

How to mitigate fileless malware attacks

With the latest versions of PowerShell (v5 onwards), Microsoft has introduced support for the Antimalware Scan Interface.  This Windows 10 / Server 2016 service allows any software that processes scripts (not just PowerShell) to submit the plain text script to Windows Defender or installed anti-virus for validation before it is executed.  This means that any software that is scriptable can now provide some measure of protection against malicious scripts being used in ‘living off the land’ fileless attacks.  Developers need to update their software to work with the AMSI, as it does not happen automatically.

In addition to subverting scripting engines, fileless malware exploits vulnerabilities in other installed software (such as Microsoft Office applications, Java or Flash).  Removing unused software and ensuring all other software is promptly patched each month reduces the attack surface that fileless malware can exploit.

Next Generation Firewalls that provide application level inspection, intrusion protection and use cloud services to bring intelligence from outside the firewall will also help.  With the firewall automatically updating itself to block traffic to and from malware command and control servers as they are discovered, the fileless malware can be disrupted from operating.

Fileless malware is the next phase in the arms race between malware authors and cybersecurity professionals.  Good security hygiene  is still the best defence.