In Pursuit of Invisibility: Fileless Malware
I recently heard a news story about a survey in which people were asked whether they would prefer the ability to fly or to be invisible. Sure, it was a silly question*, but it was interesting to hear why people made their choices. The majority chose flight. What really fascinated me was that the survey’s authors believed that most people would have actually preferred to be invisible. But they chose flying because they associated invisibility with unethical and criminal behavior.
That association, of course, got me thinking about security. Being invisible is what cyber criminals strive to be, and the development of fileless malware helps them get pretty close.
Fileless malware is a type of memory-resident malware. As the term suggests, it is malware that operates from a victim system’s memory, not from files on the disk. This makes it more difficult to detect because there are no files to scan. And it makes forensics more difficult because the malware will just disappear when the victim computer is rebooted.
Fileless malware can find its way into a network through phishing, malicious web sites, etc., just as any other kind of malware would. The difference is that there is no executable file installed or run at the time of infection. That’s the fileless part. The malware then runs in system memory and manipulates administrative utilities like Windows PowerShell and Windows Management Instrumentation (WMI) to do its work. Because many security technologies explicitly trust these utilities, the malware stays under the radar and its activities appear benign.
Our Cisco Talos threat intelligence team blogged about a creative example of fileless malware they called DNSMessenger in late 2017. (You can read their full blog post on DNSMessenger here.) The attackers sent a compromised Word document to their victims through email and enticed users to enable macros in the document. Once enabled, a macro launched a Windows PowerShell script to reach out to specific Internet domains via WMI. The malware received further instructions from the DNS TXT records associated with those domains.
Traditional file-centric malware detection technologies would not have detected this threat because there were no files installed: the malicious instructions were cleverly placed in DNS records external to the victims’ networks. While everything would have appeared normal from a file-based perspective, it would have taken close monitoring of DNS traffic to detect the threat.
Another technique used by fileless malware authors is to put encoded commands in one or more specific Windows Registry keys. The Registry is not an area where security products tend to look for malware. It’s trusted. So, if a PowerShell script reads a registry key, that activity doesn’t appear to be out of the ordinary. What is out of the ordinary is that Registry keys aren’t normally encoded. Again, file-based malware detection would miss such a threat; endpoint protection that looks for obfuscated Registry keys would be needed.
These are just a couple of examples of how far attackers have come in exploiting trusted processes and in taking advantage of the gaps between isolated security technologies.
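The two checks described above (encoded content in DNS TXT answers and encoded Registry values) can share one heuristic. The following is an added example, not code from the original post or from Cisco Talos; the log line format, the Registry paths, the length cutoff, and the per-client threshold are all assumptions made for illustration.

```python
import base64
import re
from collections import Counter

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
# Assumed resolver log format (hypothetical): client=IP qtype=T qname=N answer="..."
LOG_RE = re.compile(r'client=(\S+) qtype=(\S+) qname=(\S+) answer="(.*)"')

def looks_encoded(value, min_len=40):
    """True when the whole value is one long, cleanly decodable base64 run."""
    v = value.strip()
    if len(v) < min_len or len(v) % 4 or not B64_RE.fullmatch(v):
        return False
    if HEX_RE.fullmatch(v):  # hashes and hex IDs also fit the base64 alphabet
        return False
    try:
        base64.b64decode(v, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def suspicious_txt_clients(log_lines, threshold=2):
    """Count encoded-looking TXT answers per client; keep clients at or over threshold."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "TXT" and looks_encoded(m.group(4)):
            hits[m.group(1)] += 1
    return {client: n for client, n in hits.items() if n >= threshold}

def suspicious_registry_values(values):
    """Return the Registry value paths whose string data looks encoded."""
    return sorted(path for path, data in values.items() if looks_encoded(data))

# Constructed sample data (not from the original post or any real incident).
BLOB = base64.b64encode(b"constructed placeholder bytes for the demo only").decode()
DNS_LOG = [
    'client=10.0.0.5 qtype=TXT qname=a.example.test answer="%s"' % BLOB,
    'client=10.0.0.5 qtype=TXT qname=b.example.test answer="%s"' % BLOB,
    'client=10.0.0.7 qtype=TXT qname=example.test answer="v=spf1 include:_spf.example.test ~all"',
    'client=10.0.0.7 qtype=TXT qname=k._domainkey.example.test answer="v=DKIM1; k=rsa; p=%s"' % BLOB,
    'client=10.0.0.9 qtype=A qname=www.example.test answer="192.0.2.10"',
]
REGISTRY = {
    r"HKCU\Software\ExampleApp\InstallPath": r"C:\Program Files\ExampleApp\app.exe",
    r"HKCU\Software\ExampleApp\FileHash": "ab" * 32,
    r"HKCU\Software\ExampleApp\Cache": BLOB,
}
```

Matching the whole value rather than a substring keeps ordinary SPF and DKIM TXT records from being flagged, and the hex exclusion does the same for stored file hashes.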
Attackers won’t just try one attack vector and give up if that doesn’t work. They’ll jiggle every door knob, check every window, and see what can fit under the door in order to gain a foothold in your network. And those gaps in protection help them do just that. So logically, one security technology will not defend against all variations of these attacks. Phishing attacks need to be blocked. Malicious attachments need to be stripped from emails. Traffic to bad domains needs to be stopped. Network traffic needs to be monitored for anomalies inside and outside of the data center to the endpoints. And when a threat is detected through one attack vector, that intelligence needs to be shared across all defensive technologies, preferably through automated means.
The good thing is, we do all of these things and more. First, we have developed indicators of compromise for fileless malware, such as unusual content in DNS requests or unusual Windows Registry key content that could be used to obfuscate malicious commands.
Next, consider that we gather telemetry from hundreds of billions of emails and over 100 billion DNS requests, and analyze close to 2 million malware samples every day. We conduct research using thousands of honeypots, by reverse engineering malware, and by conducting vulnerability research. Because our research encompasses network, endpoint, web, cloud, email, and files, we see more and can detect more. All of the output from our research ends up in the content of our entire security product portfolio that protects you.
If you’d like to learn more about fileless malware, be sure to read the Talos blog post linked above and their follow-up post available here. Both posts include a list at the end of the ways we help mitigate the threat of fileless malware. And as always, we’d love to share our technology with you through an instant online demo or a personalized demo with one of our security experts.
* Me? I’d choose flight. No, really.