Cylance vs. Fileless Malware

Fileless, Malwareless, In-Memory Malware… regardless of what trendy names these attacks are given by the press, they all share the same attack characteristics. Generally speaking, these attacks do not write files to disk, but rather, they exist and operate solely within system memory. They often utilize common admin tools such as PowerShell that are widely available yet rarely controlled on most enterprise systems. As a result, these attacks are often called ‘living off the land’ attacks as well.   

Today’s Threat Spotlight blog by the Cylance Threat Guidance team highlights the technical details of two such malware families. Our endpoint protection product CylancePROTECT® uses artificial intelligence and machine learning to easily thwart these types of attacks in your enterprise.

Introduction

Fileless malware is relatively sophisticated to build and deploy; as a result it is still rare in the wild, but it poses a very real threat. It differs from most other malware by not leaving files on disk – hence its name. Instead, it uses a variety of tricks to stay resident in memory and to run commands and tools that already exist on the machine.

Often it uses a tool such as PowerShell to coordinate the attack, together with a Meterpreter payload whose in-memory DLL-injection stagers set up further attacks. Because nothing is written to disk, it poses a unique challenge to traditional security products that rely on inspecting files on disk in order to match them against signatures.

Fileless Malware is Here to Stay

Two families of fileless malware, Poweliks and Kovter, use similar techniques to infect a system. First, JavaScript code is written into the registry under the Run key, along with an AutoRun entry that is used to read and decode the encoded JavaScript.
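Because both families persist through a Run-key value that launches a script host and decodes data stored in the registry, a defender's first check is to audit the Run keys for values that look like that rather than like a normal program path. The following is an added example, not code from Cylance or from the blog post; the heuristics (script-host executables, inline javascript:/vbscript: URIs, encoded PowerShell flags, long base64-like blobs, and value names containing control or non-ASCII characters that regedit cannot display properly) are the author's own choices, and every registry value in it is constructed for illustration, not taken from a real sample. It also parses a regedit `.reg` export so the same check can be run offline on keys exported from a suspect host, which goes beyond the single detail the post gives.

```python
import base64
import re
from typing import Dict, List

# Constructed sample of what Get-ItemProperty might return for
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value name -> data).
# The encoded blob is only base64(UTF-16LE "Write-Host hi"), so it is harmless.
HARMLESS_ENC = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "updater": 'mshta.exe "javascript:CONSTRUCTED_PLACEHOLDER"',
    "\u0000svc": "powershell.exe -w hidden -enc " + HARMLESS_ENC,  # hidden-name value
}

# Heuristics chosen for this example (assumption: tune thresholds per environment).
SCRIPT_HOSTS = re.compile(r"\b(mshta|wscript|cscript|rundll32|regsvr32|powershell)(\.exe)?\b", re.I)
SCRIPT_URI = re.compile(r"\b(javascript|vbscript):", re.I)
ENCODED_FLAG = re.compile(r"(^|\s)-e(nc|ncodedcommand)?\s", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def inspect_run_values(values: Dict[str, str]) -> List[dict]:
    """Return a finding for every Run-key value that trips at least one heuristic."""
    findings = []
    for name, data in values.items():
        reasons = []
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
            reasons.append("value name contains control or non-ASCII characters")
        if SCRIPT_HOSTS.search(data):
            reasons.append("launches a script host or proxy executable")
        if SCRIPT_URI.search(data):
            reasons.append("inline javascript:/vbscript: payload")
        if ENCODED_FLAG.search(data):
            reasons.append("encoded PowerShell command")
        if BASE64_BLOB.search(data):
            reasons.append("long base64-like blob")
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


# Parser for regedit .reg exports, so exported keys can be checked offline.
# Only REG_SZ lines ("name"="data") are handled; hex:/dword: lines are skipped.
REG_LINE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")


def _unescape(s: str) -> str:
    # .reg escapes backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, str]:
    """Collect string values from Run/RunOnce keys in a .reg export (constructed format handling)."""
    values: Dict[str, str] = {}
    in_run_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith(RUN_KEY_SUFFIXES)
            continue
        m = REG_LINE.match(line)
        if in_run_key and m:
            name = "@" if m.group(1) else _unescape(m.group(2))
            values[name] = _unescape(m.group(3))
    return values


# Constructed .reg export (not from a real machine) exercising both keys.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="mshta.exe \"javascript:CONSTRUCTED_PLACEHOLDER\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="cmd.exe /c del C:\\temp\\x.tmp"
'''

if __name__ == "__main__":
    for source, values in (("live-style sample", SAMPLE_RUN_VALUES),
                           (".reg export sample", parse_reg_export(SAMPLE_REG_EXPORT))):
        print(f"== {source} ==")
        for f in inspect_run_values(values):
            print(repr(f["name"]), "->", f["data"])
            for r in f["reasons"]:
                print("   *", r)
```

On a real host the same `inspect_run_values` can be fed the output of `Get-ItemProperty` on the HKCU and HKLM Run keys, or a `reg export` file through `parse_reg_export`; a value whose name cannot be displayed, or whose data launches a script host with an encoded argument, is worth treating as a persistence indicator even when no file on disk corresponds to it.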

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog