Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Fileless Malware Attacks on the Rise, Microsoft Says

Fileless malware attacks, or incidents where the malicious payload doesn’t touch the disk, but is executed directly in memory instead, are on the rise, Microsoft says.

Fileless malware attacks, or incidents where the malicious payload doesn’t touch the disk, but is executed directly in memory instead, are on the rise, Microsoft says.

Attacks that leverage fileless techniques are not new, but were recently adopted by a broader range of malware. A couple of years ago, the Kovter Trojan was well known for the use of this infection method, but various threat actors, ransomware, and even crypto-mining malware adopted it since.

Last November, a Barkly report suggested that fileless assaults were ten times more likely to succeed compared to other infection methods.

Now, Microsoft says that the move to fileless techniques was only the next logical step in the evolution of malware, especially with antivirus solutions becoming increasingly efficient at detecting malicious executables.

“Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis,” Andrea Lelli of the Windows Defender Research team at Microsoft notes in a blog post.

“Removing the need for files is the next progression of attacker techniques,” Lelli says.

The result of this is an increase in attacks that use malware with fileless techniques, where the executable is never dropped on the disk. The approach not only removes the need of relying on physical files, but also improves stealth and persistence.

For attackers, this also means the discovery of new techniques for executing the code, which some solved by infecting legitimate components and achieving execution in these components’ environment. Referred to as “living off the land”, the technique usually abuses tools that are already available on the platform, such as mshta.exe.

Advertisement. Scroll to continue reading.

As Lelli points out, however, there is no generally accepted definition of a fileless attack, and even malware families that do rely on files to operate are included. Thus, some parts of the attack might be fileless, while others would still rely on the filesystem.

Overall, Microsoft groups fileless threats into different categories, based on entry point (execution/injection, exploit, hardware), the form of entry point (file, script, etc.), and the host of the infection (Flash, Java, documents), which results in three big types of fileless threats.

The malware can be completely fileless (performing no file activity), writes no files to disk but still uses some files indirectly, or requires the use of files to achieve fileless persistence.

While file-based inspection is ineffective against fileless malware, behavioural analytics and other technologies should be efficient in detecting such attacks.

Microsoft themselves integrated their Windows Defender Advanced Threat Protection (ATP) with capabilities such as behaviour monitoring, memory scanning, and boot sector protection, to detect and terminate threat activity at runtime.

Furthermore, Windows Defender ATP integrates with Antimalware Scan Interface (AMSI), “an open framework that applications can use to request antivirus scans of any data,” to defend against fileless malware and other threats, Microsoft says.

When it comes to fighting fileless attacks that live off the land, behaviour monitoring is particularly useful, Lelli says. In fact, Microsoft has been long touting Windows 10’s ability to detect in-memory attack methods that abuse legitimate processes.

Memory scanning is also useful when it comes to detecting the presence of malicious code in the memory of a running process. Even malware that runs without the use of a physical file (such as the GandCrab ransomware) needs to reside in memory to operate, and memory scanning can detect it there, Lelli points out.

Another defense that’s effective against fileless attacks is boot sector protection. In Windows 10, controlled folder access prevents write operations to the boot sector, thus helping Windows Defender ATP stop attack vectors used by Petya, BadRabbit, and bootkits.

“As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too,” Microsoft concludes.

Related: Fileless Crypto-Mining Malware Discovered

Related: Watch Out for Fileless Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.