Also known as memory-only malware, non-malware, and zero footprint attacks, fileless attacks have risen significantly over the past five years, comprising over 91% of current ransomware samples, and being utilized in over 50% of successful data breaches. It is, however, important to note that fileless attacks didn’t just show up in 2018 but have slowly evolved over the past few decades.
For the next 20 years, fileless attacks were increasingly used throughout Microsoft environments. In 2003, SQL Slammer compromised Microsoft SQL Server instances, infecting 75,000 within ten minutes. From 2011 to 2016, the Lurk banking trojan quietly exploited a Java vulnerability to steal millions. And Stuxnet, perhaps the best known or all fileless attacks, leveraged multiple techniques simultaneously, allowing it to evade detection for years.
In 2014, fileless techniques began to rely more on commands, scripting, and existing programs. One of the earliest examples is the Poweliks trojan which installed itself in a Windows registry key as the value containing the malicious script. With the script embedded in the registry, the Poweliks was then able to obtain persistence through a legitimate program used by the Windows operating system.
In 2015, the malware platform Duqu 2.0 was used as a toolbox for cyber-espionage, with fileless features that streamlined lateral movement, data exfiltration and recognition of the host and its immediate environment. The antivirus company Kaspersky Labs was one of Duqu’s more prominent victims and took several months to notice that their systems had been infected.
By 2016, fileless malware had evolved into the current, multi-stage approach. Specifically, attackers realized the benefit of using macros to execute other system programs, such as PowerShell, in the background. This fooled defenders into thinking a trusted program was executing as intended but, in reality, malicious code was being downloaded and executed within PowerShell memory. PowerSniff, for example, hid within seemly innocuous Word documents.) This blending of file-based and fileless attack components was a portent of things to come.
What Fileless Attacks Look Like
Fileless attacks often leverage existing, benign programs for malicious activity. Often referred to as living off the land (LOL), this technique makes it extremely difficult for defenders to tell the difference between normal and malicious behavior. One of most widely utilized fileless attack tools is PowerShell which is generally used by system administrators to perform routine tasks, but can also be used by attackers for evasion and persistence.
Other popular tools used to establish remote command and control are PowerSploit, Cobalt Strike, and Sliver. With these, attackers take remote control of the victim’s machine in an attempt to establish persistence on reboot. This is often based on a known vulnerability, aimed at gaining privileged access to the victim’s operating system.
A typical fileless attack scenario consists of three stages. First, attackers gain initial access. This is usually achieved through phishing and spear phishing campaigns, but can also leverage remote code execution vulnerabilities within server software that are prone to buffer overflows. The second step is to gain persistent access, even in the event of a reboot. During this stage, registry keys and scheduled tasks are used to execute attack code on startup.
The most convenient aspect for the attacker is that the actual malware is not stored on the victim’s machine. This means that there is no file for security solutions to scan. Also, that attackers can update their malware in real time on their own server infrastructure. Even without a file, however, the payload URL is still a tell for defenders, so most attackers will continuously change their URL to prevent detection. The final step depends on the initial aims of the attacker: exfiltrating/encrypting data or establishing a command and control presence.
Another growing trend is the hijacking, injection, or replacement of a legitimate program. In addition to PowerShell and bash interpreters, LOL applications frequently found on Windows include the utilities certutil.exe, mavinject.exe, cmdl.exe, msixec and WMI (Windows Management Interface). These legitimate programs increase the efficiency of the attack tenfold as some of them include native functions such as downloading files or connecting to a remote machine. This makes it very difficult to detect whether their use is legitimate or malicious. In some cases, these utilities are even found on security solution whitelists, making them all the more commonly used to run malicious third-party LOL-scripts.
Fileless Attack Trend Prediction
Over the next five to ten years, fileless malware will increase significantly in both nation state-sponsored and criminal cyberattacks. In 2022 alone, fileless attacks increased by 1400% and, due to their evasive characteristics, will continue to feature more and more prominently for years to come.
Further, the use of fileless techniques will dramatically increase the number of breached credentials and direct access being sold online, with Access-as-a-Service schemes becoming more popular and profitable. The number of “zero day” exploits will also continue to grow while defenders scramble to keep pace. As obfuscation and encryption techniques allow the creation of unlimited exploit variants, it is imperative that security solutions widen their focus from attacker tactics, techniques and procedures (TTPs) to include individual malware signatures.
How Arms Cyber can help:
Fileless attacks are dangerous because they give cyber criminals everything they need to evade traditional defenses. It doesn’t matter how good an NGAV or EDR tool is if it can be completely circumvented or disabled. To combat this, Arms Cyber has built a cutting-edge Endpoint Protection Platform (EPP) solution, shifting from a reactive to a proactive approach for reliably detecting and stopping fileless attacks. We leverage a combination of runtime Moving Target Defenses (MTD), deception, command and behavior analysis, and anti-detonation defenses to recognize and mitigate fileless exploits based on their core requirements, earlier and with fewer false positives than monitoring solutions. By preventing the fileless disablement of current cyber solutions, and the in-memory manipulation and execution of modern malware, organizations can rest easy knowing that all of their cyber investments are operating effectively without the risk of attacker evasion.
