The fileless malware menace is growing

Hackers of various stripes are increasingly making use of fileless malware as a way of avoiding detection.

Fileless malware exists exclusively in computer memory. By avoiding writing anything to disk, malicious code attempts to skirt file-based whitelisting and signature detection.

Attacks of this type leave few, if any, artifacts for subsequent forensic examination.

The downside, from the point of view of hackers, is that malicious code would ordinarily get flushed from memory the next time an infected system is rebooted.

This limitation can be overcome by the planting registry entries so that further malicious scripts are downloaded and run when a compromised machine is restarted.

More than half (52%) of all attacks seen in 2017 were non-malware (fileless) attacks – leveraging native files like PowerShell or Windows Management Instrumentation (WMI) tools to launch an exploit, according to anti-malware firm Carbon Black. The trend began in 2016 before accelerating last year.

Kaspersky Lab last year warned that fileless malware had hit 140 enterprise networks worldwide. Telecoms firms and government agencies were among the targets.

What started off as a threat confined to advanced APT-style attacks has gone mainstream over recent months. A recent report by the SANS Institute found that a third (32 per cent) of organisations had seen fileless attacks involving methods such as privilege escalation, admin credential theft, PowerShell script attacks, and lateral movement.

McAfee Labs reports that PowerShell malware more than tripled (growing by 267%) in Q4, and by 432% year over year, as the approach increased in popularity among cybercriminals.

Attackers sought to use PowerShell within Microsoft Office files to execute the first stage of attacks, McAfee reports.

In December, Operation Gold Dragon, a filleless malware campaign targeting the 2018 Winter Olympics in South Korea, was uncovered.

Filetesss malware has been pushed downmarket to the point it has featured in recent cryptocurrency mining scams. One such threat, WannaMine, spreads (in part) using the EternalBlue exploit popularized by WannaCry.

The fileless malware abuses Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism.

WannaMine also uses credentials acquired through popular hacking tool Mimikatz in its attempt to spread laterally across other PCs on the same network as an already compromised machine.

An example of a malicious PowerShell script been used to spread fillers malware is included in a blog post by the SANS Institute’s Internet Storm Centre here.