Fileless Threats: what you need to know

Photo by rawpixel on Unsplash

Malware has traditionally been spread in the form of files that made their way on the target machine’s storage drives. As cybersecurity evolved to deal with tangible threats, cybercriminals across the globe have developed new techniques meant to evade detection from security solutions. Enter fileless threats: snippets of code that can use legitimate resources, which are already present on workstations, to disrupt the normal functioning of the system. They normally target Windows machines and reside in a system’s memory or, if persistence is a required feature, in its registries. Since the malware doesn’t make its way onto the disk, there are no signatures that antivirus or other antimalware software can compare against a known database.

Instead of executing from a location on the disk, fileless threats inject their code into the memory of a vulnerable program or make use of whitelisted applications to issue malicious commands. Fileless attacks are only possible because of PowerShell, which is a Windows service made up of a command-line shell, an interface that can be used to access every feature of the operating system and a programming language that’s capable of generating and running scripts. It is normally used by system administrators to view the resources of a system and to schedule commands to run in the background. It was designed to allow computer operators to easily manage the configuration of their systems and automate a large part of their work.

However, its potent capabilities are exactly what hackers need to take control of a machine. According to research carried out by the Ponemon Institute, 77% of all detected attacks that took place in 2017 were fileless. This type of threat is used to steal information or carry out further attacks, as it can deliver ransomware and spyware. It has become so popular because it is almost impossible to detect; PowerShell programs cannot be queried or searched as they run in the system’s memory. Another favorite of hackers is the Windows Management Instrumentation (or WMI) service, which is made up of a powerful set of tools that can be used to manage Windows systems, including registries, both locally and remotely.

Despite its name, a fileless infection cannot be carried out without a file. The difference between normal malware and memory-only malware lies in where the file is stored. While traditional malware somehow downloads the payload onto the victim’s logical drive, the fileless variant uses some resource on the mark’s computer to execute instructions hosted on another machine. Consider DNSMessenger, which Talos intelligence blogged about in March of 2017. The infection was carried out through an infected Word document that reached victims via e-mail. Victims were encouraged to enable macros when reading the document; once enabled, a macro would execute and run a PowerShell script that instructed WMI to contact specific Internet domains. These domains would host .txt files, which contained instructions for the infected machines and acted as command and control servers.

Bodiless malware dates back to the beginning of the twenty-first century; the first known instance of a fileless attack is the Code Red worm, which exploited a vulnerability in Microsoft IIS web servers to execute code that would result in defaced websites and further spreading of the worm. Two years later, in 2013, another memory-only threat that exploited a bug in Microsoft SQL servers emerged. SQL Slammer would send out a packet no larger than 376 bytes which prompted a server to aggressively scan the network for other vulnerable servers. While the effects of Code Red were negligible and only amounted to a few defaced websites, the aggressive scanning perpetrated by SQL Slammer managed to bring down web pages and slow down the entire Internet.

To understand how a browser can be vulnerable to bodiless malware, it is helpful to remember that HTML is a language that is only capable of formatting. Since web developers wanted to be able to do more with their web pages, several scripting languages came along. These allow programs to be executed in web browsers, even if said programs instruct the browser to open PowerShell and execute a series of commands. Each of these commands executes in memory, without needing to be stored on disk. Once the PowerShell script has finished running, the scripting language can terminate the process, making it seem as nothing had happened. Other common vectors are the Flash video player and macros in Microsoft Office tools.

Since bodiless malware resides in memory, and RAM only stores information if electricity is passing through it, most fileless threats can be neutralized by simply turning off your computer. This does not mean that the host cannot be infected again once it goes back online. Furthermore, some ingenious hackers have developed persistence mechanisms that allow for bodiless malware to be reloaded into memory once the system is rebooted, even if the host is disconnected from the Internet. This can be achieved by writing instructions for PowerShell into the Windows Registry, a database that sits on every Windows computer and contains information about the configuration of every program installed on the operating system. Any setting can be modified in the Registry, including whether programs automatically start at the beginning of a Windows session.

Criptocurrency mining malware is a type of threat that can highly benefit from both the stealthy aspect of bodiless malware and its freshly discovered persistence, since it needs to stay on a system for as long as possible, while also avoiding detection. Fileless-DASKUS is an example of such malware. It arrives in the form of a PowerShell script, which is used to create encrypted Registry entries. Since antimalware software does not normally monitor Windows Registry, it has little chance of catching on to this. Once the script finishes writing the encrypted text, it sets up a service that’s capable of decoding the entries and loading the code contained within into memory, where it will generate cryptocurrency for the attacker. If the victim turns his computer off, the process is simply repeated during the next Windows start-up process. Other persistent bodiless malware, such as Kovter, use encrypted artefacts and an JavaScript to obtain persistence.

While fileless threats are harder to detect and prevent than their traditional counterparts, companies and individuals can take steps to minimize their exposure:

  • Using the latest updates – bodiless malware is known to exploit weakness in whitelisted applications, often piggybacking on that application’s reputation to do carry out its malicious programming
  • Implementing PowerShell best practices – PowerShell can keep logs that monitor how it has been used. System administrators should be on the lookout for commands that threat actors use to mask their activity. The character ‘^’ is among those, along command arguments such as ‘-NonInteractive’, ‘-NonI’, ‘-WindowStyle Hidden’, ‘-ExecutionPolicy Bypass’, ‘-EncodedCommand’
  • Disable unnecessary components – since bodily malware uses weaknesses in third party software, such as browser addons, disabling unneeded applications reduces your attack surface
  • Never stop looking – use an intrusion detection system to catch fileless threats as they communicate with C&C servers. One that monitors incoming and outgoing network traffic, as well as unusual ways of using system resources will be especially helpful.
Cyberdeception. Powered by Hardware.