“Gold Dragon made its way into systems through hackers sending spoof malware-laden emails and establishing channels back to their servers using a PowerShell implant”
Fileless Malware is increasingly becoming a favoured attack vector with new strains such as ‘vaporworms’ rapidly entering the hackers’ toolbox.
According to McAfee, attacks using fileless techniques grew by 432 percent in 2017, a huge increase compared to relatively small gains for other variants.
As opposed to traditional malware that relies on software being installed on a victim’s PC, fileless malware is popular because it hijacks or shuts down tools that are built into the operating system and weaponises the operating system against itself. Then, because the malware is ingrained into the system, there is no signature for security software to detect.
Enter the Dragon
A noteworthy example of fileless malware was ‘Gold Dragon’, an attack that hit the 2018 Winter Olympics in Pyeongchang, South Korea as a part of a wider campaign from cybercriminals to disrupt the games.
Gold Dragon made its way into systems through hackers sending spoof malware-laden emails and establishing channels back to their servers using a PowerShell implant (a scripting language that allows access to the operating system’s inner workings).
Once inside, hackers would gather files on the system, encrypt the data and then send it to a remote server. As it was utilising the tools built into Windows, Gold Dragon acted as a reconnaissance tool and downloader for subsequent payloads. (It is unknown as whether Gold Dragon provided the reconnaissance needed to inflict the ‘Olympic Destroyer’ malware which caused mass disruption at the start of the games, but this is very possible.) Other similar implants such as Ghost419 and Brave Prince all acted in a similar manner with shared elements, code and behaviour.
On a more technical level, fileless malware like Gold Dragon functions by surveilling the directories in a system’s Desktop folder, recently accessed files, and in the system’s %programfiles% folder (the folder where non-operating system applications are installed). It pools this information together with the ixe000.bin file (a key part of the operating system’s identity), the system details, the current user’s UserProfiles and registry key and value information for the Run key (one of seven; part of the registry, a hierarchical database housing settings that run the Windows operating system, its services and Windows-supported applications).
All of this data is then encrypted and sent to a remote control server using a specific HTTP POST request method. The fileless malware can then check a system for any antivirus or cleaner products and terminate them to evade detection. Essentially, hackers can put a man behind enemy lines in order to get a full view of how then to exploit a system. It is worth noting that most fileless malwares should not be classed as fully fledged spyware, as they only have limited functionalities for data-gathering.
To put it into a relatable scenario, think of the a fileless malware-supported attack like a high-tech heist in an action movie (like the first Mission Impossible film).The traditional malware which directly attacks a system is the man on the ground, going in and out of the facilities to steal the confidential and classified government secrets.
Meanwhile, fileless malware is the technical whizz who is sat at a computer in a van outside, has scouted the location ahead of time and is turning off all the alarms and trip wires to make sure that the man inside can get in and out in a tense, but ultimately successful, mission.
It is therefore quite plain to see why hackers are increasingly turning to fileless malware variants. With security software becoming more adept at identifying and eliminating the threats posed by a wide range of malware, cybercriminals are looking for anything that can give them an edge.
It’s also easier for hackers to use fileless malware to exploit the flaws in a system’s operating system and turn the system against itself than it is to attempt to work around security software. To go back to the heist metaphor – what makes more sense: acrobatically dodging through a hallway of laser wires that, if tripped, would set off an alarm… or turning the alarm system off altogether?
Fileless malware attacks are easier to conduct, harder to detect, and often more effective than traditional attacks. In fact, the Ponemon Institute’s 2017 State of Endpoint Security Risk Report found that fileless malware attacks are ten times more likely to succeed than file-based attacks.
Preventing Fileless Infection
As alluded to earlier, traditional AV solutions (while being useful when fighting against other forms of malware) are of little use when it comes to fileless malware, as it is unidentifiable. The way that AV software identifies a threat and stops it from acting is by looking for several indicators through daily or weekly scans.
These methods can include identifying suspicious Heuristics (what the file does), Signatures (data used to identify or verify the contents of a file), or other indicators such as reputation (the status as safe or unsafe file formats that are subject to carrying unsafe code), DNS (a directory of domain names) or registry (non-container objects similar to files stored in a hierarchical database that of low-level settings) changes made, but the challenge posed is that fileless malware never creates a file, rendering file-based detection methods redundant.
Despite the looming threat that comes from the concept of hackers getting at the core foundations of a user’s operating system, fileless malware can be prevented through diligent patch management.
Users might complain about the long-winded updates they are faced with on a routine basis, but these regular updates are a vital part of protecting a PC from threats. Administrators should make their system users aware that patching is the fundamental way to reduce cyber risk. It reduces the attack surface and fixes any vulnerability that may be inherent in the operating system’s makeup and exploitable by fileless malware.
Organisations can also keep their systems protected from fileless malware or any other emerging threats by employing a multi-layered security approach.
When looking at security and patch management, IT administrators should look for a layered security solution that lets them proactively monitor, evaluate, remediate, verify, defend, and fortify your network infrastructure and resources. Much more than simply managing patches, a complete security management solution can scan for and remediate the most prevalent types of security exposures and risks that continually threaten the health and performance of managed devices. Utilising a layered solution that fits that bill is the best method of reducing the threat of fileless malware.
Fileless malware continues to evolve post-Winter Olympics. New strains are being developed all the time, such as GandCrab and SamSam, as this is yet another sophisticated technique that hackers are using to slip through the security net and inflict increasingly dangerous attacks. The mission for organisations (and they should choose to accept it) is to make sure the PCs on their networks are fully patched and protected.