More than 15 years since ‘Code Red’, fileless malware continues to present network defenders with a unique set of challenges

Security experts are once again warning against the rising threat of fileless malware.

Earlier this month, the Microsoft security team released details about an ongoing campaign that is distributing the Astaroth trojan – malware that can log keystrokes and steal sensitive information such as clipboard content and login information from various apps.

The campaign involved a widespread spear-phishing email containing a malicious LNK file.

When clicked, the malicious file uses the Windows Management Instrumentation Command-line (WMIC) to trigger a complicated chain of commands and stealthily download and deploy its malware payloads in the memory of the victim’s computer.

Like other fileless malware, Astaroth was able to evade endpoint security solutions. The security team of Windows Defender ATP (the paid version of Windows’ free antivirus tool) chanced upon the threat after observing a sudden spike in WMIC activity on client devices.

In February, security firm Cybereason discovered another Astaroth campaign that used “legitimate, built-in Windows OS processes to perform malicious activities and deliver a payload without being detected”.

In other news, Kaspersky Lab recently released details about Topinambour, a fileless malware dropper developed by Russian APT Turla, which installs a trojan malware on computers that belong to government entities.

The attackers distributed Topinambour through a .NET module embedded in popular censorship circumvention tools such as Softether VPN and psiphon3.

The dropper uses legitimate Windows shell commands to download the KopiLuwak JavaScript trojan modules from rented virtual private servers and run it in-memory.

According to Kaspersky, Turla also has a heavily obfuscated PowerShell trojan similar to KopiLuwak. The trojan can upload, download, and execute files on the infected computer.

“The more stealthy a targeted attack campaign is, the longer it goes unnoticed, the greater the potential impact of the attack,” David Emm, principal security researcher at Kaspersky Lab, told The Daily Swig.

“Fileless malware does not rely on writing files to disk and therefore the attacker leaves a much reduced footprint.

“This can pose a serious threat to organizations because fileless malware is designed to reduce the footprint of the attacker and makes them less noticeable and harder to detect compared to traditional malware.”

An evasive threat

Most antivirus tools detect malware by scanning files and looking for malware signatures.

Without storing any files on the infected computer’s hard disk, fileless malware can easily evade most endpoint security tools.

However, the weakness of memory-only malware is that they get wiped once the infected computer reboots.

To overcome this, fileless malware developers use scripting tools and batch files to create droppers that leverage “living-off-the-land” techniques, such as using legitimate operating tools to download and execute the malicious payload in-memory.

Fileless malware first became popular in 2001 with Code Red, a fileless computer worm that exploited a vulnerability in the widely used Microsoft IIS web server.

At the time, Kaspersky Lab declared: “We predict that in the very near future, such ‘fileless’ worms as Code Red will become one of the most widespread forms of malicious programs, and an anti-virus’ ineffectiveness in the face of such a threat simply invites danger.”

Since then, fileless malware has become a growing threat. Last year, SANS Institute reported that 32% of organizations had been targeted by fileless malware attacks, while McAfee Labs said PowerShell malware had increased by 432% year over year.

“Fileless malware will continue to feature in advanced attacks because it allows attackers to be more stealthy, providing them with the time necessary to identify valuable data and siphon it from the system,” Emm warned.

“While it’s unlikely to become the stock-in-trade of opportunistic cybercriminals, fileless malware will continue to feature in advanced attacks in the future.”