The evolution of the new and difficult-to-detect category of fileless attacks may soon take an insidious turn with the development of what some researchers are calling vaporworms.

As the name suggests, fileless malware differs from conventional malware in that it doesn’t require a file to be created and saved on a computer. Instead, it leverages scripts or even legitimate running processes to inject itself directly into a device’s memory. But what’s on the horizon for this emerging threat?

The Threat of Fileless Attacks

Trend Micro first reported on a fileless payload with wormlike replication capabilities in November 2018. The malware, a fileless version of the Bladabindi backdoor, avoided detection by depositing its payload in the Windows registry, which is a key-value database that exists only in Windows memory. It then created another registry entry that instructed Windows to load it at boot time. Because the entire process took place in memory, it didn’t leave a trail on the infected computer’s hard disk drive.

The emergence of vaporworms indicates that fileless malware has now taken on self-propagating capabilities, a development that could greatly magnify its impact. However, the only vaporworms that have been detected so far in the wild propagate by installing copies of themselves on removable storage devices, such as flash drives and external disk drives. This enables them to spread without leaving a trace on the host’s primary storage media. Every time an infected drive is plugged into a new machine, the infection cycle begins again. This is a fairly primitive form of propagation, but a potentially disturbing harbinger of things to come.

This kind of threat can be detected, but not with conventional anti-malware products that work by matching files stored on disks to known malware signatures. Since this new kind of malware never saves a copy of itself to a disk, it can’t be detected by these more traditional scanners. Unfortunately, detection currently must take place after the fact, and an intruder can do a lot of damage if the attack is not intercepted early.

An Old Nemesis Reinvented

Fileless attacks actually aren’t new — the Code Red worm that infected nearly 360,000 Microsoft Internet Information Services servers in 2001 was an early version of a fileless threat — but the concept has re-emerged over the past couple of years with a focus on endpoint devices. According to SentinelOne, fileless attacks rose by 94 percent in the first half of 2018. Given how efficiently threat actors can compromise endpoints using this tactic, the threat of fileless malware shows no signs of slowing down.

Trend Micro’s discovery of a variation of the well-known Bladabindi backdoor alarmed many security researchers. Analysts found an open-source scripting tool that worked with PowerShell to compile itself into a single executable file that installed the malware, modified the registry and installed hidden copies of itself on removable media. This made it both difficult to detect and easy to spread.

“The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat,” wrote Trend Micro’s Carl Maverick R. Pascual.

It was the self-replication features that gave birth to the term vaporworms. Once malware acquires the ability to infiltrate network shares, it can spread at exponential speed. Some researchers have drawn analogies to the WannaCry/WanaCrypt0r 2.0 ransomware attack of 2017, which hit organizations in more than 100 countries in just 48 hours.

When It Comes to Vaporworms, You Can’t Be Too Cautious

So far, there is no evidence that any fileless variants use networks to replicate, but the possibility should have enterprise security teams on high alert. For now, the best protection is to closely monitor the use of removable storage devices, double down on endpoint security and restrict the use of tools like PowerShell.

While conventional anti-malware protection may not detect in-memory signatures, makers of those tools are continually evolving their products to adapt to new threats. In the meantime, security professionals should use intrusion prevention systems to look for signs of vaporworm damage and limit the rate of infection. Endpoint detection solutions can also monitor for suspicious activity that indicates the presence of a backdoor Trojan.
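As an added example (not code from the article or from Trend Micro's analysis), the following Python triages constructed Sysmon-style registry-set events for the persistence pattern described above: an autorun value that hands control to a script interpreter, ranked by traits of a registry-resident, in-memory loader. The event field names, the autorun key list and the sample records are assumptions.

```python
# Constructed example: records imitate Sysmon Event ID 13 (registry value set)
# as a SIEM might export them; field names and key list are assumptions.
import re

# Autostart locations Windows consults at boot or logon (assumed subset)
AUTORUN_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")

# Script hosts that can run a payload with no file dropped for it
INTERPRETERS = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)\b", re.I)

# Traits typical of a registry-stored, in-memory loader; each adds one flag
SUSPICIOUS = {
    "encoded_command": re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-(ep|ex\w*)\s+bypass", re.I),
    "reads_registry_payload": re.compile(r"Get-ItemProperty|\bgp\b|GetValue\(", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}

def score_event(event):
    """Return (is_autorun_interpreter, flags) for one registry-set event."""
    if event.get("EventID") != 13:
        return False, []
    target, details = event.get("TargetObject", ""), event.get("Details", "")
    if not any(k.lower() in target.lower() for k in AUTORUN_KEYS):
        return False, []
    if not INTERPRETERS.search(details):
        return False, []
    return True, [name for name, rx in SUSPICIOUS.items() if rx.search(details)]

def triage(events, min_flags=1):
    """Return autorun entries worth an analyst's time, most flags first."""
    hits = []
    for ev in events:
        autorun, flags = score_event(ev)
        if autorun and len(flags) >= min_flags:
            hits.append({"host": ev["Computer"], "value": ev["TargetObject"], "flags": flags})
    return sorted(hits, key=lambda h: len(h["flags"]), reverse=True)

# Constructed samples: a registry-resident loader, a benign autorun, an
# on-disk script autorun (interpreter but zero flags) and a non-registry event
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS-0142",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -ep bypass -c IEX (Get-ItemProperty HKCU:\Software\Example).Payload"},
    {"EventID": 13, "Computer": "WS-0142",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Computer": "WS-0077",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"wscript.exe //B C:\Users\Public\svc.vbs"},
    {"EventID": 1, "Computer": "WS-0077", "TargetObject": "", "Details": "powershell.exe"},
]
```

Lowering `min_flags` to 0 also surfaces the on-disk script autorun, which is how the heuristic trades noise for coverage on hosts where any interpreter in an autorun value is abnormal.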

The nightmare scenario is that fileless malware merges with ransomware to create a highly malicious and almost undetectable vaporworm threat that can infect entire enterprise networks in a matter of minutes. There’s no indication this has happened yet, but as is always the case with cybersecurity, you can’t be too cautious.
