Executing attacks in memory rather than through executable files seems to be making a strong comeback. Last year saw some visible attacks using this technique, e.g. against several banks; the technique itself is nothing new, but it is now back in use.
Andy Patel from F-Secure Labs explains:
The term ‘fileless’ is used to describe non-executable malware. These types of attacks are designed to defeat anti-malware technologies that rely solely on detecting maliciousness in executable file types.
The attackers utilize Microsoft’s own tools, such as PowerShell, to carry out memory-based attacks through malicious macros that trigger PowerShell to load the malware onto the machine. Detecting these attacks can be hard, as the macros use evasion techniques and a fileless approach to evade file-based detection.
The F-Secure “State of Cyber Security 2017” report explains macros: Macros are essentially useful tools to automate tasks. However, they pose security risks as malware can hide within a seemingly harmless document and can trick the victims into executing malicious code. Typically, the victim receives a document as an email attachment, which when opened requires the recipient to enable macros to read the contents. When enabled, the malware code is executed.
Memory exploits often take advantage of known vulnerabilities. And, as we know, patching vulnerabilities is something that several organizations fail to do in a timely and efficient manner – according to a study we conducted in late 2015, about 70% of organizations lack a patch management solution. Yet, according to a recent Gartner report, “Get Ready for ‘Fileless’ Malware” 1), one of the things organizations should do is focus on security hygiene and patch management.
By limiting access to critical resources, such as the Command & Control server, organizations can also help minimize the risks posed by fileless malware. Even if the malware finds its way into the organization’s network, it cannot do any harm without access to the C&C – something you can control with our Botnet Blocker feature.
We earlier published six tips for avoiding macro-based malware – that advice is still very much valid for fileless malware attacks. Our protection engines, including the behavior-based DeepGuard, already block these attack vectors.
Jose Perez, one of our DeepGuard experts, explains:
DeepGuard offers exploit protection to mitigate the exploitation of legitimate applications. It also offers protection against script-based attacks by blocking the execution of the script. This all is essentially what DeepGuard detection is made of: using behavior indicators of compromise.
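The macro-to-PowerShell chain described by Andy Patel above, and the behaviour-indicator approach Jose Perez mentions, can be illustrated with a small detection routine. The following is an added example written for this page; it is not DeepGuard code or any F-Secure implementation. It assumes process-creation events arrive as one key=value line each (fields `ts`, `host`, `parent`, `image`, `cmdline`), and the sample events, the Office-parent and script-host lists, and the command-line indicator patterns are all constructed for illustration. It scores an event on the parent/child relationship (a document application spawning a script host) plus command-line traits, so that a hidden, encoded PowerShell launched by Word is flagged while an administrator's scheduled backup script is not.

```python
"""Behaviour-based scoring of process-creation events for macro-launched script hosts.

Added example for this page (not DeepGuard or F-Secure code). Event format,
lists, indicator patterns and sample events are all assumptions/constructed.
"""
import re
from dataclasses import dataclass

# Document-handling parents that should not normally spawn a script host (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts commonly involved in in-memory, fileless chains (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that raise the score (constructed heuristics, not a complete rule set).
CMDLINE_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p|x)?\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\b(?:downloadstring|downloadfile|invoke-webrequest|invoke-expression|iwr|iex)\b", re.I),
}

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    ts: str
    host: str
    parent: str
    image: str
    reasons: list
    score: int


def parse_event(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def assess(event):
    """Return a Finding for a suspicious event, or None if nothing of interest fired."""
    parent = _basename(event.get("parent", ""))
    image = _basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    reasons, score = [], 0
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        reasons.append("office_spawns_script_host")  # strongest single indicator
        score += 5
    if image in SCRIPT_HOSTS:
        for name, rx in CMDLINE_INDICATORS.items():
            if rx.search(cmdline):
                reasons.append(name)
                score += 2
    if not reasons:
        return None
    return Finding(event.get("ts", ""), event.get("host", ""), parent, image, reasons, score)


def scan(lines, threshold=5):
    """Assess every line and keep findings at or above the alert threshold."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None and finding.score >= threshold:
            findings.append(finding)
    return findings


# Constructed sample events: a document opened from Explorer, Word spawning a hidden encoded
# PowerShell (payload replaced by a base64 placeholder), two administrator scripts, and Excel
# spawning a VBScript host.
SAMPLE_EVENTS = [
    r'ts=2017-03-01T09:12:01Z host=ws-01 parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="WINWORD.EXE /n C:\Users\alice\Downloads\invoice.docm"',
    r'ts=2017-03-01T09:12:09Z host=ws-01 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"',
    r'ts=2017-03-01T09:15:30Z host=ws-02 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1"',
    r'ts=2017-03-01T09:20:44Z host=ws-03 parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe //B C:\Users\bob\AppData\Local\Temp\report.vbs"',
    r'ts=2017-03-01T09:31:02Z host=ws-02 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\deploy\install.ps1"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.parent} -> {f.image} score={f.score} reasons={','.join(f.reasons)}")
```

The parent/child relationship carries most of the weight on purpose: a command line can be obfuscated or split across stages, but a word processor launching a script host is a behaviour the attacker cannot easily hide from process telemetry. The policy-bypass admin run scores below the threshold on its own, which is where a real deployment would tune weights against its own baseline rather than copying these constructed values.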
1) Ian McShane, Peter First, 13 February 2017
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.