Story image

Exclusive: Fileless malware driving uptake of behavioural analytics

12 Nov 18

Article by LogRhythm Asia Pacific and Japan senior regional marketing director Joanne Wong

Over the past year, a new form of malware has emerged that is able to more successfully evade traditional detection and defence techniques.

As a result, it is seeing increased use by attackers in the wild, and if the amount of research being devoted to it right now is any indication, security practitioners are sufficiently worried.

Most organisations and users are across vectors that malware typically uses to spread - dodgy file attachments, infected USB drives and the like.

This malware works by storing its payload on disk as an executable file or script that is then unleashed.

Antivirus software is designed to detect the creation of these types of files and check them against signatures of known malware.

If malware is detected, the file is deleted or quarantined before it can execute and cause damage. 

However, a newer strain of malware is “fileless” - that is, it is designed to operate exclusively in computer memory.

To execute, it abuses existing software, applications and authorised protocols on a machine so it can carry out its designated malicious activity.

Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).

For example, a user could visit a compromised page, which then uses Flash to instruct PowerShell to connect to a stealth command and control server where it downloads a malicious script.

Fileless malware was first seen in the wild in April 2015.

An early example targeting local users was JS_POWMET, which hit businesses in the Asia Pacific region.

When JS_POWMET was uncovered in August last year, the researchers involved noted that the rarity of finding a completely end-to-end fileless attack.

Not only did it infect a machine without a trace, but it also left no evidence after the malicious payload had executed, making it very difficult to spot again in the future.

Traditional families of malware are also changing to execute on a fileless basis.

Microsoft researchers noted back in mid-2016 that Kovter, a type of click-fraud malware, had been updated to become “almost fileless”.

The change didn’t completely allow it to avoid detection. 

However, the trend to evolve file-based malware into fileless malware is further evidence of the increasing sophistication of cyber attacks that is making it significantly harder to stop threats from entering corporate networks and devices.

In addition to being triggered through web browsers, fileless malware is also known to exploit Microsoft Office applications and operating systems tools such as PowerShell (which is used to automate administration tasks on Windows), Visual Basic (VB) scripts and Windows Management Instrumentation (WMI).

McAfee uncovered a fileless malware campaign recently called Operation Gold Dragon that targeted the 2018 Winter Olympics, which was described as “an exemplary implementation of PowerShell malware in an attack”.

Fileless elements can also be found in other successful attacks.

Both the Petya and Wannacry ransomware outbreaks last year took advantage of “fileless techniques”, researchers have said.

Existing security strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern analysis or time stamping just won’t pick up fileless malware.

A potential weakness of fileless malware, however, is that as it works in-memory, it should only remain on the system until it is rebooted.

As a basic first step, regular system reboots are likely to deal with some fileless malware.

However, cybercriminals are now adding persistence to the malware code so that it resumes following a system restart.

Ultimately, the best approach is to use behavioural analytics, which monitor the activity of applications and services, including communications between processes, unauthorised requests to run applications, and changes to credentials or permission levels.

For example, while many of the processes involved in fileless malware entering a network via a web browser are normal in isolation, the fact they happen concurrently is less normal, meaning they can be flagged and shut down before damage is done.

CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Cisco dominates record-high Ethernet switch & router markets
While the market is flourishing, it’s tough-going as Cisco has increased its majority share of the pie.
Preparing for e-invoicing requirements
The New Zealand and Australian governments are working on a joint approach to create trans-Tasman standards to e-invoicing that’ll make it easier for businesses in both countries work with each other and across the globe
SAP provides partners with free access to their cloud platform
“Now that over 3,700 SAP partners have joined our cloud strategy, the free resources will help them accelerate application development."
Company-X celebrates ranking on Deloitte's Fast 500 Asia Pacific
Hamilton-based software firm Company-X has landed a spot on Deloitte Technology’s Fast 500 Asia Pacific 2018 ranking - for the second year in a row.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
WatchGuard appoints new channel distributors in A/NZ
The appointments will enable WatchGuard to expand its regional channel reseller footprint.