cruelsister

Attacks that leverage fileless techniques are not new, but were recently adopted by a broader range of malware. A couple of years ago, the Kovter Trojan was well known for the use of this infection method, but various threat actors, ransomware, and even crypto-mining malware adopted it since.

Last November, a Barkly report suggested that fileless assaults were ten times more likely to succeed compared to other infection methods.
Now, Microsoft says that the move to fileless techniques was only the next logical step in the evolution of malware, especially with antivirus solutions becoming increasingly efficient at detecting malicious executables.

“Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis,” Andrea Lelli of the Windows Defender Research team at Microsoft notes in a blog post. “Removing the need for files is the next progression of attacker techniques,” Lelli says.

The result of this is an increase in attacks that use malware with fileless techniques, where the executable is never dropped on the disk. The approach not only removes the need of relying on physical files, but also improves stealth and persistence. For attackers, this also means the discovery of new techniques for executing the code, which some solved by infecting legitimate components and achieving execution in these components’ environment. Referred to as “living off the land”, the technique usually abuses tools that are already available on the platform, such as mshta.exe.

As Lelli points out, however, there is no generally accepted definition of a fileless attack, and even malware families that do rely on files to operate are included. Thus, some parts of the attack might be fileless, while others would still rely on the filesystem. Overall, Microsoft groups fileless threats into different categories, based on entry point (execution/injection, exploit, hardware), the form of entry point (file, script, etc.), and the host of the infection (Flash, Java, documents), which results in three big types of fileless threats. The malware can be completely fileless (performing no file activity), writes no files to disk but still uses some files indirectly, or requires the use of files to achieve fileless persistence. While file-based inspection is ineffective against fileless malware, behavioural analytics and other technologies should be efficient in detecting such attacks.

Microsoft themselves integrated their Windows Defender Advanced Threat Protection (ATP) with capabilities such as behaviour monitoring, memory scanning, and boot sector protection, to detect and terminate threat activity at runtime. Furthermore, Windows Defender ATP integrates with Antimalware Scan Interface (AMSI), “an open framework that applications can use to request antivirus scans of any data,” to defend against fileless malware and other threats, Microsoft says.

When it comes to fighting fileless attacks that live off the land, behaviour monitoring is particularly useful, Lelli says. In fact, Microsoft has been long touting Windows 10’s ability to detect in-memory attack methods that abuse legitimate processes. Memory scanning is also useful when it comes to detecting the presence of malicious code in the memory of a running process. Even malware that runs without the use of a physical file (such as the GandCrab ransomware) needs to reside in memory to operate, and memory scanning can detect it there, Lelli points out.

Another defense that’s effective against fileless attacks is boot sector protection. In Windows 10, controlled folder access prevents write operations to the boot sector, thus helping Windows Defender ATP stop attack vectors used by Petya, BadRabbit, and bootkits. “As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too,” Microsoft concludes.


CS note - The Microsoft blog is here: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV

509322

These types of infections are easy enough to thwart for those that know what they're doing and are willing to do what is necessary.

For everybody else, there is AMSI, Exploit Guard and Windows Defender. Good luck with those.

It isn't difficult. Most of the time with this stuff, people simply TL;DR as they're doing in this very thread at this very moment.

What is needed to solve this problem is simple, but Microsoft - as usual - makes their solution 100 levels more fiendishly over-complex than it needs to be - all because people insist on default allow.

LDogg

Sometimes just having good browser habits, bookmarking things, not torrenting, no dodgy downloads, updates from official sources should massively mitigate anything like this. Excluding the CCleaner incident. Agreed with the above; there is software out there which can easily stop this type of attack from happening.

~LDogg
 

shmu26

Completely fileless malware - able to evade anti-executables?
This is exactly why anti-executables usually have a module that monitors and/or blocks the vulnerable processes that are commonly targeted by fileless malware attacks. Stuff like powershell and mshta. These processes and others like them are used in the "living off the land" attacks. Anti-exe + vulnerable process protection will stop attacks that home users typically face.
There are more sophisticated attacks, but if you are not running a nuclear plant, don't worry about them. :)
 

LDogg

This is exactly why anti-executables usually have a module that monitors and/or blocks the vulnerable processes that are commonly targeted by fileless malware attacks. Stuff like powershell and mshta. These processes and others like them are used in the "living off the land" attacks. Anti-exe + vulnerable process protection will stop attacks that home users typically face.
There are more sophisticated attacks, but if you are not running a nuclear plant, don't worry about them. :)
NVT OSArmor should be able to mitigate attacks like these basically?

~LDogg
 

Andy Ful

I am a big fan of ATP for Enterprises. Before introducing ATP, the home users were the guinea pigs for catching the malware. Now, the Enterprises with ATP can catch some sophisticated malware and train WD AI. Both Enterprises and home users are connected to WD cloud via the "Block at first sight" feature, so the home users indirectly benefit from ATP.

Furthermore, some interesting ATP options are Windows 10 built-in features (WD ASR, Network Protection) and can be activated/configured on Windows 10 Home via PowerShell cmdlets or GPO policies, or any software that can create a GUI for configuring them. Yet, I am not sure if Microsoft likes such software.:unsure:

509322

This is exactly why anti-executables usually have a module that monitors and/or blocks the vulnerable processes that are commonly targeted by fileless malware attacks. Stuff like powershell and mshta. These processes and others like them are used in the "living off the land" attacks. Anti-exe + vulnerable process protection will stop attacks that home users typically face.
There are more sophisticated attacks, but if you are not running a nuclear plant, don't worry about them. :)
It is a bit more complex than that. It takes more than merely monitoring for vulnerable process execution. There are those here that think that is a panacea - and it just ain't true.

I don't want to say too much because fanbois of certain products will come onto this thread and start to cry like babies.

NVT OSArmor should be able to mitigate attacks like these basically?
Ask Andreas. He will explain it to you.

I am a big fan of ATP for Enterprises. Before introducing ATP, the home users were the guinea pigs for catching the malware. Now, the Enterprises with ATP can catch some sophisticated malware and train WD AI. Both Enterprises and home users are connected to WD cloud via the "Block at first sight" feature, so the home users indirectly benefit from ATP.
Furthermore, some interesting ATP options are Windows 10 built-in features (WD ASR, Network Protection) and can be activated/configured on Windows 10 Home via PowerShell cmdlets or GPO policies, or any software that can create a GUI for configuring them.
A company is looking at $200+ per endpoint. ATP costs $68 per month or per year - I cannot remember the billing frequency. That's in addition to all the other mandatory licenses and their individual costs.

Because of the pricing it is not popular.

The ATP "cloud" - if you can call it that - existed years ago. It is not new. Malicious file uploading to Microsoft for analysis has existed for a long time.

Yes, especially with advanced options.
Some attacks will succeed even with stuff disabled, but only the too-paranoid-for-their-own-good will worry about those.

Andy Ful

...
The ATP "cloud" - if you can call it that - existed years ago. It is not new. Malicious file uploading to Microsoft for analysis has existed for a long time.
.
I prefer calling it WD cloud with the "Block at first sight" feature, because it is common to home users and Enterprises. "The ATP cloud" would suggest Enterprises only. The crucial thing is the time factor. Before the "Block at first sight" + ATP era, the home users were protected after some weeks. Microsoft was known as a vendor with the slowest signatures. Now, the home users are often protected some minutes/hours after the malware hits the Enterprise.

509322

I prefer calling it WD cloud with the "Block at first sight" feature, because it is common to home users and Enterprises. "The ATP cloud" would suggest Enterprises only. The crucial thing is the time factor. Before the "Block at first sight" + ATP era, the home users were protected after some weeks. Microsoft was known as a vendor with the slowest signatures. Now, the home users are often protected some minutes/hours after the malware hits the Enterprise.
Yes. Microsoft detection speed has improved, but that doesn't solve the real issues with its protection. It is just another band aid applied to an open, festering sore.
 

shmu26

It is a bit more complex than that. It takes more than merely monitoring for vulnerable process execution. There are those here that think that is a panacea - and it just ain't true.

I don't want to say too much because fanbois of certain products will come onto this thread and start to cry like babies.
Come on, forget about crybabies. Tell us why it isn't a panacea, and what can be done about it.
Did you have in mind exploits like process hollowing and reflective DLL loading? AFAIK, attacks like that usually need to first drop a file, or live off the land.

509322

We know it can be done. But would you call this a threat typically faced by a home user?
Infection is a probability game. Therefore, one can state default Windows security is sufficient. On the other hand, there are those that want or argue for protection against the improbable. From their point of view, default Windows security isn't sufficient. To some extent, the statistics out there will influence peoples' perspective on the issue of infection or the potential for infection. Based upon the IT security news, one would not be remiss in thinking that the terminators will kill us all - IF one accepts the IT security news at face value.

The probability where you live is higher when you walk out your front door that you will be shot. Be that as it may, I bet you don't wear a bulletproof vest. And I know there are people in your homeland that are compulsive bulletproof vest wearers. I know because I've seen it with my own two eyes. However, they are the exception and not the norm. Wearing a heavy kevlar vest is a pain, even in temperate climates. So most people just don't do

Debates of theoretical versus practical (probabilities) aren't very helpful either because, for whatever reasons, a lot of people cannot grasp what is being said. Actually, I think the issue is simply a matter of user expectations - which is that they want and expect absolute protection.

The reality is this... home users can go up against anything and everything. There is no limit in that regard. That is a theoretical capacity. However, there is the practical side of things. Most people don't want to hear practical. They want absolutes. And that is where their ignorance is reflected in their desires and expectations. Most people probably want to take a tank to a gun fight - and while that seems common sense - it is anything but, if you think about it carefully. Most of all, people expect to install a soft and be protected. Period. And it just doesn't work that way. People don't want to hear that, and even in the face of evidence, refuse to accept it. Like so many things in life, people are the problem - and that's something the industry just cannot fix.

For example, I know when Poweliks was raging, I never saw it. And over the period of a two year span, I know of only 3 infections. One wasn't active because our product hobbled it. The other two, internet security suites failed to stop it. Today, it is detected.

Paranoia is not helpful. It actually works against the paranoid types.

That there are people still asking about how to protect against fileless, which has been discussed and debated ad-nauseum here and across the net over the years, shows the problems I bring up here will likely never go away.
 

Andy Ful

In the home environment, the fileless attack can start mostly when the user opens something with embedded malicious content (web page, document, etc.). So, the first defense line should not be Anti-Exe, memory monitoring, and some other advanced security features but rather reducing the attack vectors:
  1. Safe web browser with sandboxing.
  2. Anti-spam software.
  3. Safe DNS (anti-phishing, anti-malware, anti-adware URL blocking) or web filtering via web browser extension.
  4. Avoiding the commonly abused software (MS Office, Adobe Acrobat Reader, etc.) or blocking the active content (at least) for viewing documents.
  5. Blocking script engines.
  6. Updating the system and software.
  7. Using trusted software portals to install applications.
There are surely some more. The stronger option is using a default-deny solution. The Enterprises have to use something like ATP, because they cannot adopt solutions like points 4, 5 and 6, and they are much more vulnerable via network attacks and generally via targeted attacks.
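Points 4 and 5 above (blocking active content in documents and blocking script engines) and the earlier remark in this thread that WD ASR and Network Protection are built into Windows 10 and can be configured on the Home edition via PowerShell cmdlets describe the same set of controls. The script below is an added example, not code from this thread or from Microsoft, showing how a defender would turn on those controls with the Microsoft Defender cmdlets (Add-MpPreference, Set-MpPreference, Get-MpPreference), start in audit mode, and read back the resulting Defender events. The function names are mine; the rule GUIDs are Microsoft's published ASR rule identifiers, and the hashtable descriptions are my own labels for them.

```powershell
# Added example (not from the thread or from Microsoft): enabling the Windows 10
# built-in ASR rules and Network Protection discussed above via the Defender
# PowerShell cmdlets. Run in an elevated PowerShell session on Windows 10 with
# Microsoft Defender Antivirus active. Function names are hypothetical; the GUIDs
# are Microsoft's published ASR rule identifiers.
#Requires -RunAsAdministrator

# ASR rules that close the "living off the land" entry points the thread
# describes: documents spawning processes, script engines launching downloaded
# payloads, obfuscated scripts, and Office code injection. Labels are mine.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

function Set-AsrRules {
    param(
        # Start in AuditMode so blocked actions are only logged; move to Enabled
        # once the event log shows no legitimate workflow would be affected.
        [ValidateSet('Enabled', 'AuditMode', 'Disabled')]
        [string]$Action = 'AuditMode'
    )
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference appends (or updates) one rule/action pair at a time.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-10} {1}" -f $Action, $AsrRules[$id])
    }
}

function Enable-NetworkProtection {
    # Network Protection blocks outbound connections to known-bad domains and
    # IPs from any process, not only the browser (complements point 3 above).
    Set-MpPreference -EnableNetworkProtection Enabled
}

function Get-AsrStatus {
    # Join the configured rule IDs and their actions back into readable rows.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $name = if ($AsrRules.ContainsKey($ids[$i])) { $AsrRules[$ids[$i]] } else { '(rule not in this list)' }
        $mode = switch ([int]$actions[$i]) {
            0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } 6 { 'Warn' } default { $actions[$i] }
        }
        [pscustomobject]@{ Id = $ids[$i]; Action = $mode; Rule = $name }
    }
    Write-Host "Network Protection setting: $($pref.EnableNetworkProtection)"
}

function Get-AsrEvents {
    # ASR blocks (event ID 1121) and audit hits (1122) are written to the
    # Defender operational log; review these before switching AuditMode to Enabled.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Roll out in audit mode first, enable Network Protection, then inspect.
Set-AsrRules -Action AuditMode
Enable-NetworkProtection
Get-AsrStatus | Format-Table -AutoSize
Get-AsrEvents
```

Once a few days of 1122 audit events show nothing legitimate being caught, re-run `Set-AsrRules -Action Enabled`; the same rules can also be pushed by GPO or Intune in an enterprise, which is the path the thread's ATP discussion assumes.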