Fileless Malware
Guardian Digital Inc.
A new cyberattack has emerged that threatens your systems, your data, and your business. Fileless malware is an email-borne, payload-less attack that runs in a computer's random access memory (RAM) rather than from a malicious file, and exploits existing, trusted system applications to install and run malicious code on target systems.
After the code is installed, it is used to encrypt sensitive data and exfiltrate it directly to the attacker. This variant of malware is typically delivered via a phishing email and has become a common method of attack for cybercriminals because it is effective at evading security defenses, eavesdropping on corporate networks, compromising systems, and gaining access to sensitive data. A report from the Ponemon Institute found that fileless malware attacks are 10 times more successful than file-based ones.
Many businesses lack the necessary means to combat this stealthy threat and are ultimately paying the price in increased data theft, financial loss, system downtime, and damage to their reputation. Within the past few years, fileless malware has been responsible for a large portion of security incidents, including the 2017 Equifax breach, which compromised the personal information of 147.7 million Americans, and the 2016 Democratic National Committee (DNC) hack, in which confidential documents and emails from Hillary Clinton’s presidential campaign were leaked by the Russian government.
Unlike traditional malware, these attacks lack a signature because they do not rely on executable files. As a result, signature-based antivirus software and the majority of traditional email security solutions are unable to detect them. This leaves businesses’ critical data, accounts and systems unprotected and vulnerable to compromise.
Anatomy of a Fileless Malware Attack
Fileless malware attacks are carried out in a series of clearly defined steps, beginning with the initial lure of a phishing scam and ending with the compromise of sensitive data:
Step 1: A Victim Opens The Phishing Link
A victim opens a malicious URL delivered in a phishing email and is unknowingly led to a fraudulent website.
Step 2: The Fraudulent Website Runs An Application Triggering An Exploit
The fraudulent website scans for known vulnerabilities in applications such as Flash or Java, looking for a way to run malicious code in the browser's memory. Once a flaw is detected, an exploit against the vulnerable application is triggered.
Step 3: The Exploited Application Launches A LOLBin With A Command Line Operating In-Memory
The exploited program launches a known and trusted built-in operating system tool, or “LOLBin”, such as PowerShell, Microsoft Office macros, or WMI, with a command line that operates entirely in memory. This technique is known as “living off the land”.
Step 4: Encrypted Script Identifies Target Data
The launched LOLBin downloads an encrypted script from a command-and-control server operated by the attacker. The script is designed to identify the targeted data on the victim's system.
Step 5: Successful Attacks Send Data Directly to The Attacker
Once the targeted data has been identified, it is sent directly to the attacker. Unlike other malware variants, a fileless malware attack leaves no footprint or signature on the attacked system. The system tools exploited in these attacks cannot simply be disabled, so they remain in use until the operators force them to stop or the tools are rendered inoperable.
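Steps 3 and 4 above turn on a single observable: a trusted OS tool launched from the phishing lure (browser or Office process) with a command line built to run in memory. The following is an added example of the detection logic a defender could run over process-creation events; it is not from the original post, and the LOLBin and parent lists, the event field names, and the sample events are assumptions constructed for illustration.

```python
# Added example (not from the original post): flag a LOLBin launched from a lure process with in-memory flags.
import re
from pathlib import PureWindowsPath

# Assumed lists: LOLBins named on the page plus common scripting hosts, and the
# parent processes a phishing lure typically runs under (browser, Office).
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
                "winword.exe", "excel.exe", "outlook.exe"}
# Command-line markers of a script running purely in memory (case-insensitive).
IN_MEMORY_MARKERS = {
    "encoded command": re.compile(r"(?<![\w-])-e(?:nc(?:odedcommand)?)?\s", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "web download": re.compile(r"\b(?:downloadstring|downloadfile|invoke-webrequest)\b", re.I),
}

def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons): a lure parent weighs 2 (the page's key indicator), each marker 1."""
    image = PureWindowsPath(ev["image"]).name.lower()
    if image not in LOLBINS:
        return 0, []
    reasons, score = [], 0
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    if parent in LURE_PARENTS:
        reasons.append(f"{image} spawned by {parent}"); score += 2
    for name, rx in IN_MEMORY_MARKERS.items():
        if rx.search(ev["command_line"]):
            reasons.append(name); score += 1
    return score, reasons

def detect(events: list[dict], threshold: int = 2) -> dict[int, list[str]]:
    """Map pid -> reasons for every event scoring at or above the threshold."""
    hits = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits[ev["pid"]] = reasons
    return hits

# Constructed process-creation events (Sysmon-style fields, sample values only).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc QUJDREVGR0g="},  # placeholder base64
    {"pid": 4188, "parent_image": r"C:\Windows\explorer.exe",  # routine admin script, should not fire
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"pid": 4201, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "command_line": "wmic.exe os get caption"},
]
```

Running `detect(SAMPLE_EVENTS)` flags pids 4120 and 4201 and ignores 4188; the Office-spawned WMIC case fires on parentage alone, which is the Step 3 pattern, while the administrator's script run from Explorer with no in-memory markers stays quiet.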
Preventing An Attack
Best practices for protecting against fileless malware include:
Conclusion
To protect your business and your assets from fileless malware and other emerging attacks, consider implementing adaptive, layered email security defenses. As security defenses evolve, attackers continue to develop new methods for evading protection. Because of this, it is imperative that organizations choose a solution that is constantly learning from the threats that challenge it and rapidly updating its protection to defend against the latest attacks.