Your Worst Nightmare: Fileless Malware
By now, everyone pretty much knows what malware is and how it works: Victims receive an email telling them that if they just open the attached PDF, their entire life will morph into heaven on earth. Or they get an email telling them that they need to click on a link to avoid blowing up the universe, or some such catastrophe. In any event, the malware can be stymied by simply not opening the attachment, not clicking on the link, and so on. It’s pretty simple. Just educate the users not to open attachments from unfamiliar email senders, not to follow links from what merely appear to be legitimate e-commerce sites, and so on. Bad actors defeated. World safe again.
Unfortunately, the bad guys are hip to this, which is why a new type of cyberattack is taking hold: fileless malware. Unlike the malware described in the opening paragraph, fileless malware does not depend on the victim downloading any files, because it doesn’t need a file on disk at all. It operates in two ways:
- The malware’s code resides in RAM or in the system registry.
- The malware infects its host through scripts.
Conventional Delivery Methods and Unconventional Purposes
Even though files are not used to deliver the malicious code, phishing schemes can still be used to get the code into a system. For example, malicious code can be delivered inside a Word document which, when opened, launches the malware. Of further concern is that fileless malware often uses anti-forensics techniques to erase its tracks, making its activity far harder to detect and reconstruct.
The purpose of fileless malware is most often the same as that of conventional attacks: to steal credentials and personal information. However, because of its stealthy and persistent nature, there is some suspicion that fileless malware will be used to support espionage activities and to set the stage for future acts of sabotage.
Can Fileless Malware Be Stopped?
The problem is complex. To begin with, organizations have to realize that processes that run scripts, like Microsoft PowerShell, are just as capable of delivering malware as the applications that open files, like a PDF reader. Second, companies must make sure that their employees are educated about the dangers of opening ANY attachments that aren’t from known senders. Third, every patch issued by any vendor must be installed immediately. This includes, of course, the antivirus software on the system, as well as the operating system itself. Simple steps like these can prevent a lot of future pain.
Pick the Right Security Software
It’s essential to realize that the threat is getting more common and the attackers more creative. Whether it’s through email spam with attachments, PowerShell or the Windows Registry database, fileless malware may very well try to find a home in the system environment. The best defense against any type of malware attack is proper education combined with multi-layered security software. When evaluating different security solutions to counter the threat of fileless malware, there are several things to consider, including, but not limited to:
- What’s the vendor’s level of sophistication with regard to understanding the threat?
- Will the vendor put you in touch with current customers?
- Does the software have user reviews? These can reveal things like ease of implementation and quality of customer service.
- Does it emphasize endpoint protection?
- What’s the upgrade history? Once a year won’t hack it (no pun intended) in this environment.
- Does the vendor offer a cyberwarranty? Not many do, and this can tell a lot (mainly because it requires an insurance underwriter).
The threat vectors are ever-increasing, but due diligence in employee education and choosing the right security solution still offer the best chance of not becoming the next victim of the new bad kid on the block, fileless malware.