Notoriously difficult to detect, fileless malware carries out its attacks using system tools and in-memory execution techniques. With fileless malware, adversaries do not need to create or install special tools to bypass defenses, conduct reconnaissance, deliver payloads, or execute malicious activities.
What is a fileless malware attack?
A fileless malware attack is a type of cyberattack in which malicious code is executed without downloading or storing files on a target system’s hard drive. Instead of relying on traditional malware files, such as executable files or malicious attachments, fileless malware leverages existing legitimate software, applications, or system processes to carry out its attack. This makes it harder to detect with traditional antivirus solutions, which prevent attacks mainly by scanning for malicious files.
The attacks are typically carried out in the following manner:
- The attacker exploits vulnerabilities in legitimate programs or uses scripting languages like PowerShell or Windows Management Instrumentation (WMI).
- The malware operates entirely in memory (RAM), leaving no trace on the hard drive.
- It often exploits the system’s built-in tools to perform malicious actions, such as lateral movement, data exfiltration, or creating backdoors for further attacks.
How can fileless malware attacks be prevented?
Since fileless malware doesn’t leave a file footprint, it poses a significant detection challenge for traditional signature-based security solutions. To combat this type of attack, advanced threat detection tools and endpoint detection and response (EDR) systems are usually required. Implementing a combination of proactive measures and security best practices can help defend against these sophisticated threats.
- Use Endpoint Detection and Response (EDR) tools: These tools can monitor system behavior for suspicious activity, such as abnormal use of legitimate system processes like PowerShell or WMI (Windows Management Instrumentation).
- Enable memory-based protection: Advanced security solutions that can analyze and detect malicious activity in the memory (RAM) help catch malware that doesn’t leave traditional file footprints.
- Limit PowerShell and WMI use: By restricting the use of tools like PowerShell and WMI to only authorized users or scripts, you reduce the chances of them being exploited by attackers.
- Application whitelisting: Only allow known, trusted applications to run, which helps prevent malicious scripts and applications from executing.
- Patch vulnerabilities: Fileless malware often exploits known vulnerabilities in operating systems and software, so keeping everything up to date is crucial to prevent exploitation.
- Update security software: Regularly updating your security solutions ensures they can identify and respond to the latest malware techniques.
- Limit administrative privileges: Attackers often use administrative accounts to execute fileless malware attacks. By limiting the number of users with admin access, you reduce the risk.
- Enforce least privilege: Ensure that users and applications only have access to the resources they need to function, minimizing potential entry points for attackers.
- Use Intrusion Detection Systems (IDS): Network-based intrusion detection systems can help detect unusual traffic patterns or attempts to exploit vulnerabilities.
- Network segmentation: Segment your network to isolate sensitive systems, which helps limit the spread of fileless malware in the event of an attack.
- Security awareness training: Educating employees about phishing attacks, social engineering tactics, and suspicious email attachments helps prevent malware infections initiated through these vectors.
- Enforce MFA: Multi-factor authentication adds an extra layer of security to accounts, making it more difficult for attackers to gain access using compromised credentials.
Common fileless malware attacks
The following list is a small sample of what’s in the wild. By understanding how they are used—and by whom—you can defend against them. Additional details about each can be found at the MITRE ATT&CK Framework.
1. PowerShell
PowerShell has been a mainstay of malware attacks for many years. Virtually every APT group uses it to download and execute payloads, install backdoors and other tools, move laterally, escalate privileges, and conduct reconnaissance.
2. BITSadmin
The Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, file-transfer mechanism commonly used for background tasks such as updates and message delivery. Because BITS tasks are self-contained and don’t require new files or registry modifications, firewalls usually permit them. Adversaries abuse BITS to download, execute, and clean up after running malicious code. BITS can be used to exfiltrate data, download backdoors and malicious payloads, download additional attack tools for lateral movement, and maintain persistence on a system.
The Leviathan cyber espionage group typically uses BITSadmin as it targets defense and government organizations, engineering firms, shipping and transportation, manufacturing, and research universities in the United States, Western Europe, and China. Tropic Trooper is another threat group that often uses BITSadmin in attacks on targets in Taiwan, the Philippines, and Hong Kong.
3. MSBuild.exe
Microsoft Build Engine (MSBuild.exe) is a developer utility that uses XML-formatted project files defining requirements for building various platforms and configurations. Because MSBuild.exe is a signed Microsoft binary, attackers use it to bypass application whitelisting defenses, embedding code in project XML files so that MSBuild executes arbitrary code on their behalf. Attacks built on the Empire open-source remote administration and post-exploitation framework and the PlugX remote access tool (RAT) commonly use MSBuild.exe.
Many different APT groups use this technique. Chinese threat groups such as APT3, MenuPass, Threat Group 3390, SoftCell, and others are well known, as is DragonOK—a threat group that has targeted Japanese organizations with phishing emails.
4. WMI
Windows Management Instrumentation (WMI) is a Windows feature that provides a uniform environment for local and remote access to Windows system components. For adversaries, it’s a convenient tool for bypassing user account control, dumping credentials, obfuscating data, disabling security tools, copying files remotely, tainting shared content, enabling lateral movement, and delivering payloads.
WMI has been used in many infamous ransomware attacks, such as Olympic Destroyer, RobbinHood, NotPetya, and WannaCry. Trojans, such as Astaroth and Emotet, use WMI to execute payloads and other files. Chinese threat groups known for abusing WMI include Soft Cell, Deep Panda, and APT41, while Russian (APT29), Iranian (OilRig), North Korean (Lazarus Group), and cybercrime groups (FIN6) also make extensive use of WMI.
5. Runonce
Runonce abuses Windows Registry keys created by default on Windows systems. The fileless attack technique adds entries to “run keys” in the Registry or startup folder, causing malicious programs to run in the context of the user and with that user’s permissions. Registry run key entries can reference programs directly or list them as a dependency. Adversaries use Runonce to establish persistence, execute malware, and “masquerade” Registry entries to look like they are associated with legitimate programs.
APT groups from China, Russia, Southeast Asia, Pakistan, Iran, and other countries have used Runonce tactics extensively via malware variants. Well-known variants include Carbanak, Cobalt Group, Emotet, Leviathan, Machete, TrickBot, XBash, and Zeus Panda.
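The EDR bullet in the prevention list above says such tools watch for abnormal use of legitimate processes, and the five techniques just listed are what that monitoring looks for in practice. The following Python script is an added example, not code from the original article or from Cymulate: it runs a handful of behavioural rules over constructed process-creation and registry events and maps each hit to its MITRE ATT&CK technique ID. The event fields, the sample events, the regular expressions, and the rule thresholds are assumptions made for this example; a production EDR correlates far more signals than these.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record (constructed for this example, not real data)."""
    kind: str            # "process" for process creation, "registry" for a value being set
    user: str
    image: str = ""      # executable name of the new process
    parent: str = ""     # executable name of the parent process
    cmdline: str = ""
    key: str = ""        # registry events only
    data: str = ""       # registry value data


@dataclass
class Finding:
    technique: str       # MITRE ATT&CK technique the behaviour maps to
    reason: str
    event: Event


# Parents that should rarely launch PowerShell: Office applications and script hosts.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
# Script hosts and proxy-execution binaries that have no business in an autorun entry.
SCRIPT_RUNNERS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
UNTRUSTED_DIR = re.compile(r"\\(temp|public|programdata|downloads)\\", re.I)
# Flags commonly paired with in-memory execution: encoded input, hidden window, no profile, policy bypass.
PS_EVASION = re.compile(
    r"-(enc(odedcommand)?|w(indowstyle)?\s+hidden|nop(rofile)?|e(xecutionpolicy|p)\s+bypass)\b", re.I)
PS_DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
BITS_VERBS = re.compile(r"/(transfer|addfile|setnotifycmdline|resume)\b", re.I)
PROJECT_EXT = re.compile(r"\.(sln|csproj|vbproj|proj|targets)\b", re.I)
WMI_PERSIST = re.compile(
    r"__EventFilter|CommandLineEventConsumer|ActiveScriptEventConsumer|__FilterToConsumerBinding", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)


def rule_powershell(e):
    if not e.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    reasons = []
    if PS_EVASION.search(e.cmdline):
        reasons.append("evasion flags")
    if PS_DOWNLOAD.search(e.cmdline):
        reasons.append("download cradle")
    if e.parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {e.parent.lower()}")
    # Any one signal alone is noisy on admin workstations; require two before alerting.
    return Finding("T1059.001 PowerShell", ", ".join(reasons), e) if len(reasons) >= 2 else None


def rule_bits(e):
    if e.image.lower().endswith("bitsadmin.exe") and BITS_VERBS.search(e.cmdline):
        return Finding("T1197 BITS Jobs", "bitsadmin used to transfer or run a job", e)
    return None


def rule_msbuild(e):
    if not e.image.lower().endswith("msbuild.exe"):
        return None
    # A build from a temp/public folder, or of a file that is not a project type, is unusual.
    if UNTRUSTED_DIR.search(e.cmdline) or not PROJECT_EXT.search(e.cmdline):
        return Finding("T1127.001 MSBuild", "project file outside a build tree or with a non-project extension", e)
    return None


def rule_wmi(e):
    # A shell spawned by the WMI provider host means WMI, not the user, started it.
    if e.parent.lower() == "wmiprvse.exe" and e.image.lower().endswith(("cmd.exe", "powershell.exe", "pwsh.exe")):
        return Finding("T1047 WMI", f"{e.image.lower()} spawned by WMI provider host", e)
    if WMI_PERSIST.search(e.cmdline):
        return Finding("T1546.003 WMI Event Subscription", "permanent WMI subscription classes referenced", e)
    return None


def rule_run_keys(e):
    if e.kind != "registry" or not RUN_KEY.search(e.key):
        return None
    if any(r in e.data.lower() for r in SCRIPT_RUNNERS) or UNTRUSTED_DIR.search(e.data):
        return Finding("T1547.001 Registry Run Keys", "autorun points at a script host or untrusted path", e)
    return None


RULES = (rule_powershell, rule_bits, rule_msbuild, rule_wmi, rule_run_keys)


def triage(events):
    """Run every rule over every event and return findings in event order."""
    findings = []
    for e in events:
        for rule in RULES:
            f = rule(e)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample telemetry: three benign records followed by one record per technique.
# URLs and payload bodies are placeholders, not real values.
SAMPLE_EVENTS = [
    Event("process", "alice", "powershell.exe", "explorer.exe", r"powershell.exe -File C:\Scripts\Backup.ps1"),
    Event("process", "bob", "msbuild.exe", "cmd.exe", r"msbuild.exe C:\src\app\app.csproj /t:Build"),
    Event("registry", "SYSTEM", key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          data=r"C:\Windows\System32\SecurityHealthSystray.exe"),
    Event("process", "alice", "powershell.exe", "winword.exe",
          "powershell.exe -NoP -W Hidden -EncodedCommand <base64-placeholder>"),
    Event("process", "alice", "bitsadmin.exe", "cmd.exe",
          r"bitsadmin.exe /transfer upd /download /priority high <placeholder-url> C:\Users\Public\upd.bin"),
    Event("process", "alice", "msbuild.exe", "cmd.exe", r"msbuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"),
    Event("process", "SYSTEM", "cmd.exe", "wmiprvse.exe", "cmd.exe /c <redacted>"),
    Event("registry", "alice", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
          data=r"powershell.exe -w hidden -File C:\Users\Public\u.ps1"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] user={f.event.user}: {f.reason}")
```

Run as written, the script reports five findings, one per technique, and stays silent on the three benign records. The two-signal threshold in the PowerShell rule is the important design choice: an encoded command from an administrator's console is routine, but the same flags in a process spawned by Word are not, and combining weak signals is what lets behavioural detection cover tools that leave no file to scan.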
Simulate Fileless Attacks to Boost Defenses
Cymulate simulates fileless attacks like those launched by real adversaries, using legitimate tools to run malicious commands. In each simulation, you receive results tagged to the MITRE ATT&CK Framework, where you can learn more about each threat. Cymulate goes beyond reporting to also provide you with additional guidance on mitigation, detection, and analysis.
Learn more—read about Testing Security Effectiveness with the MITRE ATT&CK™ solution brief, or book a demo.