Fileless Malware on the Rise
According to reports analyzing the state of the threat landscape, fileless malware incidents are up to some 265% in the first half of 2019 when compared to the same period in 2018. Fileless malware sometimes has been referred to as a zero-footprint attack or non-malware attack. However, fileless malware may be the best name for the attack method, as the attack is not dependent on end users downloading and running malware via compromised files. Rather, fileless malware executes malicious scripts by piggybacking on legitimate software packages. More often than not, the malware resides in the computer’s random access memory (RAM), not installed on the hard drive.
This summary of fileless malware does little to cover the intricacies of such an attack.
The Big Deal With Fileless Malware
As mentioned, fileless malware is not dependent on files being downloaded, installed and executed. It uses a far sneakier method of infecting a computer and executing, hiding within legitimate software packages, user tools and applications that already are installed on the computer. This effectively hides the malware on the computer, making it near impossible for legacy anti-virus packages from detecting its presence.
By being stored in RAM rather than the hard drive, the stealth aspect of the malware is further increased. The malware itself is executed only when the legitimate software or application is running, making detection even more difficult, as security software might incorrectly assume that nothing untoward is happening. In analyzing such threats researchers have discovered numerous ways attackers use to infect victims. Some are traditional, others not so traditional.
The following are a few ways been seen in the past exploited by attackers:
- Phishing emails that include malicious downloads and links. With this method, the majority of malware found is installed on the hard drive. In the case of fileless ransomware, code can be remotely executed from memory or when a script is executed.
- Legitimate applications. Compromised software packages installed such as Word and JavaScript can be hijacked by attackers to execute malware.
- Native application. Operating systems come with a host of preinstalled tools, such as PowerShell and Windows Management Instrumentation (WMI), which can be exploited by attackers to run malicious code while piggybacking with legitimate code.
- Lateral infection. By abusing PowerShell, certain fileless variants have been seen moving laterally across networks, infecting other computers on the same network.
- Malicious websites masquerading as legitimate websites. An attacker will create a website to look almost exactly like a legitimate business. When a user visits the website, in the background the website scans for vulnerabilities in plugins which would allow malicious code to be run in the browser’s memory.
Another trait of fileless malware that makes it more difficult to combat centers around the malware being stored in the computer’s RAM—it only runs when the computer is running and disappears when the machine is rebooted. This makes detection and analysis more difficult. In certain cases, the malware runs only when the application it is exploiting is running or remotely executed when the attacker wants it to be executed.
Fileless Malware Variants
Like with other types of malware, those behind them are constantly evolving the malware, meaning that those operating the malware move to make the malware more difficult to defend against. Researchers have seen three broad types of fileless attacks, though it is important to remember that attackers will use whatever tools at their disposal, so these three types are not set in stone.
The first broad type of fileless malware abuses the Window’s registry. Referred to as Window’s registry registration, the attack normally involves the use of a malicious file or link; however, rather than writing the malware to the hard drive the malware writes and executes code to the registry. In the wild, Kovter and Powelike malware exploited this tactic.
The second broad type is called memory code injection. This tactic involves hiding malicious code in the memory of legitimate applications. While applications critical to running Windows are operational, the malicious code distributes to other critical applications by reinjecting itself in them. The first step to a successful memory code injection is to exploit vulnerabilities in browsers or popular programs such as Flash.
The third type of fileless malware is a combination attack, meaning that it is not completely fileless. These attacks are sometimes referred to as script-based and are best described using real-world examples.
Fileless Attacks in the Wild
Script-based fileless attacks have been seen in the wild with the SamSam ransomware and Operation Cobalt Kitty. SamSam has been one of the most prolific ransomware variants since the emergence of the malware type. It is known for quickly adopting a targeted approach to distributing the malware. The activity of the ransomware has remained fairly consistent over its lifespan, and its developers continually improve it. The ransomware mainly targets U.S. organizations, with perhaps the most well-known attack involving the City of Atlanta falling victim to the ransomware. Costs associated with the infection was estimated at more than USD $10 million.
The ransomware is considered to be an example of a semi-fileless attack. Once infected, the ransomware payload is not executed but remains undetected on the infected machine. The payload is run-time dependent, meaning it can be analyzed only when the attack occurs, as it encrypting targeted files. Further, the payload can be initiated only once the attacker inputs a password. The same is true for the decryption process once the ransom has been paid. These tactics make it best-suited for the targeted approach adopted by those behind SamSam.
The second example of script-based a fileless attack can be seen with Operation Cobalt Kitty. The advanced persistent threat (APT) group that was behind Operation Cobalt Kitty targets businesses and other organizations to steal proprietary business information. In one attack the group maintained a presence on the targeted network for at least a year. The group gains a foothold into the network via a spear-phishing email designed to trick a user into clicking the malicious link. Operation Cobalt Kitty was a complex attack conducted by a knowledgeable and well-resourced group. The first phase of the attack involved the fileless execution of code within PowerShell using a range of custom payloads.
In Kovter and Powelike—the examples of a Windows registry attack—the malware maintained persistence while residing in the registry. Both malware types could install on the hard disk if it wanted to but would prefer to remain persistent via the registry or PowerShell if installed on the target machine. In both cases, the malware would further download other malware strains when the attacker wanted to do so.
Purple Fox
In September 2019, reports emerged from security firms that a previously known fileless malware, Purple Fox, incorporated a rootkit in a newer version. Previously Purple Fox infected at least 30,000 users and was used to distribute cryptominers by exploiting the Nullsoft Scriptable Install System (NSIS) tool.
Previous versions of Purple Fox were known to use a rootkit to assist in infection. The same is true for the latest version. A rootkit can be defined as a collection of tools and software, sometimes legitimate pieces of software used to gain access and control to a targeted computer. Often, rootkits contain tools to exploit vulnerabilities known in certain software packages to gain access and command. The rootkit used in both instances was Rig, which previously was used to deliver a multitude of payloads including downloader trojans, ransomware, cryptocurrency-mining malware and information stealers.
The latest version of Purple Fox differs from the previous version in one important respect: Instead of executing from the NSIS tool, it now executes from PowerShell. This development makes Purple Fox a completely fileless malware; the latest version of Purple Fox deploys a cryptominer.
Protecting Against Fileless Malware
Legacy security software is incapable of detecting fileless malware in any reliable way. This does not mean that such malware can’t be defended against. Behavioral anti-virus packages and security solutions can detect fileless attacks, as can real-time monitoring.
Given the level of stealth and persistence fileless malware attacks can grant the attacker, it is little wonder they have seen a spike in use over the first half of 2019. Since 2013, when such attacks were used widely, researchers have seen how attackers exploit legitimate tools to further their illegal aims. Luckily, changes in tactics mean researchers are now better able to defend against such attacks. These tactics have not been adopted by all yet, so users will remain vulnerable to such attacks.