'Fileless malware' attacks, used on banks, have been around for years

[vemn]

Called "fileless malware" attacks because the malware resides only in memory and is mostly hidden, these exploits have been used by unknown cyberthieves to steal from ATMs and customer accounts. However, the full extent of damages isn't always known.

 

[viktik]

I was thinking about it.
just recently Kaspersky did detect an autorun malware in memory, but no malicious file was detected on the hard disk.

 

[vemn]

Curious to know how to replicate the case and test against the AV products. =)
Anyone care to share?

 

[vemn]

Fileless attacks against enterprise networks - Securelist

Fileless Malware Execution with PowerShell is Easier than You May Realize | McAfee Blogs

Lurk: Retracing the Group’s Five-Year Campaign - TrendLabs Security Intelligence Blog

Some additional reads

 

[Parsh]

Morphisec and Heimdal Security too have provided a nice dissection of Fileless malware, their base, propagation and infection techniques and necessary measures.

 

[Ink]

Banking system software is tested thoroughly, in controlled environments. See The Man who Protects Our Bank Accounts

But I suppose protecting your own PC and ATM machines is different.

 

[Wave]

Curious to know how to replicate the case and test against the AV products. =)
Anyone care to share?

Find malware which can be executed without any files being dropped - an example would be through a browser exploit, where the browser will execute the malicious shell-code remotely without any files needing to be dropped.

Good luck finding one, they aren't as common these days. You'll only really find attacks like this when lots of money is involved, and when it's being concealed very well.

 

[Kubla]

Find malware which can be executed without any files being dropped - an example would be through a browser exploit, where the browser will execute the malicious shell-code remotely without any files needing to be dropped.

Good luck finding one, they aren't as common these days. You'll only really find attacks like this when lots of money is involved, and when it's being concealed very well.

How do we know for sure they aren't any if our commonly used AV solutions can't detect them or at least can't be tested to see if they can?

Perhaps adding something like Heimdal that Parsh mentioned as an additional layer in one's protection scheme would not be a bad idea.

 

[Wave]

How do we know for sure they aren't as if our commonly used AV solutions can't detect them or at least can't be tested to see if they can?

The point of a fileless attack is to avoid detection and do things quick - if you drop to the system then the AV scanner will detect the I/O activity through it's file system mini-filter driver and scan the file and then scan the PE which was responsible for dropping it to disk. Unless your security product contains anti-exploit functionality then the chances of it detecting such an attack are slim, and even if they do have anti-exploit, the people doing these attacks can just use another exploit to prevent that detection.

The point of an exploit is to abuse an existent vulnerability for malicious purposes (whether the vulnerability is known to public or not), nothing you can do to stop them all... Hence why they are exploits!