Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Fileless Malware Will Beat Your EDR

Posted by Oren Dvoskin on March 23, 2023
Find me on:

Fileless malware attacks are a malicious code execution technique that works completely within process memory. In a fileless attack, no files are dropped onto a hard drive. With no artifacts on the hard drive to detect, these attacks easily evade detection-based cybersecurity solutions like next generation anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR, XDR, MDR).  

Gartner ReportAlso known as in-memory or runtime attacks, fileless malware attacks have existed for over a decade. Initially they posed a limited threat as they were rare and could be removed upon system reboot. This changed in 2014 with Poweliks, a click-fraud Trojan that was the first fileless malware to demonstrate persistence functionality. Today, fileless techniques are part of every cybercrime group’s arsenal and present one of the most dangerous threats to every organization.  

Script-based malware is also considered a type of fileless malware as it does not drop any portable executable files (PE) on disk. It’s not 100 percent fileless however, since it does drop script-based interpreted files such as JavaScript, HTA, VBA, PowerShell, etc. It's executed using legitimate Windows processes which make it exceedingly difficult to detect.  

Example of a fileless attack kill chain
Execution chain of a fileless malware, source: Trellix 

 

Why Can’t EDRs Detect Fileless Malware? 

Detection-based security solutions like EDRs use several techniques to find and detect malicious activity.  

Static analysis is used to examine files and software without actually executing them. When it works, it enables faster analysis and earlier detection without risking activating malicious code and damaging systems. Static analysis techniques usually rely on examining files, code, or binaries to identify potential threats. Since fileless malware doesn't use traditional files, there is no static content to analyze, making it extremely difficult to detect the presence of malware. 

Dynamic analysis observes the behavior of software or files during execution, which generally makes it more effective at detecting fileless malware than static analysis. However, dynamic analysis still has challenges in detecting fileless malware. Dynamic analysis is resource intensive, so it's often executed within controlled environments such as sandboxes or virtual machines. This leads to sandbox-aware malware and misleading classification of threats as legitimate operations. Furthermore, dynamic analysis is designed to monitor behavior during execution. Fileless malware working directly in memory will still evade detection if an analysis tool does not specifically monitor memory-related activities, or if malware employs sophisticated techniques to hide its presence in memory. Attackers often leverage legitimate tools and processes. This makes it difficult for dynamic analysis to differentiate between legitimate and malicious activities carried out by these tools. 

The liberal application of allowlisting (previously known as whitelisting) solutions does help to limit execution of legitimate tools such as interpreters by groups of users. But at the cost of limiting an organization’s operational flexibility. Moreover, we see a clear pattern of attackers inventing new patterns to bypass allowlisting solutions on a weekly basis. So why does script execution detection often fall under the category of challenges in fileless malware detection? 

  • Should we scan .txt files, .sct files, .xml files? These can all potentially be malicious script files, so where do we stop? 
  • While we have a clear understanding of executable software and its standard loading behavior, each interpreted language has its own structure and behavior. Should we build a parser/interpreter for each type of interpreted file? Anyone can decide on a new interpreted language, so where do we stop? 
  • Should we block any suspicious string, even a comment in a report? 

This is why some security vendors limit static scanning to a specific type of interpreted file and dynamic detection to a specific set of software interpreters. Even then, they struggle to scan those files because of easily available obfuscation options. 

Fileless malware scanning

Types Of Fileless Techniques

Some popular techniques implemented by fileless—living-off-the-land malware include: 

Windows registry manipulation: Code is usually written and executed directly from the registry by a regular Windows process. This helps to achieve goals like persistence, bypassing allowlisting, and static analysis evasion. 

Memory code injection: Allows malware to exist solely within process memory while processes are running on the system. Malware distributes and re-injects itself into legitimate processes critical to normal Windows operational activity, so it can’t be allowlisted or even scanned. Security vendors need a proper justification to kill, block, or quarantine such a process, making this extremely attractive for hackers. Code injection techniques include remote thread injection, APC, atom bombing, process hollowing, local shellcode injection, reflective loading, and many others. 

Script-based: As mentioned, this is not a 100 percent fileless technique, but it creates similar issues for detection solutions and is a preferred method for maintaining stealth. 

Stealth in-memory attack 

Packers 

Packing is a legitimate way to compress an executable. Essentially, it’s in-memory self-modifying code that alters the memory state of a process. But this technique is used by many malware families for signature re-creation and, more importantly, dynamic detection evasion. Packing can also be used as a code injection method by rewriting an existing executable and recreating its code after decryption and remapping the new functionality.  

Packing is used by both file-based and fileless malware. Nevertheless, the detonation/unpacking process is a fileless process. Malware often hides its real API and functionality by encrypting the functions and execution of a position-independent code (shellcode/loader/decryptor). This code doesn’t use much of the declared API and usually performs reflective loading of the next stage’s malicious library. We call this technique fileless because it runs malicious code created purely in memory without writing to the disk. A lot of known malware heavily uses packing and local code injection techniques to evade static analysis, including Emotet, Revil, Qakbot, IceID, Vidar, and others.

Research conducted by WatchGuard (2021) showed the rate of fileless attacks grew by over 900 percent. Last year, fileless attack techniques like process injection and PowerShell exploitation were among the most commonly reported MITRE ATT&CK techniques.  

The rise of fileless malware attack chains is something security teams need to take extremely seriously. Here's why. 

Undetectable Threats Extend Dwell Times 

All types of fileless malware attacks share one thing in common: they are extremely hard to detect.  

As fileless attacks become more popular among cybercriminals, the time it takes security teams to detect compromise has soared. The average dwell time for threats increased by 36 percent between 2020 and 2021. The median dwell time for attacks that lead to ransomware deployment or data exfiltration is now around 34 days.  

Linux virus protection

Many fileless threats can linger even longer. Morphisec's incident response team has found fileless malware persisting in remote endpoints waiting for months for an opportunity for lateral movement before being detected. 

Fileless Malware Attacks Do More Damage 

According to a study by the Ponemon Institute, fileless attacks are ten times more likely to succeed than other attacks. Since they are more likely to succeed, they’re more potentially devastating since attackers have an opportunity to compromise greater parts of infected systems. 

The 2021 attack on the Irish Health Service Executive (HSE) is a perfect example. On March 18, 2021, the Conti ransomware group used a phishing email with a malicious Excel macro attached to penetrate an endpoint in the HSE network. Then, using a compromised version of the pen-testing tool Cobalt Strike, Conti operatives moved laterally through the HSE's network before deploying ransomware on May 14—eight weeks later.  

This resulted in Conti exfiltrating 700GB of unencrypted data, including protected health information (PHI), and led to ransomware infecting tens of thousands of endpoints and servers. Conti shut down an entire health service IT network serving over five million people for a week, creating massive disruption. The HSE only resolved the issue after Conti released a decryption key.  

Linux ransomware encryption key

The ransomware group used a similar attack method to shut down the entire Costa Rican government and hold it to ransom.  

Fileless backdoors like Cobalt Strike are increasingly accessible. And cybercriminals are using these kinds of nation-state crippling tactics in attacks against many other targets, including SMBs.  

How to Reduce Fileless Malware Attack Risk 

Fileless malware attacks are mostly undetectable. They’re carefully designed to bypass detection-and-response cybersecurity tools like NGAV, EPP, and EDR/XDR/MDR.

Get a Demo of MorphisecAs fileless malware attacks continue to increase, organizations relying on detection-based tools are much more exposed than they may have thought. For organizations to reduce this risk requires making their network environments inhospitable to fileless threats. 

For instance, it's important to segment networks and implement strict access controls to create barriers to the permissionless data flows within networks that fileless threats exploit. I.e., implement a zero-trust strategy. It also means deploying preventive technology like Automated Moving Target Defense (AMTD) that shuts down the attack pathways threats use at the application level.  

AMTD is an innovative technology that stops threats without needing to detect them. It randomly morphs the runtime memory environment to create an unpredictable attack surface, and leaves decoy traps where targets were. Trusted applications are updated with the changed memory environment, while any code that tries to execute against a decoy triggers that process to be terminated and trapped for forensic analysis. Because of its deterministic, preventive approach, AMTD is one of the only technologies that reliably stops fileless attacks and other advanced threats like supply chain attacks and that prevent ransomware

Gartner is calling AMTD “the future of cyber” and says “Automated moving target defense is an emerging game-changing technology for improving cyber defense. By adding it to their portfolio, product leaders can differentiate their solution offerings and significantly enhance the effectiveness and value of other existing security solutions.” 

To learn more about how Moving Target Defense defeats fileless malware attacks, read the free white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy. 

Zero Trust and Moving Target Defense White Paper