Why Is Fileless Malware So Dangerous?

One of the fastest-growing types of malware doesn’t contain any malware as we know it at all. The fileless attack is designed to get around traditional antivirus and anti-malware applications because it doesn’t contain the files those programs are typically looking for.

Instead, it’s a type of malware that sends dangerous code to a legitimate system process, thus leaving no typical trace like ransomware, spyware, and viruses do.

During the first half of 2019, fileless attacks skyrocketed by 265%, and the popularity of these types of attacks is already predicted to continue growing in 2021.

Fileless attacks are particularly difficult to defend against because there is no malware file to detect. Additionally, their footprints are often in memory, which can be cleared as soon as a process is ended. 

However, these types of attacks can be stopped with the right network security safeguards in place.

How Does Fileless Malware Work?

It’s important for Sudbury area businesses to understand the threat that fileless attacks pose, so they can ensure their cybersecurity strategy addresses them.

There are a few different styles of attacks that are under the umbrella of the term “fileless malware.” While they may differ slightly in execution, they are all designed to allow a hacker into a system to steal information, gain system access, and perpetrate other types of insider attacks.

62% of fileless malware is designed to compromise customer data.

Here are the three main types of fileless attacks.

Executable-less Attacks

This is the most common form of fileless malware. It involves a document containing a script that is written to disk and then executed. These scripts issue dangerous commands to a built-in system tool, such as Windows PowerShell or Microsoft Windows Management Instrumentation (WMI).

These scripts can get in through several methods without employees even realizing it, including through a browser when visiting a malicious website, or hidden inside a common document, such as an MS Word file that arrives via email.

A PowerShell command can be used to locate files and other information on a device and send it back to the hacker, among other things.

Dual-use Attacks

This type of fileless attack exploits legitimate files that are either common to the organization itself, such as an employee directory spreadsheet, or that are widely used administrative documents and tools. 

People are much more likely to feel safe opening files they see every day in their work, so hackers use these to hide script commands for a fileless attack. These attacks can be written to disk or used in memory.

Code Injection Attacks

This involves a hacker injecting code into a system. The code is usually loaded dynamically into the memory of a running process, which makes it hard to detect because that memory can be cleared once the application is closed.

For example, when you’re working in an application like MS Word, you have the ability to undo your last several actions. This is possible because of process memory that the application uses while open.

When you close the app, the memory is cleared, and when you reopen that document, you no longer are able to undo the last taken action.

Steps for Defending Against Fileless Attacks

Application Whitelisting

Application whitelisting involves using an advanced threat protection (ATP) application that allows you to designate which programs can execute commands in a system.

This helps keep out certain types of fileless attacks by blocking any non-approved application from running scripts.

Application Ringfencing

Ringfencing is often done in conjunction with application whitelisting. It’s when you restrict how programs like Windows PowerShell can interact with other system programs.

By restricting the commands that can be executed by legitimate programs and implementing read-only policies for script commands, you can block malicious fileless malware from running.
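One way to turn the ringfencing idea above, together with the document-launched PowerShell scenario from the executable-less section, into a concrete check. This is an added example in Python, not code from this article or from Haxxess: it evaluates constructed process-creation events against an allow-list of parents permitted to launch script hosts and flags command-line traits that hide what a script does. The process names, policy sets, field names and sample events are all assumptions.

```python
import re

# Document handlers that should never launch a script host (assumed set)
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts the ringfencing policy constrains (assumed set)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "wmic.exe"}
# Parents allowed to launch a script host (hypothetical policy for this example)
APPROVED_PARENTS = {"explorer.exe", "services.exe"}

# Command-line traits that hide what a script does; the labels are ours
SUSPICIOUS_ARGS = [
    (re.compile(r"-e(nc|ncodedcommand)?\s", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile", re.I), "profile bypass"),
    (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), "execution-policy bypass"),
]

def evaluate(event):
    """Return the policy findings for one process-creation event (empty list = allowed)."""
    parent, child = event["parent"].lower(), event["image"].lower()
    findings = []
    if child in SCRIPT_HOSTS:
        if parent in DOCUMENT_APPS:
            findings.append(f"document app {parent} spawned script host {child}")
        elif parent not in APPROVED_PARENTS:
            findings.append(f"unapproved parent {parent} launched {child}")
        for pattern, label in SUSPICIOUS_ARGS:
            if pattern.search(event["cmdline"]):
                findings.append(label)
    return findings

def triage(events):
    """Map event index -> findings, keeping only events that violate the policy."""
    return {i: f for i, e in enumerate(events) if (f := evaluate(e))}

# Constructed telemetry: an admin backup job, a document-launched hidden PowerShell,
# and a benign print helper started by Word
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"parent": "winword.exe", "image": "splwow64.exe", "cmdline": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for i, f in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", f)
```

In a real deployment the events would come from Sysmon or EDR process-creation telemetry, and the approved-parent set would mirror whatever the whitelisting product already allows.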

Scan Portable Executable (PE) Files & Scripts

Without getting too far into the technical weeds, Portable Executable (PE) is the file format Windows uses for executable code within the OS. PE files are laid out in a defined structure, so they contain all the components the system needs to recognize a command and execute it.

Hackers can write malicious PE files to execute insider attacks on systems. This is a delivery method for fileless malware.

By using a system that scans these types of files, which aren’t usually picked up by standard anti-malware programs, you can detect malicious PE files and block them from running within your system.

Keep All Computer Operating Systems & Software Updated

A standard best practice of cybersecurity is to keep all computers updated in a timely manner. This includes updating:

  • Operating systems
  • Software applications
  • Firmware

This helps prevent fileless attacks from taking advantage of vulnerabilities in code that the developer has already patched. A significant number of data breaches happen simply because a computer update that held a fix for a critical code weakness wasn’t applied.

Protect Your Network from Fileless Attacks with Help from Haxxess

We can help your Northern Ontario business reduce your risk and protect your systems from the growing threat of fileless malware attacks.

Contact us today to schedule a free consultation! Call 705-222-8324 or reach out online.
