The Art of Fileless Malware

Malware has become a critical trend for companies around the world. Ransomware and other threats are already lurking around the corner. The ability of cybercriminals to innovate cannot be ignored, and the proof of this is fileless malware: a type of malware that can be executed without installing software on a victim's machine. Instead, built-in tools of the Windows operating system (OS) are hijacked by cyber attackers and used to carry out the attacks.

Fileless attacks are one of the tools of choice for hackers because of the imperceptible way they can infect systems without leaving a trace. In response, security firms have improved their detection capabilities. Nonetheless, cyber attackers remain one step ahead of the defenders, this time shifting their approach to fileless techniques in order to remain undetectable.

According to Google Trends data for the last 5 years, interest in fileless malware took a new direction in 2017. Indeed, it has become a new trend in the cybercrime landscape.

Figure 1: Fileless Malware trend over the last 5 years.

However, fileless malware attacks are not new, as many of the techniques have been around for a while. In-memory exploits, for instance, were prominent in the SQL Slammer worm of the early 2000s. Likewise, the recent Equifax breach is an example of a fileless attack that used a command injection vulnerability in Apache Struts.

This threat does not require the download and execution of malicious files, and it is not tied to any particular attack vector. Instead, it can take advantage of zero-day vulnerabilities in operating systems or inject malicious code into memory from an application downloaded from an illegitimate website. Then, this technique takes advantage of default Windows tools, particularly PowerShell and Windows Management Instrumentation (WMI), and uses them for (Read more...)
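As an added illustration from the defender's side (this is not code from the original post), the following Python script scans constructed process-creation records, shaped like Windows Event ID 4688 fields, for the command-line traits that PowerShell and WMI abuse tends to leave behind, and decodes any -EncodedCommand argument so an analyst sees the real command rather than a base64 blob. The sample records, field names and indicator list are assumptions made for the example.

```python
import base64
import re
# Command-line indicators (regex -> reason label) for the two tools the post names.
POWERSHELL_FLAGS = {
    r"-e(nc(odedcommand)?)?\b": "encoded command",
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-nop(rofile)?\b": "profile suppressed",
    r"\biex\b|invoke-expression|downloadstring": "in-memory download/eval cradle",
}
WMI_PATTERNS = {r"process\s+call\s+create": "WMI process creation"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample records shaped like Event ID 4688 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"id": 2, "parent": "winword.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                + base64.b64encode("Get-Process".encode("utf-16le")).decode()},
    {"id": 3, "parent": "cmd.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "calc.exe"'},
]

def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: leave it for an analyst

def analyze_event(event):
    """Reasons an event looks like PowerShell/WMI abuse; empty list means benign."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd, reasons = event["cmdline"], []
    if image in ("powershell.exe", "pwsh.exe"):
        if event["parent"].lower() in OFFICE_PARENTS:
            reasons.append(f"PowerShell spawned by {event['parent']}")
        reasons += [label for pat, label in POWERSHELL_FLAGS.items() if re.search(pat, cmd, re.I)]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:  # surface the real command, not the base64 blob
            reasons.append(f"decoded payload: {decoded}")
    elif image == "wmic.exe":
        reasons += [label for pat, label in WMI_PATTERNS.items() if re.search(pat, cmd, re.I)]
    return reasons

def scan(events):
    # Map event id -> reasons for every suspicious event; clean events are omitted.
    return {e["id"]: r for e in events if (r := analyze_event(e))}
```

Fed real 4688 or Sysmon process-creation records, the same function gives a triage list with the decoded command attached, which is what makes an encoded, hidden-window PowerShell launch reviewable.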

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/drzv5uW7NOg/