What is fileless malware and how do you protect against it?

oldschool
Mar 29, 2018
Here's a nice article poached from Wilders, which might interest especially those wishing to improve their understanding of malware types, behaviors, etc.:

When you get tricked by a phishing mail and open a document attachment that has a malicious macro or a link to a malicious site, or you download an infected application, there's a file that antivirus software can scan as it's saved to or opened from disk, and there's a trail of file activity that you can look back at if you're trying to review the damage done. To get around those protections, attackers are starting to use 'fileless' malware where the attacks run directly in memory or use system tools that are already installed to run malicious code without saving files that antivirus software can scan.

That could mean tricking a user into running a script that executes a .NET binary directly from memory, like Sharpshooter, which downloads the malware payload via the text records of DNS queries. Or it could mean sending malicious network packets that exploit the EternalBlue vulnerability and install the DoublePulsar backdoor in kernel memory. It could mean storing the malicious payload in the Registry as a handler for a file extension so it runs when you open a normal file with that extension. Kovter, for example, used that to download Mimikatz and steal credentials, putting the payload in a DLL that's encoded into a string and run with a PowerShell command, installing a malicious PowerShell command in the WMI repository and configuring it to run at regular intervals. The malicious code could even be in device firmware or a peripheral like BadUSB; that way, the payload can run in memory and keep coming back even if you reboot, reinstall Windows or reformat the disk.
Fileless techniques can be extremely advanced, and they are harder for traditional antivirus software to detect. But not every advanced malware attack is fileless and throwing the term around doesn't help organisations defend against it, Tanmay Ganacharya told TechRepublic. Ganacharya runs the Microsoft Defender threat research team, which analyses new threats and builds models to detect them. "Fileless is such an overused term, and it has gone from the truly fileless threats, to now people wanting to call almost everything that is even slightly advanced fileless and making it slightly buzzwordy," he says.
To demystify the term, the threat research team started categorising fileless attacks based on how they get onto a PC and where they're hosted. There are more than a dozen combinations of those 'entry points' and malware hosts being used for fileless attacks — some of which are very sophisticated and are rarely used for targeted attacks, and some of which have been commoditised and are showing up more often for common attacks like trying to run a coin miner on your system. But they fall into three broad groups.
[Image: Microsoft's fileless malware taxonomy (fileless-taxonomy.jpg)]

"Type one is truly fileless, where the attack is delivered on the network or from a device, the payload is handled in memory and almost nothing touches the disk at all," says Ganacharya. EternalBlue and BadUSB are truly fileless attacks — and they're rare. "These are truly the most advanced attacks out there, but most of the attacks that get called fileless don't belong in this group. This kind of attack and exploitation has been getting harder and harder, so it's difficult for these to become commoditised."
Type two is a little more common, Ganacharya says. Type two attacks do use files, but not directly, so they still count as fileless. "Think of scripts being used to launch attacks, whether it's JavaScript or PowerShell. We see a few that target the MBR and try to render machines completely useless so they won't boot. But they mostly use the registry and WMI and various other mechanisms like PowerShell to leverage some of the tools that are already present on the system to sequence setup activities."
That's called 'living off the land', and it's hard to detect with standard antivirus tools because those legitimate tools don't trigger warnings and the files malware does save are obfuscated and full of junk data that's easy to change to create a new attack. You can't clean it up by deleting files either, because you can't just delete key parts of Windows like the Registry and the WMI repository.
The most common fileless attacks actually do use files, but they don't run the attacks from those files directly. "Type three clearly start with a file whether it's a document file with a macro in it, or a Java file, or Flash file, and sometimes even EXE files that drop certain files, but then persistence is fileless," Ganacharya says. "So once the payload is dropped, the payload achieves persistence by either staying just in memory or staying in the registry and running from there."
Many of those Type three attacks come from email, but the file attachments won't show up as obviously malicious if an antivirus scans the files. "You don't generally attach an EXE file, you attach a document with a macro and that links to another file and then that file goes and downloads the payload," Ganacharya explains. VBA code doesn't have a binary that antivirus software can scan, but it can load PowerShell scripts that download and run attacks.
How to detect fileless attacks
...
Continue reading here: What is fileless malware and how do you protect against it?
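The article stops short of the "how to detect" part, so here is a read-only hunt script for the Type two hosts it names: WMI permanent event subscriptions, autorun keys that launch an interpreter or decode/download code, and the Kovter-style per-user file-extension handler. This is an added example, not code from the TechRepublic article or from any poster in this thread. It assumes the standard Windows registry locations and root/subscription WMI classes; the keyword list and the 16-character base64 threshold are this editor's choices, not Microsoft's.

```powershell
# Added example: hunts the local machine for the WMI- and registry-resident launchers the
# article describes. Run from an elevated PowerShell; it only reads, never deletes.
# Assumptions: standard Windows registry paths and root/subscription classes; the keyword
# list below is this editor's, not a Microsoft signature set.

$Suspicious = '(?i)powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|javascript:|vbscript:|' +
              'FromBase64String|\bIEX\b|Invoke-Expression|DownloadString|-enc|-w(indowstyle)?\s+hidden|-nop'

function Decode-EncodedCommand {
    # PowerShell's -EncodedCommand (any prefix: -e, -enc, ...) takes base64 of UTF-16LE text.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }    # not really base64 (e.g. -ExecutionPolicy followed by a long word)
    }
    return $null
}

function New-Finding($Source, $Location, $Data) {
    [pscustomobject]@{
        Source   = $Source
        Location = $Location
        Data     = $Data
        Decoded  = Decode-EncodedCommand $Data
    }
}

$findings = @()

# 1. WMI permanent event subscriptions. A clean box normally shows only the built-in
#    "SCM Event Log Filter" here; any CommandLine/ActiveScript consumer deserves a look.
$ns = 'root/subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += New-Finding 'WMI filter' $_.Name $_.Query }
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += New-Finding 'WMI cmdline consumer' $_.Name "$($_.ExecutablePath) $($_.CommandLineTemplate)" }
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += New-Finding 'WMI script consumer' $_.Name $_.ScriptText }
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += New-Finding 'WMI binding' "$($_.Filter)" "$($_.Consumer)" }

# 2. Classic autorun keys whose data calls an interpreter or decodes/downloads code.
$autoruns = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$psMeta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider metadata, not values
foreach ($key in $autoruns) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }
        $data = [string]$p.Value
        if ($data -match $Suspicious) { $findings += New-Finding 'Autorun' "$key\$($p.Name)" $data }
    }
}

# 3. Per-user file-extension handlers (the Kovter trick): .ext -> ProgId -> shell\open\command
#    that points at mshta/javascript or an encoded PowerShell command instead of a normal app.
Get-ChildItem 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
        if ($progId -and (Test-Path $cmdKey)) {
            $cmd = [string](Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd -match $Suspicious) { $findings += New-Finding 'Ext handler' "$($_.PSChildName) -> $progId" $cmd }
        }
    }

$findings | Sort-Object Source | Format-List
```

Expect the built-in SCM Event Log filter and binding in the WMI output on every Windows host; anything else in root/subscription, any autorun value with a decoded payload, and any extension handler that launches mshta or PowerShell is what the article's "registry and WMI" persistence looks like on disk. The Decoded column is where the "DLL encoded into a string" from the Kovter description becomes readable.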
 
93803123

[quotes oldschool's post above]

The only way to assuredly protect against fileless malware is to block file types and the underlying interpreters on a full-time basis. Sometimes, even libraries (DLLs) need to be blocked. These steps cover both disk and memory, not to mention the vast majority of exploits. Anti-executables that allow something to launch and then hold it in a suspended state are susceptible to bypasses. And AV, behavioral monitoring and sandboxing have all proven to fail in corner cases. Coders cannot foresee everything that is possible. So they deserve a reasonable amount of understanding. A good best-effort is good enough. Unreasonable expectations are not acceptable.

That's not to say one is much better than the other. The determinant is how paranoid the user is. If they want the highest security, then they use SRP. If they want usability with high security, then they use one of the more popular security software products. After all, in the end we are sometimes talking about differences as small as 0.2 or 0.1 %. It's pointless to argue over such tiny, practically meaningless differences.

Here at engineering user lab, SRP always works best. But whatever, you have a lot of solid options available to you.
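The post above leans on Software Restriction Policies blocking file types, interpreters and, where needed, DLLs. The audit below is an added example (not the poster's configuration, not from the article) that reads the local SRP settings and flags the gaps that let script-based fileless tooling through: a default level other than Disallowed, DLLs exempted from checking, administrators exempted, script extensions missing from the enforced list, and Unrestricted path rules in user-writable locations. It assumes the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; the list of script extensions to check is this editor's choice.

```powershell
# Added example: read-only audit of the local Software Restriction Policy. Run elevated.
# Assumptions: documented SRP registry layout; $ScriptExts is this editor's list of
# interpreter extensions that Windows' default ExecutableTypes list does not include.

$Srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DefaultLevels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$ScriptExts = 'PS1','PSM1','JS','JSE','VBS','VBE','WSF','WSH','SCT','XSL'

function Get-SrpAudit {
    if (-not (Test-Path $Srp)) {
        return [pscustomobject]@{ Configured = $false; Issues = @('SRP is not configured on this host') }
    }
    $cfg = Get-ItemProperty -Path $Srp
    $issues = @()

    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted (the default when unset).
    $level = if ($null -eq $cfg.DefaultLevel) { 262144 } else { [int]$cfg.DefaultLevel }
    $levelName = if ($DefaultLevels.ContainsKey($level)) { $DefaultLevels[$level] } else { "unknown ($level)" }
    if ($level -ne 0) { $issues += "DefaultLevel is $levelName; interpreters and scripts run unless it is Disallowed" }

    # TransparentEnabled: 0 = off, 1 = all software files except libraries (default), 2 = DLLs too.
    $te = if ($null -eq $cfg.TransparentEnabled) { 1 } else { [int]$cfg.TransparentEnabled }
    if ($te -lt 2) { $issues += "TransparentEnabled=$te: libraries (DLLs) are not checked; 2 covers them" }

    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    if ([int]$cfg.PolicyScope -eq 1) { $issues += 'PolicyScope=1: local administrators are exempt from the policy' }

    # ExecutableTypes is the list of extensions SRP treats as code. The built-in list has EXE, BAT,
    # HTA, MSI etc. but no PS1/JS/VBS/WSF, so PowerShell and WSH scripts pass unless they are added.
    $types = @($cfg.ExecutableTypes) | Where-Object { $_ } | ForEach-Object { $_.ToUpper() }
    $missing = $ScriptExts | Where-Object { $_ -notin $types }
    if ($missing) { $issues += "ExecutableTypes lacks script extensions: $($missing -join ', ')" }

    # Path rules live under <level>\Paths: 0\Paths are Disallowed, 262144\Paths are Unrestricted.
    # An Unrestricted rule over a user-writable location lets anything dropped there run.
    $unrestricted = Get-ChildItem "$Srp\262144\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
    foreach ($rule in $unrestricted) {
        if ($rule -match '(?i)%temp%|%appdata%|%userprofile%|\\users\\|\\windows\\temp|\\windows\\tasks') {
            $issues += "Unrestricted path rule in a user-writable location: $rule"
        }
    }

    [pscustomobject]@{
        Configured         = $true
        DefaultLevel       = $levelName
        TransparentEnabled = $te
        ExecutableTypes    = $types
        UnrestrictedPaths  = @($unrestricted)
        Issues             = $issues
    }
}

Get-SrpAudit | Format-List
```

A host that passes this audit still needs the default %SystemRoot% Unrestricted rule looked at: standard users can write to subfolders such as C:\Windows\Temp and C:\Windows\Tasks, so those need explicit Disallowed path rules or the "block everything not in Windows and Program Files" model has a hole in it. Microsoft now steers new deployments toward AppLocker or WDAC for the same job, but the extension and DLL checks above apply to those too.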
 

shmu26
Jul 3, 2015
Most AVs offer limited protection against fileless malware. None offer comprehensive protection, unless you are a dedicated and knowledgeable tweaker. That's one of the main reasons why people use advanced security solutions in addition to their AV.
 
93803123

[quotes shmu26's post above]

AI/ML will be along in short enough order to scramble our eggs. That way we won't have to worry so much. We'll be too busy drooling over the tarragon-chervil-basil aroma to care much about any PC security stuff.

Oh man. I can't wait for that Hollandaise sauce. Yummy.
 
