Fileless malware isn’t new, but it’s becoming an increasingly prevalent threat.

February 11, 2019

Fileless malware isn’t new, but it’s becoming an increasingly prevalent threat. In fact, it was reported that 77 percent of successful cyberattacks against enterprises used fileless techniques. They aren’t as visible as traditional malware, employ a variety of techniques to stay persistent, and can adversely affect the integrity of the organization’s business process and the infrastructures that run them. Here’s a closer look at how fileless threats work and what can be done to thwart them:

Document exploits

Fileless threats often arrive as malicious macro codes hidden in JavaScript or VisualBasic (VBA) scripts embedded within Office documents, PDFs, archives, or seemingly benign files. Once opened, these macros will run the scripts and often abuse legitimate tools like PowerShell to launch, download, and execute more code, scripts, or payloads. These scripts are typically encoded and obfuscated, making it challenging for monitoring software to detect obvious keywords that trigger their execution. They can either abuse PowerShell to retrieve and run an executable on the system’s local storage/disk or run the code directly in memory.

A typical infection chain of a fileless threat that uses document exploits

Users can reduce their exposure to these threats by practicing security hygiene and fostering a more cybersecurity-aware workplace.This includes being more cautious of unsolicited emails or files, especially those that prompt users to enable macros or scripts.

In-memory exploits

Fileless threats are called “fileless” because they load and execute themselves directly from memory. This makes antivirus detection more difficult than it is for malware and malicious executables that write to the system’s disks. Most use malicious code injection, often to a legitimate process to avoid detection. They also abuse legitimate system administration tools and application programming interfaces (APIs) such as PowerShell, PsExec, and Windows Management Instrumentation (WMI) to take over a legitimate process’ memory and privileges.

Reflective DLL injection is the most prevalent technique used by in-memory exploits.This involves malicious code loading a dynamic-link library (DLL) into a host process, thus eliminating the need for the DLL to be written to the disk. Fileless threats can also employ techniques like process hollowing to inject their code — or specifically, swap the original/legitimate process’ code with their own before resuming its execution.

There’s no bulletproof way to detect and prevent attacks that use in-memory exploits. Defense in depth — or a multilayered approach to security — is important. Keep the system and its applications updated; secure the use of system administration tools; and deploy additional layers of security such as behavior monitoring, sandboxing, firewalls, and intrusion detection and prevention systems.

More importantly, proactively monitor the endpoints and networks. Fileless threats may not be as visible as other malware, but they can also leave telltale signs that IT and security teams can watch out for, such as suspicious network traffic (for Command and Control communication and data exfiltration).

It starts with a script

Fileless threats rely on scripts whose shellcodes or binaries are obfuscated, compiled, or embedded so they don’t create files on the disk. This lets them interact or affect the system’s operating system or applications while making it difficult for traditional AV software to detect. They are versatile, they can be run from a file or directly on the command line via PowerShell, WScript, JavaScript, VBScript, mshta, etc. This flexibility makes them more evasive.

PowerShell is often the process of choice because of its flexibility and accessibility. It’s a built-in feature on many Windows operating systems, and its open-source iteration, PowerShell Core, makes it multiplatform. PowerShell can access APIs that execute important system and application functions as well as OS objects. As such, It can be abused to filelessly retrieve and deliver payloads or execute other malicious commands. There are also malicious scripts designed to exploit vulnerabilities or design flaws in applications like Microsoft Office.

An infection chain of a script-based attack that abuses PowerShell

Users and businesses can reduce their exposure to script-based attacks by adhering to the principle of least privilege. Restrict, harden, and secure the use of system administration tools. PowerShell itself has security mechanisms that can help further analyze anomalous behavior; it can also be configured to detect arguments/commands typically used by malware. Disable or delete outdated third-party plugins and components that may be used as entry points into the system.

Living off the land

Fileless threats “live off the land,” by abusing features as well as system administration tools and utilities built in into the system.  Profit and cyberespionage driven attacks also abuse command-line utilities like Microsoft Register Server (regsvr32) to load and execute malicious DLLs or install modified versions of penetration testing tools to further compromise the system.  Abusing these tools provide fileless threats with jump-off points in their attack chains rather than using compiled executables. They can misuse these tools to retrieve payloads, download or launch additional malware, steal and exfiltrate data, retain persistence, and move laterally.  These threats piggyback on legitimate tools making them difficult to detect. Some of the notably abused tools include command-line interfaces - PowerShell, Command Prompt, regsvr32, rundll32, WMIC, Bitsadmin, CertUtil, and msiexec, remote desktops, and third-party penetration testing tools like CobaltStrike and Mimikatz.

Fileless techniquesfor Maintaining persistence

Once malware gains a foothold, it tries to remain resident for as long as possible, even after a reboot. Fileless threats use a variety of techniques to establish persistence by creating load points where the payloads can be restarted. These techniques also abuse built-in Windows tools and utilities.  A common persistence mechanism is hidiing malicious code or files in the system registry, the operating system’s database storing configuration data and settings as well as file associations of applications. By placing malicious code in the registry keys,threats can be filelessly extracted, run, or executed when the system starts,or if certain files like shortcuts are clicked.

Another technique for maintaining persistence is abusing tools like Windows Task Scheduler, which enables programs and scripts to be launched at a predetermined time - scheduled tasks are created in order to trigger execution and they can be set to recur and create registry entries that automatically reinfect the system.

More recently, attackers are abusing Windows Management Instrumentation to maintain persistence. WMI is used for managing devices and systems connected to a network. In cybercriminal hands, it can be used for lateral movement, code execution, and persistence. Typically, fileless threats will use WMI’s repository to store malicious scripts that are then invoked using WMI’s own functions.

Proactively monitoring endpoints and networks helps reduce further exposure or reinfection. System administrators as well as IT and security teams can use Microsoft’s Autoruns tool to examine registry keys and spot malicious entries. WMI’s own functions — specifically WMI event queries — can be used to detect and prevent its abuse. PowerShell has similar capabilities to harden systems or detect malware-related routines.

Hal Hostetler
I am both a Certified Professional Broadcast Engineer, an IT Professional and now a published Author.

STOP your computer problems with our
Expert IT SUPPORT today!

Our Scalable Cost effective IT support means you can stop focusing on your IT issues and whats it's going to cost, and focus on growing your business instead.

Contact us

Need a quote.