Fileless malware has received a lot of attention lately, and with good reason. In the last year, fileless malware, also commonly referred to as a zero-footprint attack, has successfully infiltrated a number of financial and other institutions that are generally thought of as being very secure. These kinds of attacks are evolving—a recent report by McAfee found that fileless malware rose 267 percent in Q4 2017—and are now even being used by cybercriminals to mine cryptocurrency.
Any new malware variant will cause a stir if it’s successfully disrupting our lives, at least until vendors patch vulnerabilities and anti-malware tools can detect it. Once under control, the attention given to most malware quickly subsides. But if you cannot detect it to begin with, how can you stop it? For many organizations, there will be no quick resolution—we are in this one for the long haul.
So why is fileless malware so dangerous, and why will it continue to expand for the foreseeable future? In simple terms: It works. Like everyone else, cybercriminals will usually take the path of least resistance, and since this type of malware successfully defeats most security controls, it is rapidly becoming the attack methodology of choice. Its success is due to a number of factors.
No Signatures to Detect
Fileless malware resides and operates completely within RAM and does not generally place malicious executables on the file system. Most malware detection tools on the market still depend on and look for known malware signatures within objects and files. Since these products are ineffective against fileless malware, companies that deploy these tools need to adopt new technologies that are fundamentally different from their existing products, meaning organizations will need to dedicate a significant amount of time and resources on redesigning their solutions.
Static Analysis Doesn’t Work
Static document analysis has become an essential component of advanced malware detection because of its ability to find structural or other abnormalities in the file itself, not in how it is executed. While there are a number of malware detection tools on the market built to hunt for malware by detecting these abnormalities, they suffer from the same problem as signature-based technologies since, in this case, there is no file to detect and/or analyze.
RAM is an Ideal Location for Malware
Because fileless malware resides entirely in RAM, most security controls can’t even see it, let alone analyze it. So, it’s easy to see why it is attractive for malware authors. Executing malicious code in the memory of a system that doesn’t shut down or reboot for extended periods of time is an ideal situation.
It’s Profitable to Cybercriminals
It takes a great deal of time to develop new malware. To maximize their return on investment, cybercriminals will look for malicious technologies that can’t be easily defeated. Fileless malware is fundamentally different, and a lot of time will pass before most organizations can effectively respond to it. To put it more simply: The longer it takes to detect the malware, the more profitable it will become to cybercriminals.
Overall, fileless malware is stealthy and dangerous. It is not easy to detect, and therefore not easy to identify. Although there are solutions that have figured out how to effectively detect and mitigate it, the majority of organizations aren’t adding this type of protection to their security suite. Because this malware is so attractive to cybercriminals, these kinds of attacks will continue to rapidly expand for the foreseeable future, and all organizations should prepare.