The evolution of the new and difficult-to-detect category of fileless attacks may soon take an insidious turn with the development of what some researchers are calling vaporworms.

As the name suggests, fileless malware differs from conventional malware in that it doesn’t require a file to be created and saved on a computer. Instead, it leverages scripts or even legitimate running processes to inject itself directly into a device’s memory. But what’s on the horizon for this emerging threat?

The Threat of Fileless Attacks

Trend Micro first reported on a fileless payload with wormlike replication capabilities in November 2018. The malware, a fileless version of the Bladabindi backdoor, avoided detection by depositing its payload in the Windows registry, which is a key-value database that exists only in Windows memory. It then created another registry entry that instructed Windows to load it at boot time. Because the entire process took place in memory, it didn’t leave a trail on the infected computer’s hard disk drive.

The emergence of vaporworms indicates that fileless malware has now taken on self-propagating capabilities, a development that could greatly magnify its impact. However, the only vaporworms that have been detected so far in the wild propagate by installing copies of themselves on removable storage devices, such as flash drives and external disk drives. This enables them to spread without leaving a trace on the host’s primary storage media. Every time an infected drive is plugged into a new machine, the infection cycle begins again. This is a fairly primitive form of propagation, but a potentially disturbing harbinger of things to come.

This kind of threat can be detected, but not with conventional anti-malware products that work by matching files stored on disks to known malware signatures. Since this new kind of malware never saves a copy of itself to a disk, it can’t be detected by these more traditional scanners. Unfortunately, detection currently must take place after the fact, and an intruder can do a lot of damage if the attack is not intercepted early.

An Old Nemesis Reinvented

Fileless attacks actually aren’t new — the Code Red worm that infected nearly 360,000 Microsoft Internet Information Services servers in 2001 was an early version of a fileless threat — but the concept has re-emerged over the past couple of years with a focus on endpoint devices. According to SentinelOne, fileless attacks rose by 94 percent in the first half of 2018. Given how efficiently threat actors can compromise endpoints using this tactic, the threat of fileless malware shows no signs of slowing down.

Trend Micro’s discovery of a variation of the well-known Bladabindi backdoor alarmed many security researchers. Analysts found an open-source scripting tool that worked with PowerShell to compile itself into a single executable file that installed the malware, modified the registry and installed hidden copies of itself on removable media. This made it both difficult to detect and easy to spread.

“The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat,” wrote Trend Micro’s Carl Maverick R. Pascual.

It was the self-replication features that gave birth to the term vaporworms. Once malware acquires the ability to infiltrate network shares, it can spread at exponential speed. Some researchers have drawn analogies to the WannaCry/WanaCrypt0r 2.0 ransomware attack of 2017, which hit organizations in more than 100 countries in just 48 hours.

When It Comes to Vaporworms, You Can’t Be Too Cautious

So far, there is no evidence that any fileless variants use networks to replicate, but the possibility should have enterprise security teams on high alert. For now, the best protection is to closely monitor the use of removable storage devices, double down on endpoint security and restrict the use of tools like PowerShell.

While conventional anti-malware products may not detect threats that exist only in memory, makers of those tools are continually evolving their products to adapt to new threats. In the meantime, security professionals should use intrusion prevention systems to look for signs of vaporworm damage and limit the rate of infection. Endpoint detection solutions can also monitor for suspicious activity that indicates the presence of a backdoor Trojan.
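The registry-based persistence described earlier and the endpoint-monitoring advice in this section suggest one concrete check a defender can run today: enumerate the autostart keys and flag entries that launch a script host with encoded, hidden or registry-reading command lines. The following Python script is an added example and is not code from the article or from Trend Micro. Its indicator patterns, weights and the sample entries are constructed assumptions for illustration; on a Windows host it reads the live Run/RunOnce keys through the standard winreg module, and elsewhere it triages the constructed samples.

```python
"""Triage of Windows autostart (Run/RunOnce) entries for script-host
launchers that resemble registry-resident, fileless persistence.

Added example, not code from the article or from Trend Micro.  The
indicator list, its weights and SAMPLE_ENTRIES are constructed for
illustration and are not taken from any specific malware sample."""
import re
import sys
from dataclasses import dataclass, field

# Interpreters that an autostart entry should rarely invoke directly.
SCRIPT_HOSTS = {"powershell", "pwsh", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32", "cmd"}

# (pattern, weight, reason).  Weights are an illustrative assumption.
INDICATORS = [
    (re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3, "base64-encoded command"),
    (re.compile(r"-(w(indowstyle)?)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 2, "in-memory script evaluation"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I), 2, "fetches content from the network"),
    (re.compile(r"get-itemproperty|\bhk(lm|cu|cr|u):", re.I), 2, "reads payload from the registry"),
    (re.compile(r"-(nop|noprofile)\b", re.I), 1, "profile bypass"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"[A-Za-z]:\\[^\s\"]*\.(vbs|vbe|js|jse|hta|ps1|bat|cmd)\b", re.I), 1, "launches a script file"),
    (re.compile(r"\\(public|temp|programdata)\\", re.I), 1, "runs from a world-writable directory"),
]


@dataclass
class Finding:
    name: str
    command: str
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Thresholds are an assumption; tune them against your own baseline.
        if self.score >= 3:
            return "suspicious"
        if self.score >= 1 or self.host in SCRIPT_HOSTS:
            return "review"
        return "benign"


def host_of(command: str) -> str:
    """Return the lower-cased basename (without .exe) of the launched program."""
    cmd = command.strip()
    if cmd.startswith('"'):                       # quoted path, may contain spaces
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(None, 1)[0] if cmd else ""
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def triage(name: str, command: str) -> Finding:
    """Score one autostart entry against the indicator list."""
    finding = Finding(name=name, command=command, host=host_of(command))
    for pattern, weight, reason in INDICATORS:
        if pattern.search(command):
            finding.score += weight
            finding.reasons.append(reason)
    return finding


def triage_all(entries):
    return [triage(name, command) for name, command in entries]


def collect_run_entries():
    """Read HKLM/HKCU Run and RunOnce on a live Windows host; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    paths = [r"Software\Microsoft\Windows\CurrentVersion\Run",
             r"Software\Microsoft\Windows\CurrentVersion\RunOnce"]
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in paths:
            try:
                with winreg.OpenKey(hive, path) as key:
                    index = 0
                    while True:
                        try:
                            value_name, data, _ = winreg.EnumValue(key, index)
                        except OSError:          # no more values under this key
                            break
                        entries.append((value_name, str(data)))
                        index += 1
            except OSError:                      # key absent or not readable
                continue
    return entries


# Constructed sample entries: two ordinary autostarts, two admin-style script
# launchers worth a second look, and two that resemble the in-memory launcher
# the article describes.  None of these is a real malware artifact.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("Backup", r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ("svchost", r"wscript.exe //B C:\Users\Public\Libraries\update.vbs"),
    ("WindowsUpdateHelper",
     r'powershell.exe -nop -w hidden -ep bypass -c "iex (gp HKCU:\Software\Classes\x).y"'),
    ("Updater", "powershell.exe -e QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),  # constructed; decodes to 'AAA...'
]

if __name__ == "__main__":
    for finding in triage_all(collect_run_entries() or SAMPLE_ENTRIES):
        print(f"{finding.verdict:10} {finding.name:20} score={finding.score} "
              f"{', '.join(finding.reasons) or '-'}")
```

Run as a scheduled job or from an EDR response action, the output gives an analyst a short list to allow-list or investigate; anything rated "suspicious" is a candidate for memory capture of the launched process, since by the article's account the payload may exist nowhere else. The indicator weights are deliberately simple so the logic is auditable; a production version would also check the other autostart locations (services, scheduled tasks, WMI subscriptions) that the same technique can abuse.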

The nightmare scenario is that fileless malware merges with ransomware to create a highly malicious and almost undetectable vaporworm threat that can infect entire enterprise networks in a matter of minutes. There’s no indication this has happened yet, but as is always the case with cybersecurity, you can’t be too cautious.
