The relentless surge of fileless malware, among other prevalent attack methods, has been noticeable for a few years. Fileless malware executes the attack without installing malware on the victim’s system/network to obfuscate various detection methods. 

Unlike file-based malware attacks, many antivirus engines are still struggling to detect most of such attacks through signature-based detection methods. 

In fileless attacks, threat actors ensure to do their job without leaving any digital footprint on the victim’s system. In easy words, a fileless attack refrains from storing files on the victim’s system or network. A fileless attack abuses legitimate system tools, such as PowerShell, .NET framework, WMI (Windows Management Instrumentation) processes, etc., on Windows machines/networks to retrieve system and other critical information. If the victim is a macOS user, the adversaries manipulate osascript, among other system-installed applications. Exploiting MS Office macros is another common trend. 

Why is Fileless malware lethal? 

Fileless malware, aka zero-footprint malware or non-malware attacks, are often used as part of a high-profile cyber attack. Modern attackers prefer fileless malware instead of file-based counterpart for three primary reasons-  

Surreptitious nature

Like other sophisticated cyber kill chains, a fileless threat attack involves critical stages like persistence, obfuscation, execution, and information stealing. 

However, the exceptional strength of a fileless attack is how it utilizes the existing system tools to accomplish the job instead of downloading malicious tools from external sources. 

Trust factor

A Fileless attack exploits system-integrated tools such as scheduled tasks, PowerShell, MBR, Registry, WMI Repo, etc. Legacy antivirus systems often keep these system tasks on the exception list. Sometimes fileless attacks also abuse hardware resources such as MotherBoard Firmware, Network card, etc., or popular file formats to achieve fileless persistence such as EXE, Java, document files, etc. Such system software, hardware, and file formats serve a significant purpose in running the system and could hinder the system’s performance if blocked. 

Read More: C2-As-A-Service (C2aaS) And Its Evil Impact On The Global Threat Landscape

LOLBins

Manipulating system tools for malicious purposes is called the living-off-the-land or LOL technique. The malicious actors have been using the LOL technique for over two decades, mainly for executing fileless attacks. This technique helps the adversaries fly under the radar without writing files onto the system disk. The legitimate set of tools is called LOLBins.  

Infamous LOLBins

Every operating system has its fair share of LOLBin programs available. For example, the most popular LOLBin on Windows operating systems are PowerShell, WMI, Windows Registry, PSExec, Mshta (Microsoft Scripting Host), MSBuild, etc.

Significant cyber-attacks exploiting LOLBins- A Timeline

Fileless malware often leverages LOLBins files for executing malicious jobs such as evasion, malware payload delivery, privilege escalations, lateral movement, and surveillance.  

  • For example, sometime back, K7 Labs spotted a macOS malware designed to deliver a trojanised application disguised as a legitimate cryptominer. Developed by North-Korea based notorious APT group, Lazarus, the malware would execute a remote payload directly onto the system memory. 
  • In a similar attack, the perpetrators manipulated macOS’s AppleScript, an OS-specific scripting language. In such attacks, the threat actor uses a shell script to deliver a hidden launch agent that executes another shell script written in AppleScript.
  • The malicious binary files are loaded directly onto the memory to ensure that they get purged and leave no footprint once the system is restarted. 
  • Like AppleScript, the adversaries also prefer writing malicious payloads and executing in-memory via other scripting engines such as JavaScript, VBScript, or VBA or exploiting a LOLBin such as Microsoft PowerShell.
  • Many APT groups, including Lazarus, disseminate malicious Microsoft Office files loaded with macros which would execute malicious codes on the system memory using LOLBins on Windows or macOS running systems. 
  • In 2017, the infamous Equifax breach was executed via a fileless attack using a command injection vulnerability (CVE-2017-5638) in Apache Struts. 
  • Poshspy backdoor malware manipulated Windows WMI processes to retrieve persistence in the same year and used PowerShell to deliver the payload on system RAM. The LOLBin file also helped the perpetrators create backdoors on the network.
  • Another notorious fileless trojan Astaroth abused WMI commands to download and install malware without raising any alert. 
  • Notorious cyberattacks such as Emotet, Trickbot, and Ryuk ransomware, APT attack Operation Cobalt Kitty, Rammit Banking Trojan, Fallout Exploit Kit, and many others abused PowerShell, a task automation and configuration management framework of Microsoft Windows. 
  • Another banking trojan, Ursnif aka Gozi, exploits the .NET framework and malicious Microsoft VBA macros to leverage malware.  
  • Notorious ransomware Sodinokibi aka REvil and Gandcrab, manipulated reflective DLL loading technique to load dynamic libraries without using Windows API. 
  • Gandcrab also manipulates a multi-stage infection chain through VBA codes, WMI objects, and JavaScript. 

Read More: A Guide To Banking Trojans, Malware Loaders, And How To Get Rid Of Them

Challenges in detecting Fileless Malware and mitigation techniques

Detecting fileless malware is challenging for any enterprise since the attacker tends to abuse system and network services. Moreover, the concept of attacking without uploading malware payloads on the system disks also lets them evade signature-based detection technologies. Furthermore, the attackers also offer a helping hand to their fellow adversaries by sharing the malware topologies as a service to further the menace. 

Here is a set of guidelines you should embrace to stay safe from the onslaught of such attacks-

  • Enterprises should move beyond signature-based detection methods and observe the activities of all the system utilities. 
  • They should appoint cybersecurity authorities such as K7 Security to analyze all the oncoming threats and take necessary measures to minimize the damage. 
  • Large enterprises should also install honeypots on the network to observe the prevalent attacks and analyze the methodologies and intention of the threat actor to ensure that the rest of the system is prepared to withstand such attacks.
  • Implementing a machine-learning algorithm to detect possible threats could highly automate the process and decrease the frequency of false-positive appearances. 
  • To avoid such attacks, an enterprise should implement a multi-layered defense system such as K7 Endpoint Security or K7 Enterprise Security to mitigate all the risks as soon as they appear.

Visit K7computing.com to download a product demo, or connect with us at <1800 419 0077> for further details. 



Like what you're reading? Subscribe to our top stories.

2023 K7 Computing. All Rights Reserved.