Fileless malware seems to be rearing its head. So how do you protect your organization against attacks that have no files to scan?
Executing attacks in memory rather than through executable files seems to be coming back strongly. Last year saw some visible attacks e.g. against several banks with this technique, which as such is nothing new, but has now made a comeback.
The term ‘fileless’ is used to describe non-executable malware. These types of attacks are designed to defeat anti-malware technologies that rely solely on detecting maliciousness in executable file types.
The attackers utilize Microsoft’s own tools, such as PowerShell, to carry out memory-based attacks through malicious macros that trigger PowerShell to load the malware onto the machine. Detecting these attacks can be hard, as the macros use evasion techniques and a fileless approach to evade file-based detection.
Macros are essentially useful tools to automate tasks. However, they pose security risks as malware can hide within a seemingly harmless document and can trick the victims into executing malicious code. Typically, the victim receives a document as an email attachment, which when opened requires the recipient to enable macros to read the contents. When enabled, the malware code is executed.
Memory exploits often take advantage of known vulnerabilities. And, as we know, patching vulnerabilities is something that several organizations fail to do in a timely and efficient matter – according to a study we conducted in late 2015, about 70% of organizations lack a patch management solution. Yet, according to a recent Gartner report, “Get Ready for ‘Fileless’ Malware”1), one of the things organizations should do is focus on security hygiene and patch management.
By limiting access to critical resources, such as the Command & Control server, organizations can help minimize the risks caused also by fileless malware. Even if the malware finds its way through to the organization’s network, it cannot do any harm without access to the C&C – something you can control with our Botnet Blocker feature.
We earlier published six tips for avoiding macro-based malware – that advice is still very much valid for fileless malware attacks. Our protection engines, including the behavior-based DeepGuard, already block these attack vectors.
Jose Perez, one of our DeepGuard experts explains:
“DeepGuard offers exploit protection to mitigate the exploitation of legitimate applications. It also offers protection against script-based attacks by blocking the execution of the script. This all is essentially what DeepGuard detection is made of: using behavior indicators of compromise.”