“We see it every day,” says Steven Lentz, CSO at Samsung Research America. “Something coming through, some exploit type, unknown ransomware. We’ve stopped several things with our defenses, either network-wise or at the end point.”
The attacks that Lentz is worried about are fileless attacks, also known as zero-footprint attacks, macro, or non-malware attacks. These types of attacks don’t install new software on a user’s computer, so antivirus tools are more likely to miss them.
Fileless attacks also evade whitelisting. With whitelisting, only approved applications are allowed to be installed on a machine. Fileless attacks take advantage of applications that are already installed and are on the approved list. However, the terms “fileless,” “zero-footprint,” and “non-malware” are technically misnomers since they often depend on users downloading malicious attachment files, and they do leave traces on the computer if you know what to look for.
“Fully zero-footprint malware doesn’t truly exist, as there are ways to detect malware even if it doesn’t install itself on hard drives,” says Cristiana Brafman Kittner, senior threat intelligence analyst at FireEye, Inc. In addition, they don’t evade antivirus completely, since antivirus might still be able to spot the malicious attachment or malicious link, even if there’s no executable installed.
Attackers know that with a fileless attack, they stand a higher chance of getting in. “That’s where the real threat is,” says Lentz. To catch the ones that do slip through, Samsung Research relies on behavior-based systems, including endpoint protection from Carbon Black. For example, when visitors connect to the company’s network, the defenses are able to spot malware that the users’ antivirus tools had missed. “We found keyloggers and password-stealing programs on visitor laptops,” says Lentz.
Fileless malware a growing threat
The rate of fileless malware attacks increased from three percent at the beginning of 2016 to 13 percent last November, according to Mike Viscuso, CTO at Carbon Black, Inc. “And we have continued to see it increase,” he says. “We see as many as one in three infections have a fileless component.”
Since not all Carbon Black customers choose to block attacks, but opt for alerts instead, Viscuso can see that fileless attacks actually have an even bigger impact. “More than half of all attacks that are successful are fileless,” he says.
Some customers also use honeypots, or even leave parts of their network without advanced behavior-based protections, he says, so they can watch for attacks and then track what the attackers are after, and how they’re spreading. “They can make sure the rest of their environment is ready for the attacks,” he says.
A recent Carbon Black analysis of more than a thousand customers, covering more than 2.5 million endpoints, found that virtually every organization had been targeted by a fileless attack in 2016.
Viscuso says that fileless attacks make a lot of sense for the attackers. “I spent ten years as an offensive hacker for the US government, with the NSA and CIA,” he says. “So, I approach most conversations from the attacker mindset.”
From the attacker’s perspective, installing new software on a victim’s computer is something that’s likely to draw attention. “If I don’t put a file on this victim’s computer, how much scrutiny do you undergo?” Viscuso asked. “That’s why it’s so much more damning when an attacker chooses to use a fileless or in-memory attack. They undergo far less scrutiny and are far more successful in their attack.”
There’s no loss of capability, Viscuso adds. “The payloads are exactly the same.” For example, if the attacker wants to launch a ransomware attack, they can install a binary file, or they can use PowerShell. “PowerShell can do everything that a new application can do,” he says. “There are no limitations in the attacks I can conduct in memory or with PowerShell.”
McAfee is also reporting an increase in fileless attacks. Macro malware, which accounts for a significant chunk of fileless malware, increased from 400,000 at the end of 2015 to over 1.1 million during the second quarter of this year. One of the reasons for the growth is the emergence of easy-to-use toolkits that include these types of exploits, says Christiaan Beek, lead scientist and principal engineer on strategic research at McAfee LLC.
As a result, the use of fileless attacks, which was previously mostly limited to nation states and other advanced adversaries, has been democratized, and is now common in commercial attacks as well. “The cybercriminals have taken this over to spread ransomware,” Beek says.
To combat these attacks, McAfee and other major antivirus vendors have been adding behavior-based analytics on top of the traditional signature-based defenses. “For example, if Word is executed at the same time as we see a PowerShell connection, that’s highly suspicious,” he says. “We can quarantine that process, or decide to kill it.”
How fileless attacks work
Fileless malware leverages the applications already installed on a user’s computer, applications that are known to be safe. For example, exploit kits can target browser vulnerabilities to make the browser run malicious code, or take advantage of Microsoft Word macros, or use Microsoft’s PowerShell utility.
“Software vulnerabilities in the software already installed are necessary to carry out a fileless attack, so the most important step in prevention is to patch and update not only the operating system, but software applications,” says Jon Heimerl, manager of the threat intelligence communications team at NTT Security. “Browser plugins are the most overlooked applications in the patch management process and the most targeted in fileless infections.”
Attacks using Microsoft Office macros can be thwarted by turning off the macro functionality. In fact, it’s off by default, says Tod Beardsley, engineering manager at Rapid7 LLC. Users have to specifically agree to enable the macros in order to open these infected documents. “Some percentage of people will still open it, especially if you’re spoofing someone already known to the victim,” he says.
The recent Equifax breach is also an example of a fileless attack, according to Satya Gupta, founder and CTO at Virsec Systems, Inc. It used a command injection vulnerability in Apache Struts, he says. “In this type of attack, a vulnerable application does not adequately validate users’ input, which may contain operating system commands,” he says. “As a result, these commands can get executed on the victim machine with the same privileges as those of the vulnerable application.”
“This mechanism totally blindsides any anti-malware solution that is not looking at the application’s execution path to determine if the application is not executing its natural code,” he adds. Patching would have prevented the breach, since a patch was released in March.
Earlier this year, a fileless attack infected more than 140 enterprises, including banks, telecoms, and government organizations in 40 countries. Kaspersky Labs found malicious PowerShell scripts stored in the registry on the affected organizations’ networks. According to Kaspersky, detection of this attack was only possible in RAM, on the network, and in the registry.
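As an added illustration of the two detection ideas above, the McAfee heuristic of Word spawning PowerShell and the registry-resident PowerShell scripts Kaspersky found, here is a small Python triage routine run over constructed Sysmon-style process-creation events. This is example code, not from the article or any vendor it quotes; the image paths, rule names, sample command lines and the base64 placeholder are all assumptions.

```python
"""Flag process-creation events that match the fileless-attack patterns discussed above:
an Office application spawning a script host, and PowerShell pulling its script body
out of the registry or running an encoded command. Constructed example, not vendor code."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell reading a value out of HKLM/HKCU (the registry-resident script pattern)
REGISTRY_LOAD = re.compile(r"\b(Get-ItemProperty|gp)\s+[\"']?HK(LM|CU)", re.IGNORECASE)
# PowerShell started with a base64-encoded command (common in macro droppers)
ENCODED_CMD = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


def analyze(event: ProcessEvent) -> list:
    """Return the names of the rules this event triggers (empty list if nothing fires)."""
    hits = []
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    child = event.image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    if child == "powershell.exe":
        if REGISTRY_LOAD.search(event.command_line):
            hits.append("powershell-loads-from-registry")
        if ENCODED_CMD.search(" " + event.command_line + " "):
            hits.append("powershell-encoded-command")
    return hits


# Constructed sample events (not real telemetry); paths and payloads are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", WORD, "WINWORD.EXE /n invoice.docx"),
    ProcessEvent(WORD, PS, "powershell.exe -w hidden -enc QQBCAEMA"),
    ProcessEvent(r"C:\Windows\System32\services.exe", PS,
                 'powershell.exe -NoP -c "iex (gp HKCU:\\Software\\Example).Payload"'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Process"),
]


def triage(events) -> list:
    """Return (process name, triggered rules) for every event that fired at least one rule."""
    return [(e.image.rsplit("\\", 1)[-1], analyze(e)) for e in events if analyze(e)]
```

Real deployments would feed this from endpoint telemetry (Sysmon event 1 or an EDR's process stream) rather than a hard-coded list, and tune the parent/child pairs to the environment.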
Another high-profile fileless attack, according to Carbon Black, was the hack of the Democratic National Committee. For attackers looking to stay undetected as long as possible, fileless attacks help them stay under the radar.
“We have observed a number of cyber espionage actors leveraging this technique in attempts to evade detection,” says FireEye’s Kittner. Recent attacks include those by Chinese and North Korean teams, she says.
A new commercial application of fileless attacks is to use infected machines to mine Bitcoin. “Crypto miners are trying to run miners loaded directly into memory, using EternalBlue to spread hundreds of thousands of miners throughout a company,” says Eldon Sprickerhoff, founder and chief security strategist at eSentire Inc.
The difficulty of mining Bitcoins has been increasing over time, much faster than the increase in the value of the virtual currency. Bitcoin miners have to buy specialized hardware and cover the electric bills, so it’s getting very difficult to make a profit. By hijacking corporate PCs and servers, they can eliminate both of those costs.
“If you can max out a huge multi-way CPU, it’s so much better than someone’s laptop,” he says. Sprickerhoff recommends that companies look for unusual CPU usage as a possible indicator that Bitcoin mining is going on.
Even behavioral analytics systems won’t be able to detect all fileless attacks, says Rapid7’s Beardsley. “You depend on noticing when unusual events start happening, like my user account gets compromised and I start connecting to a bunch of machines I haven’t been communicating with before,” he says.
It’s hard to catch these attacks before they trigger the alerts, or if they do something that the behavioral algorithms don’t watch out for. “If the adversary is putting in a lot of effort in being low and slow, it’s much harder to detect [the attack],” he says. “With the things we see, that could be selection bias — we only see the clumsy ones because that’s the ones that are easiest to see. If you’re super-stealthy, I’m not going to see it.”