Businesses face a growing risk from fileless cyberattacks, Malwarebytes researchers have warned in a new report.
Fileless malware accounted for 35 percent of all attacks in 2018 according to research carried out by the Ponemon Institute.
Malwarebytes researchers believe there has been a shift in the way threat actors develop and deploy malware, toward numerous highly dynamic attacks that are modified frequently to avoid detection by standard security products.
Fileless malware attacks often use default Windows tools to commit malicious actions or move laterally across a network to other machines. The most common Windows tools used in these types of attacks are PowerShell and WMI, which are installed on nearly every Windows machine.
PowerShell is a scripting language that, when used by threat actors, can give them unrestricted access to Windows APIs and the core of the operating system.
Fred O’Connor, a researcher at endpoint security company Cybereason, commented in a blog post: “PowerShell’s ability to run remotely through WinRM makes it an even more appealing tool. This feature enables attackers to get through Windows Firewall, run PowerShell scripts remotely or simply drop into an interactive PowerShell session, providing complete admin control over an endpoint.”
He also notes that if WinRM is not enabled, it can be turned on remotely through WMI using a single line of code.
Recently, attackers have started sending PowerShell scripts embedded in Microsoft Office documents in phishing campaigns. Once the document is opened, a specially crafted settings file starts to run malicious code on the infected computer. This attack completely circumvents the system’s security measures and can remain undetected for some time.
Malwarebytes researchers state that: “These have had success in attacking businesses because the majority of past and present security solutions are designed to detect file-based malware.” Fileless malware attacks are ten times more likely to succeed than traditional file-based attacks.
Because these attacks completely circumvent system security and then place hidden malicious code on the system, they are becoming the weapon of choice for threat actors.
“These sophisticated attacks avoid detection and maintain persistence by borrowing the propagation and anti-forensic techniques seen in the complex nation state attacks of the past,” Malwarebytes comments.
Attackers are continually changing their methods to get around the security measures deployed by enterprises. Fileless attacks allow them to completely own a system, and if carried out correctly they can go undetected for a considerable amount of time.
One of the best defenses against them is to always be aware of what you are running and opening on your systems.
Malwarebytes believes that to protect computers in future: “We need every aspect of the computing experience to be monitored and secured, including incoming and outgoing traffic to which processes can run and even which files can be downloaded.”