The evolution of the new and difficult-to-detect category of fileless attacks may soon take an insidious turn with the development of what some researchers are calling vaporworms.
As the name suggests, fileless malware differs from conventional malware in that it doesn’t require a file to be created and saved on a computer. Instead, it leverages scripts or even legitimate running processes to inject itself directly into a device’s memory. But what’s on the horizon for this emerging threat?
The Threat of Fileless Attacks
Trend Micro first reported on a fileless payload with wormlike replication capabilities in November 2018. The malware, a fileless version of the Bladabindi backdoor, avoided detection by depositing its payload in the Windows registry, which is a key-value database that exists only in Windows memory. It then created another registry entry that instructed Windows to load it at boot time. Because the entire process took place in memory, it didn’t leave a trail on the infected computer’s hard disk drive.
The emergence of vaporworms indicates that fileless malware has now taken on self-propagating capabilities, a development that could greatly magnify its impact. However, the only vaporworms that have been detected so far in the wild propagate by installing copies of themselves on removable storage devices, such as flash drives and external disk drives. This enables them to spread without leaving a trace on the host’s primary storage media. Every time an infected drive is plugged into a new machine, the infection cycle begins again. This is a fairly primitive form of propagation, but a potentially disturbing harbinger of things to come.
This kind of threat can be detected, but not with conventional anti-malware products that work by matching files stored on disks to known malware signatures. Since this new kind of malware never saves a copy of itself to a disk, it can’t be detected by these more traditional scanners. Unfortunately, detection currently must take place after the fact, and an intruder can do a lot of damage if the attack is not intercepted early.
An Old Nemesis Reinvented
Fileless attacks actually aren’t new — the Code Red worm that infected nearly 360,000 Microsoft Internet Information Services servers in 2001 was an early version of a fileless threat — but the concept has re-emerged over the past couple years with a focus on endpoint devices. According to SentinelOne, fileless attacks rose by 94 percent in the first half of 2018. Given how efficiently threat actors can compromise endpoints using this tactic, the threat of fileless malware shows no signs of slowing down.
Trend Micro’s discovery of a variation of the well-known Bladabindi backdoor alarmed many security researchers. Analysts found an open-source scripting tool that worked with PowerShell to compile itself into a single executable file that installed the malware, modified the registry and installed hidden copies of itself on removable media. This made it both difficult to detect and easy to spread.
“The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat,” wrote Trend Micro’s Carl Maverick R. Pascual.
It was the self-replication features that gave birth to the term vaporworms. Once malware acquires the ability to infiltrate network shares, it can spread at exponential speed. Some researchers have drawn analogies to the WannaCry/WanaCrypt0r 2.0 ransomware attack of 2017, which hit organizations in more than 100 countries in just 48 hours.
When it Comes to Vaporworms, You Can’t Be Too Cautious
So far, there is no evidence that any fileless variants use networks to replicate, but the possibility should have enterprise security teams on high alert. For now, the best protection is to closely monitor the use of removable storage devices, double down on endpoint security and restrict the use of tools like PowerShell.
While conventional anti-malware protection may not detect in-memory signatures, makers of those tools are continually evolving their products to adapt to new threats. In the meantime, security professionals should use intrusion prevention systems to look for signs of vaporworm damage and limit the rate of infection. Endpoint detection solutions can also monitor for suspicious activity that indicates the presence of a backdoor Trojan.
The nightmare scenario is that fileless malware merges with ransomware to create a highly malicious and almost undetectable vaporworm threat that can infect entire enterprise networks in a matter of minutes. There’s no indication this has happened yet, but as is always the case with cybersecurity, you can’t be too cautious.