What is fileless malware?

Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyberattack. Unlike traditional malware, which typically requires a file to be downloaded and installed, fileless malware operates in memory or manipulates native tools, making it harder to detect and remove. The exploitation of legitimate tools is often referred to as living off the land (LOTL).

Common fileless malware techniques

While attackers don’t have to install code to launch a fileless malware attack, they still need to get access to the environment so that they can modify its native tools to serve their purposes. Attackers can gain access by using:

  • Exploit kits
  • Registry resident malware
  • Memory-only malware
  • Fileless ransomware

Exploit kits

Exploits are pieces of code, sequences of commands, or collections of data, and exploit kits are collections of exploits. Adversaries use these tools to take advantage of vulnerabilities that are known to exist in an operating system or an installed application.

Exploits are an efficient way to launch a fileless malware attack because they can be injected directly into memory without requiring anything to be written to disk. Adversaries can use them to automate initial compromises at scale.

Exploit kits usually include exploits for a number of vulnerabilities and a management console that the attacker can use to control the system. In some cases, the exploit kit will include the ability to scan the targeted system for vulnerabilities and then craft and launch a customized exploit on the fly.

Registry resident malware

Registry resident malware is malware that installs itself in the Windows registry to remain persistent while evading detection. In a traditional malware attack, Windows systems may be infected through the use of a dropper program that downloads a malicious file. This malicious file remains active on the targeted system, which makes it vulnerable to detection by antivirus (AV) software. Fileless malware may also use a dropper program, but it doesn’t download a malicious file. Instead, the dropper program itself writes malicious code straight into the Windows registry.

The malicious code can be programmed to launch every time the OS is launched, and there is no malicious file to discover — the malicious code is hidden in native files not subject to AV detection.

The oldest variant of this type of attack is Poweliks, but many variants have emerged since then, including Kovter and GootKit. Malware that modifies registry keys is highly likely to remain in place undetected for extended periods of time.
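The persistence described above leaves one thing a defender can inspect: the autorun value itself. As an added example (not from the original article and not CrowdStrike's code), the following Python audits exported autorun values and decodes any embedded blob for the analyst. The rows are constructed sample data, and the tool list, the 40-character and 260-character thresholds, and the two-signal rule are assumptions.

```python
import base64
import re

# Assumed list of native tools that can run code passed on the command line.
SCRIPT_HOSTS = ("powershell", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking token
MAX_PATH_LEN = 260                               # classic Windows path limit

def decode_blob(token):
    """Read a base64 token as UTF-16LE text, the form PowerShell's -EncodedCommand takes."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except ValueError:                           # bad base64 or not UTF-16LE text
        return None

def audit_autoruns(rows):
    """rows: (key, value_name, data) tuples. Flag values showing two or more signals."""
    findings = []
    for key, name, data in rows:
        reasons = []
        if any(host in data.lower() for host in SCRIPT_HOSTS):
            reasons.append("runs a script-capable native tool")
        blob = BLOB.search(data)
        if blob:
            reasons.append("carries an encoded blob")
        if len(data) > MAX_PATH_LEN:
            reasons.append("longer than a file path")
        if len(reasons) >= 2:                    # one signal alone is common in benign entries
            findings.append({"value": f"{key}\\{name}", "reasons": reasons,
                             "decoded": decode_blob(blob.group()) if blob else None})
    return findings

# Constructed sample export of a Run key (harmless payload, built here for the demo).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_BLOB = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_ROWS = [
    (RUN_KEY, "VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    (RUN_KEY, "LogonScript", r"powershell.exe -File C:\Scripts\logon.ps1"),
    (RUN_KEY, "Sync", "powershell.exe -NoProfile -EncodedCommand " + SAMPLE_BLOB),
]

if __name__ == "__main__":
    for finding in audit_autoruns(SAMPLE_ROWS):
        print(finding)
```

Only the `Sync` value is reported: it points at no file on disk, and the code it would run is recoverable from the value data alone.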

Memory-only malware

Memory-only malware resides only in memory. An example of memory-only malware is the Duqu worm, which can remain undetected because it resides exclusively in memory. Duqu 2.0 comes in two versions; the first is a backdoor that allows the adversary to gain a foothold in an organization. The adversary can then use the second version of Duqu 2.0, which offers additional features such as reconnaissance, lateral movement, and data exfiltration. Duqu 2.0 has been used to successfully breach companies in the telecom industry and at least one well-known security software provider.

Fileless ransomware

Adversaries do not limit themselves to one type of attack. They use any technology that will help them capture their payload. Today, ransomware attackers are using fileless techniques to embed malicious code in documents. They accomplish this by using native scripting languages such as macros or by writing the malicious code directly into memory through the use of an exploit. The ransomware then hijacks native tools like PowerShell to encrypt hostage files without ever having written a single line to disk.

Stages of a fileless attack

The following are the stages of a fileless malware attack:

Stage #1: Gain access

Technique: Remotely exploit a vulnerability and use web scripting for remote access (e.g., China Chopper)

The attacker gains remote access to the victim’s system to establish a beachhead for their attack.

Stage #2: Steal credentials

Technique: Variety of techniques (e.g., Mimikatz)

Using the access gained in the previous step, the attacker now tries to obtain credentials for the compromised environment, allowing them to easily move to other systems in that environment.

Stage #3: Maintain persistence

Technique: Modify registry to create a backdoor (e.g., Sticky Keys bypass)

Now, the attacker sets up a backdoor that will allow them to return to this environment without having to repeat the initial steps of the attack.

Stage #4: Exfiltrate data

Technique: Use file system and built-in compression utility to gather data, then use FTP to upload the data

In the final step, the attacker gathers data and prepares it for exfiltration, copying it to one location and then compressing it using readily available system tools such as Compact. The attacker then removes the data from the victim’s environment by uploading it via FTP.

How to detect fileless malware

If legacy AV, allowlisting, sandboxing, and even machine learning methods cannot protect against fileless attacks, what’s left? Organizations can protect themselves by taking an integrated approach that combines multiple methods.

Rely on indicators of attack instead of indicators of compromise alone

Indicators of attack (IOAs) allow organizations to take a proactive approach to preventing fileless attacks. Instead of focusing on how an attack was executed, IOAs look for signs that an attack may be in progress. It does not matter whether an action was initiated from a file on the hard drive or from a fileless technique. The only thing that matters is the action performed, how it relates to other actions, its position in a sequence, and its dependent actions. These indicators reveal the true intentions and goals behind the behaviors and the events around them.

IOAs include signs such as code execution, lateral movement, and actions that seem to be intended to cloak their true intent. They look for sequences of events that even fileless malware must execute to achieve its mission.

And because IOAs examine intent, context, and sequences, they can even detect and block malicious activities that are performed using a legitimate account, which is often the case when an attacker uses stolen credentials.
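To make the sequence idea concrete, here is an added example (not from the original article and not CrowdStrike's implementation) that correlates process telemetry into the four stages listed earlier and alerts only when several occur in order on one host. The event fields, process names, one-hour window and three-stage threshold are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

STAGES = ["access", "credentials", "persistence", "exfiltration"]
WEB_WORKERS = {"w3wp.exe", "httpd.exe"}          # assumed web server process names
SHELLS = {"cmd.exe", "powershell.exe"}

def classify(ev):
    """Map an event to a stage index by the action performed, never by file or hash."""
    kind, proc, target = ev["kind"], ev["proc"], ev["target"].lower()
    if kind == "process_start" and ev["parent"] in WEB_WORKERS and proc in SHELLS:
        return 0                                 # web server spawning a shell
    if kind == "process_access" and target.endswith("lsass.exe"):
        return 1                                 # reading credential store memory
    if kind == "registry_set" and "\\currentversion\\run" in target:
        return 2                                 # autorun value written
    if kind == "process_start" and proc in {"compact.exe", "ftp.exe"}:
        return 3                                 # built-in compression or upload
    return None

def find_ioa_chains(events, window_min=60, min_stages=3):
    """Return {host: [stage, ...]} where stages occur in order inside the window."""
    alerts, per_host = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        idx = classify(ev)
        if idx is None:
            continue
        best = per_host.setdefault(ev["host"], {})   # stage index -> (chain, start time)
        earlier = [c for s, c in best.items()
                   if s < idx and ev["time"] - c[1] <= timedelta(minutes=window_min)]
        chain, start = max(earlier, key=lambda c: len(c[0]), default=([], ev["time"]))
        chain = chain + [STAGES[idx]]
        if len(chain) >= len(best.get(idx, ([], None))[0]):
            best[idx] = (chain, start)
        if len(chain) >= max(min_stages, len(alerts.get(ev["host"], [])) + 1):
            alerts[ev["host"]] = chain
    return alerts

def make_event(hhmm, host, kind, proc, parent="", target=""):
    t = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return dict(time=t, host=host, kind=kind, proc=proc, parent=parent, target=target)

# Constructed telemetry: WEB01 shows the four stages in order, ADMIN7 a lone FTP session.
SAMPLE_EVENTS = [
    make_event("09:00", "ADMIN7", "process_start", "ftp.exe", parent="explorer.exe"),
    make_event("10:00", "WEB01", "process_start", "cmd.exe", parent="w3wp.exe"),
    make_event("10:05", "WEB01", "process_access", "powershell.exe", target=r"C:\Windows\System32\lsass.exe"),
    make_event("10:12", "WEB01", "registry_set", "powershell.exe", target=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    make_event("10:30", "WEB01", "process_start", "compact.exe", parent="cmd.exe"),
    make_event("10:31", "WEB01", "process_start", "ftp.exe", parent="cmd.exe"),
]
```

Calling `find_ioa_chains(SAMPLE_EVENTS)` reports WEB01 with all four stages, while the FTP session on ADMIN7 stays below the threshold because no earlier stage precedes it.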

Employ managed threat hunting

Threat hunting for fileless malware is time-consuming and laborious work that requires the gathering and normalization of extensive amounts of data. But because it is a necessary part of protecting against fileless attacks, the most pragmatic approach for the majority of organizations is to turn their threat hunting over to an expert provider.

Managed threat hunting services are on watch around the clock, proactively searching for intrusions, monitoring the environment, and recognizing subtle activities that may go unnoticed by standard security technologies.

How CrowdStrike can prevent fileless attacks in your organization

Fileless techniques are extremely challenging to detect if you rely on signature-based methods, sandboxing, allowlisting, or even machine learning protection methods.

To defend against stealthy, fileless attacks, CrowdStrike uniquely combines multiple threat detection methods into a powerful and integrated approach that delivers unrivaled endpoint protection. The CrowdStrike Falcon® platform delivers cloud-native, next-generation endpoint protection via a single lightweight agent and offers an array of complementary prevention and detection methods:

  • The Falcon platform’s application inventory discovers any applications running in your environment, helping you find vulnerabilities so you can patch or update them before exploit kits can target them

  • Exploit blocking stops the execution of fileless attacks via exploits that take advantage of unpatched vulnerabilities

  • IOAs identify and block malicious activity during the early stages of an attack, before it can fully execute and inflict damage; this capability also protects against new categories of ransomware that do not use files to encrypt victim systems

  • Script Control provides expanded visibility and protection against fileless script-based attacks

  • Accelerated memory scanning protects against fileless and malware-free attacks like advanced persistent threats (APTs), ransomware, and dual-use tools like Cobalt Strike in memory

  • CrowdStrike® Falcon Adversary OverWatch™ provides managed threat hunting that proactively searches around the clock for malicious activities that are generated as a result of fileless techniques

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.