Combatting “Fileless” Malware

By Ed Moyle

The Nexus  |  Monday, 13 August 2018

If you are a security practitioner, you do not need me to tell you how bad malware is. We all have war stories of critical system outages, angry users and other disruptions to the well-oiled machinery of our enterprise’s technology that occurred because of a particularly nefarious malware incident.

While malware has been a challenge since time immemorial, recent evolutionary changes have occurred that make today’s malware samples a little different from those of the past. Specifically, malware is becoming increasingly “fileless.” Carbon Black noted in its 2017 Threat Report that fileless malware comprised 52% of the attacks observed over the course of the year.1 Likewise, malware is increasingly employing cryptocurrency mining as a monetization strategy. Recent research from McAfee found that coin mining malware increased by 629% in the first quarter of 2018.2 These are obviously very sizeable shifts.

It is important for practitioners to be aware of these trends because that awareness can help inform the defense methods they employ, how they allocate budget and the indicators to look for in finding malware potentially already present in the environment. With that in mind, it is important to explore why fileless malware is on the rise, how and why this is relevant to the shift to cryptocurrency mining malware, and how practitioners might choose to adapt their security programs in response.

What Is Fileless Malware?

Before getting into the nitty-gritty of specific defense strategies or tweaks to security programs, it is important to first level-set what fileless malware is and why malware authors are increasingly employing this technique. For those not familiar with fileless malware, the in-a-nutshell version is that it refers to malware designed to interact with the filesystem as minimally as possible. Fileless malware might, for example, stay entirely memory-resident rather than writing artifacts to the filesystem, leveraging OS-resident tools such as Windows Management Instrumentation3 (WMI—the performance and telemetry-gathering subsystem of Windows) or PowerShell to propagate, execute its payload, or otherwise perform the tasks it is designed to perform.

So, really, fileless malware is just malware that avoids using the filesystem to the greatest extent possible while still achieving its desired ends.

You might legitimately question why malware authors would choose to employ this approach. After all, do they not give up quite a bit of control over the machine if they cannot—or choose not to—write to or modify files? That is true, but the reason why the approach is, nevertheless, compelling from a malware author’s point of view is that avoiding the filesystem helps the malware remain undetected. Since many anti-malware tools operate primarily by searching the filesystem for evidence of a malware infection, malware that can avoid writing to the filesystem provides a correspondingly smaller footprint for anti-malware tools to find and remove it. And this approach works: The Ponemon Institute found that 77% of successful attacks employed fileless methods or exploits to gain access.4 This means that not only can fileless malware be less easily detected, it is also potentially more effective.

It is useful to note that cryptocurrency mining malware can be seen as going hand in hand with fileless malware to a certain degree. To see this in action, consider coin mining malware compared to ransomware (as an example) for economically motivated attackers (i.e., criminals trying to make money through nefarious means). Since their ultimate goal is to convert your resources (i.e., data, central processing unit [CPU] time) into money in their pocket, one strategy to accomplish this is to hold your data hostage and require that you pay them to re-establish access to it. By launching their campaign in this way, they have fairly limited time between when they launch their campaign and when they are likely to be discovered (a ransom message asking for payment is a relatively unambiguous warning sign of compromise). Coin mining malware has the same goal (i.e., converting CPU time on your machines to money in their pocket), but it provides more value to the attacker the longer it can operate in a victim’s environment. That is, the longer it can go without detection, the more profitable it becomes. Since the fileless malware technique has the potential to operate longer without detection, it makes a productive vector for delivery of coin miners.

Program Adaptation

Knowing what fileless malware is and why attackers are motivated to write it is a useful starting point, but it is also useful for practitioners to think through how they might tailor their security programs to account for this shift. There are a few things that organizations can and should think through as fileless malware increases in prevalence.

The first item to consider is how much they can and should seek to lock down the mechanisms that fileless malware typically use to propagate. And, in fact, much of it employs exactly the 2 vehicles highlighted earlier in this article: WMI and PowerShell. This is important to mention because each of these channels provides options to restrict how it can be used. For example, PowerShell can be restricted and monitored more closely via Group Policy by ensuring LogPipelineExecutionDetails is enabled (to log when new scripts are run) and by enabling script block logging5 (available as of PowerShell 5) to create detailed logs of PowerShell script execution in the event log. In combination with a method of reviewing and monitoring those logs, users can gain additional visibility into the substrate upon which fileless malware often seeks to operate. Of course, prior to doing this, organizations should make sure that they are prepared to actually review that information in some way and, if they employ tools to accomplish this, the tools they employ are appropriately prepared for the additional volume of log information that might arise in shops that make heavy use of automated PowerShell processing.

In addition to that, another strategy is to enable protection features in anti-malware software that extend beyond signature-based detection for file system objects. Many anti-malware vendors offer “heuristic” or “behavioral” detection capabilities that may require additional action from administrators to enable. To find and remediate fileless malware, practitioners might investigate which of these features are offered by the malware detection product set they employ. If those features exist, they should enable them and require specific action. If they are not available, they should have a frank discussion with the vendor about future support for the features.

Either way, awareness of the fact that the issue exists and that fileless methods are increasing in popularity is a useful starting point. With awareness comes incorporation of a defensive mindset about fileless malware, specifically, planning efforts and control deployments.

Ed Moyle

Is general manager and chief content officer, Prelude Institute and a founding partner of the analyst firm Security Curve. Prior to that, Moyle was director of thought leadership and research at ISACA. In his nearly 20 years in information security, he has held numerous positions including senior strategist with Savvis, senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers. Moyle is coauthor of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as an author, public speaker and analyst.

Endnotes

1 Carbon Black, Carbon Black 2017 Threat Report, USA, 2017
2 McAfee Labs, McAfee Labs Threats Report June 2018, USA, 2018
3 Microsoft, Windows Management Instrumentation, USA, 2018
4 Ponemon Institute, The 2017 State of Endpoint Security Risk Report, USA, 2017
5 Microsoft, Script Tracing and Logging, USA, 2017