The Rise of Non-Malware: How to Defend Yourself from Fileless Infection

The rise of non-malware

In particular, so-called 'fileless' infections, or 'non-malware', have been on the increase in the last few years. According to research by cybersecurity firm WatchGuard, the number of fileless attacks increased by nearly 900% in 2020 compared with the previous year.

The firm noted these techniques have become popular among hackers as they can often evade detection by traditional endpoint solutions and don't require victims to do anything other than click a link in order to gain entry.

Once into a network using fileless malware, hackers can perform a wide range of activities, from stealing credentials to exfiltrating valuable data. Therefore, tackling the problem should be a priority for any business.

However, many people may not know where to start. For example, figures from Crowdstrike show that while 78% of organizations admit to being concerned about these attacks, 83% of professionals said they wanted more information about the threat.

What is fileless malware?

Fileless malware is malicious software that doesn't hide its malicious code within traditional executable files that are downloaded onto a system. Instead, it uses legitimate tools within the operating system's software, applications and protocols to execute its mission.

One of the most popular targets for this is PowerShell. Research by Norton suggests malicious PowerShell scripts account for 89% of fileless attacks. These work by embedding malicious code into legitimate PowerShell scripts, so as the software runs through its normal processes, it’ll also activate the hackers' code.

Non-malware threats can enter a system in a number of other ways. For example, if a user clicks on a malicious link in a phishing email, they load to the device's memory. This allows hackers to remotely load codes via scripts that capture and share your confidential data.

Malicious code can also be injected into applications you already have installed, such as Microsoft Office or JavaScript, or if a user visits a fraudulent website which looks for vulnerabilities in plugins.

Since there’s no executable file for antimalware software to detect and it uses only native tools, it can be very hard to stop. Fileless malware is often written to the memory rather than the hard drive, meaning it leaves little trace of its presence. What's more, as in-memory data is wiped when the system reboots, it can be very hard for a forensic analysis to determine what’s happened.

3 types of fileless malware you need to know

The first step to defending yourself against non-malware attacks is to understand how they work and what they involve. Once you know what to look for and what parts of your system they target, you can start working on prevention, detection and mitigation strategies. Here are three of the most common fileless malware techniques:

Memory code injection

This technique hides malicious code within the memory of legitimate applications, leveraging known vulnerabilities in software such as Java or Flash to gain entry. Once securely in-memory, it distributes and reinjects itself into critical Windows processes, taking advantage of the fact that code within these processes is trusted by the system.

Windows registry manipulation

This type of fileless attack is similar to memory code injection, except instead of hiding in-memory, it installs itself into the Windows registry, enabling it to remain persistent as well as undetected. These threats can activate every time the operating system is launched and, as antivirus tools don’t typically look at the registry, can remain hidden for long periods of time.

High-profile examples of registry manipulation include Kovter and Powelike, which can transform infected systems into botnets by connecting with websites and click-through ads.

Script-based techniques

Script-based techniques may be completely or semi-fileless, and inject malicious scripts into tools such as PowerShell. One example of this is the SamSam ransomware, which is especially hard to analyze as its payload is run-time decrypted. This makes it difficult to find a sample of the payload code, which the ransomware is always evolving, meaning it's more challenging to defend against.

Another example is Operation Cobalt Kitty, an advanced persistent threat that used malicious PowerShell scripts to target a large corporation in Asia. It used a spear-phishing campaign to inject dozens of PCs and servers and went undetected for months.

Key fileless malware mitigation strategies to deploy

Since fileless malware doesn't obey the 'normal' rules of threats such as viruses and Trojans, it can be very hard to detect with traditional antimalware programs. Therefore, your first line of defense needs to be a modern endpoint detection and response solution.

These should be able to continuously monitor your network, looking for Indicators of Attack (IOAs) that might be a sign you're being infected with fileless malware. These look for sequences of events such as code execution, lateral movements, and actions that appear to cloak their true intent.

Because IOAs are looking at the intent, context, and sequence of activities within your network, not just at the perimeter, they can detect and block malicious activities that are performed using legitimate tools or accounts, which is often the case when an attacker uses stolen credentials and takes advantage of technologies like PowerShell.

Many fileless malware attacks rely on human error in order to infect systems, so make sure you regularly patch software, train users on how to spot suspicious emails, and be careful about what they download. Prevention is better than cure, so ensuring your employees are familiar with the basics is always the first step.

Further reading:

• A Guide to Replacing Antivirus with Advanced Endpoint Security
• NGAV and EDR: The Yin and Yang of Modern Cybersecurity
• Top 5 Reasons You Need EDR