Fileless malware attacks, or incidents where the malicious payload doesn’t touch the disk, but is executed directly in memory instead, are on the rise, Microsoft says.
Attacks that leverage fileless techniques are not new, but were recently adopted by a broader range of malware. A couple of years ago, the Kovter Trojan was well known for the use of this infection method, but various threat actors, ransomware, and even crypto-mining malware adopted it since.
Last November, a Barkly report suggested that fileless assaults were ten times more likely to succeed compared to other infection methods.
Now, Microsoft says that the move to fileless techniques was only the next logical step in the evolution of malware, especially with antivirus solutions becoming increasingly efficient at detecting malicious executables.
“Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis,” Andrea Lelli of the Windows Defender Research team at Microsoft notes in a blog post.
“Removing the need for files is the next progression of attacker techniques,” Lelli says.
The result of this is an increase in attacks that use malware with fileless techniques, where the executable is never dropped on the disk. The approach not only removes the need of relying on physical files, but also improves stealth and persistence.
For attackers, this also means the discovery of new techniques for executing the code, which some solved by infecting legitimate components and achieving execution in these components’ environment. Referred to as “living off the land”, the technique usually abuses tools that are already available on the platform, such as mshta.exe.
As Lelli points out, however, there is no generally accepted definition of a fileless attack, and even malware families that do rely on files to operate are included. Thus, some parts of the attack might be fileless, while others would still rely on the filesystem.
Overall, Microsoft groups fileless threats into different categories, based on entry point (execution/injection, exploit, hardware), the form of entry point (file, script, etc.), and the host of the infection (Flash, Java, documents), which results in three big types of fileless threats.
The malware can be completely fileless (performing no file activity), writes no files to disk but still uses some files indirectly, or requires the use of files to achieve fileless persistence.
While file-based inspection is ineffective against fileless malware, behavioural analytics and other technologies should be efficient in detecting such attacks.
Microsoft themselves integrated their Windows Defender Advanced Threat Protection (ATP) with capabilities such as behaviour monitoring, memory scanning, and boot sector protection, to detect and terminate threat activity at runtime.
Furthermore, Windows Defender ATP integrates with Antimalware Scan Interface (AMSI), “an open framework that applications can use to request antivirus scans of any data,” to defend against fileless malware and other threats, Microsoft says.
When it comes to fighting fileless attacks that live off the land, behaviour monitoring is particularly useful, Lelli says. In fact, Microsoft has been long touting Windows 10’s ability to detect in-memory attack methods that abuse legitimate processes.
Memory scanning is also useful when it comes to detecting the presence of malicious code in the memory of a running process. Even malware that runs without the use of a physical file (such as the GandCrab ransomware) needs to reside in memory to operate, and memory scanning can detect it there, Lelli points out.
Another defense that’s effective against fileless attacks is boot sector protection. In Windows 10, controlled folder access prevents write operations to the boot sector, thus helping Windows Defender ATP stop attack vectors used by Petya, BadRabbit, and bootkits.
“As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too,” Microsoft concludes.
Related: Watch Out for Fileless Ransomware