The threat of fileless malware and its potential to harm enterprises is growing.
Fileless malware leverages what threat actors call “living off the land,” meaning the malware uses code that already exists on the average Windows computer. When you think about the modern Windows setup, this is a lot of code: PowerShell, Windows Management Instrumentation (WMI), Visual Basic (VB), Windows Registry keys that hold actionable data, the .NET framework, etc. Malware doesn’t have to drop a file to turn these programs to malicious ends.
The combination of all of these code sources is generally called process hollowing — a tactic in which malware uses a particular process as a storage container and distribution mechanism for its code. One recent attack discovered by FireEye combined PowerShell, VB scripts and .NET in a single lethal package.
Attacks leveraging PowerShell are particularly on the rise. Last fall, IBM X-Force Incident Response and Intelligence Services (IRIS) demonstrated just how potent PowerShell-based exploits can be, since code is executed directly from a PC’s memory. Plus, PowerShell can be used for remote access attacks and get around application whitelisting protections.
Given this growing threat, what can security teams do to help defend their organizations against fileless malware?
Ensure Strong Companywide Security Hygiene
The general thrust of how to combat fileless malware begins with making sure your Windows computers are patched and up to date. Since one of the first things threat actors do is take advantage of unpatched, older systems, delaying patch management introduces a vulnerability into your network. The spread of EternalBlue illustrated this well: the patch was available for more than a month before the exploit was launched.
The next step is to ensure you have a solid security awareness training regimen. This doesn’t mean running annual exercises or sending out the occasional test phishing email. Instead, come up with a program that operates continuously and keeps users aware of the dangers of email attachments and of clicking on links willy-nilly. Most fileless campaigns begin their life with a simple phishing email, so it is important to nip these entry points in the bud.
Third is to understand the behavior of built-in Windows code so you can spot anomalies, such as when encrypted PowerShell scripts are installed to run as a service. The combination of the two — the encryption and the service feature — should be a red flag. Analysts sometimes see compression tools instead of or in addition to encryption as well. Another red flag is finding a PowerShell script hiding in the \TEMP directory; while not technically fileless, this code quickly moves to more dangerous parts of the operating system (OS).
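As an added example (not code from the original article), the following Python script applies the red flags just described to Windows event log lines: an encoded PowerShell command installed as a service, a decoded payload that references compression, a hidden window, and a .ps1 script run from a TEMP directory. The event lines, the inert payload and the flattened `Key=value` layout are constructed for this example; it assumes service installs arrive as event ID 7045 with an `ImagePath` field and process creations as event ID 4688 with a `CommandLine` field, and it decodes `-EncodedCommand` blobs the way PowerShell does (UTF-16LE text, then Base64).

```python
"""Flag PowerShell activity matching the red flags in the text: encoded
scripts installed as a service, payloads that reference compression, hidden
windows and .ps1 files run from TEMP. Event lines are constructed samples."""
import base64
import re
from typing import Dict, List, Optional


def encode_ps(command: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(b64: str) -> Optional[str]:
    """Reverse encode_ps; return None when the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed, inert payload: it only references a compression class so the
# compression heuristic has something to find.
_PAYLOAD = "$s = [IO.Compression.GzipStream]; Write-Output 'constructed placeholder'"

# Constructed sample events (assumed flattened Key=value format, not real telemetry).
SAMPLE_EVENTS = [
    # Service install (7045) whose binary path is an encoded, hidden PowerShell command.
    'EventID=7045 ServiceName=WinUpdateSvc ImagePath="powershell.exe -NoP -W Hidden -EncodedCommand '
    + encode_ps(_PAYLOAD) + '"',
    # Benign service install.
    'EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
    # Process creation (4688) running a script out of the user's TEMP directory.
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1"',
    # Encoded command whose blob cannot be decoded (3 bytes is not valid UTF-16LE); still flagged.
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -enc QUJD"',
    # Ordinary administrative use: no findings expected.
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -Command Get-Service"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ENCODED = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
HIDDEN = re.compile(r'-w(?:indowstyle)?\s+hidden', re.IGNORECASE)
TEMP_SCRIPT = re.compile(r'\\temp\\[^\s"]*\.ps1', re.IGNORECASE)
COMPRESSION = re.compile(r'IO\.Compression|GzipStream|DeflateStream|Decompress', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse a flattened 'Key=value Key="quoted value"' event line into a dict."""
    return {k: q or u for k, q, u in KV.findall(line)}


def analyze_event(line: str) -> Dict[str, object]:
    """Return the event's fields plus a 'findings' list (empty when nothing is suspicious)."""
    ev: Dict[str, object] = dict(parse_event(line))
    cmd = str(ev.get("ImagePath") or ev.get("CommandLine") or "")
    findings: List[str] = []
    ev["findings"] = findings
    if "powershell" not in cmd.lower():
        return ev
    enc = ENCODED.search(cmd)
    if enc:
        where = "installed as a service" if ev.get("EventID") == "7045" else "on the command line"
        findings.append(f"encoded PowerShell {where}")
        decoded = decode_ps(enc.group(1))
        ev["decoded"] = decoded  # None when the blob cannot be decoded
        if decoded is None:
            findings.append("encoded blob is not valid Base64/UTF-16LE")
        elif COMPRESSION.search(decoded):
            findings.append("decoded payload references compression")
    if HIDDEN.search(cmd):
        findings.append("hidden window requested")
    if TEMP_SCRIPT.search(cmd):
        findings.append("script run from a TEMP directory")
    return ev


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the events that produced at least one finding."""
    return [ev for ev in (analyze_event(line) for line in lines) if ev["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit.get("EventID"), hit.get("ServiceName", ""), hit["findings"])
```

Running the script reports three of the five sample events: the encoded service (with the decoded payload available for an analyst to read), the script launched from TEMP, and the undecodable blob, which is still flagged because a blob that does not decode is itself suspicious rather than a reason to skip the event.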
Understand Your Access Rights and Privileges
Organizations should understand what happens when fileless malware first detonates. Just because you have a user who clicked on a malicious attachment doesn’t mean the malware will stay on their PC. Instead, a typical behavior is for the malware to move across your network to find a richer target, such as a domain controller or web server. To prevent this, you should segment your network carefully and make sure you understand access rights, especially for third-party applications and users.
A common attack method is escalating privileges as malware moves around the network, which can be done using PowerShell, for example. They don’t call it PowerShell for nothing: An actor can issue commands for reverse Domain Name System (DNS) queries, enumerate access control lists on any network share and find members of a particular domain group. This means one of the more basic controls for any malware is to restrict administrator rights to the minimum number of systems.
Many fileless exploits count on the profligate use of rights: rights that aren’t needed, rights still attached to users who have since left the company, or outdated rights held by users who no longer access the targeted applications. Companies should develop methods to detect when these situations occur and be able to shut them down quickly. Organizations should also disable Windows programs that aren’t needed. Not everyone needs PowerShell running on their computer, or support for the .NET framework. Even more effective is to eliminate support for ancient protocols such as SMBv1, which was what caused all the trouble with WannaCry.
Finally, while PowerShell can get around application whitelisting, it is still a good idea to deploy such controls. The more you know about how your users consume applications, the more likely you will be able to catch a piece of malware doing something that no other legit app has been observed doing. Another way is to disable macros, including Office macros, which are often abused by malware writers, although this isn’t a universal solution because many users do need them to do their jobs.
As a side note, Windows can be used for more than just desktop computers, and threat actors will sometimes target embedded Windows point-of-sale (POS) machines. The attraction here is that these computers have direct access to payment card data, so having extra protection for this population is crucial.
Combat Fileless Malware Threats With Careful Coordination
Microsoft hasn’t been standing still while fileless attacks run rampant. In fact, the company has developed an open interface called the Antimalware Scan Interface (AMSI) that some vendors have begun using to make it easier to detect the “tells” of the fileless world, especially when it comes to analyzing scripting behavior.
In addition, anyone who wants to gain a better understanding of fileless attacks should check out the open source project AltFS. This is a complete fileless virtual file system to demonstrate how these techniques work, and it can be deployed on Windows and Mac PCs.
As you can see, fighting fileless malware attacks will take some serious effort and careful coordination among a variety of tools and techniques. With more unpredictable malware threats on the horizon, organizations should take steps today to strengthen their defenses.