With fileless attacks on the rise, there still remains a great deal of confusion around the use of the term “fileless” and what it actually means.
Let us clarify what constitutes a fileless attack by examining common myths and misunderstandings about them:
Myth #1: Fileless attacks never involve files
Perhaps the biggest point of contention and confusion surrounding fileless attacks is that they CAN and often do INVOLVE files, especially during the early initial infection stage. For example, an attack may begin with an employee tricked into opening a Word document they receive in a phishing email, and activating a macro or script embedded inside. That macro or script launches PowerShell, a legitimate framework built into Windows for automating system administration tasks. From there, the attacker uses PowerShell to execute malicious code directly in memory, making the attack from this point forward truly fileless.
Because attacks can have both fileless and file-based components, debating whether they’re truly 100% fileless from start to finish is useless. Terms like “fileless attack” and “fileless malware” are used interchangeably, but they simply imply that such an attack utilizes fileless tactics or techniques at one stage or another. That's it!
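The chain described above (Office document, macro, PowerShell in memory) leaves a file-free payload but a very visible process ancestry. The following is an added example, not code from the original post: it runs a parent/child check over a few constructed process-creation events written in a simplified Sysmon Event ID 1 key=value layout (the field names `Image`, `ParentImage` and `CommandLine` are Sysmon's; the pipe-delimited layout and the events themselves are assumptions made for this example).

```python
"""Flag Office applications spawning a script host (the macro -> PowerShell chain).

Added example, not code from the original post. Events are constructed in a
simplified Sysmon Event ID 1 layout; a real deployment would read them from
the Windows event log or a SIEM instead of the list below.
"""
from dataclasses import dataclass
from typing import Dict, List

# Office applications that should not normally spawn a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Script hosts and built-in binaries a macro typically launches.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample events (not real telemetry). Values contain no '|'.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|ParentImage=C:\Windows\explorer.exe|CommandLine=WINWORD.EXE invoice.docm",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe Get-Service",
    r"EventID=3|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=|DestinationIp=192.0.2.10",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|CommandLine=cmd.exe /c whoami",
]


@dataclass
class Finding:
    parent: str
    child: str
    command_line: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may contain '=', so split each part once."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_spawn(events: List[str]) -> List[Finding]:
    """Return one Finding per process-creation event where an Office app spawned a script host."""
    findings: List[Finding] = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # only process-creation events carry the ancestry
            continue
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append(Finding(parent, child, ev.get("CommandLine", ""),
                                    f"{parent} spawned {child}"))
    return findings


if __name__ == "__main__":
    for f in detect_office_spawn(SAMPLE_EVENTS):
        print(f"[ALERT] {f.reason}: {f.command_line}")
```

The third event (PowerShell started from Explorer by an administrator) is deliberately not flagged: the rule keys on the ancestry, not on PowerShell itself, which is what keeps it usable on hosts where PowerShell is legitimately used every day.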
Myth #2: Fileless attacks are a brand new threat
The reality is that many fileless techniques have been around for some time. In-memory exploits, for example, date back to the prolific 'Code Red' and 'SQL Slammer' worms of the early 2000s. Metasploit, the open source framework for developing and executing remote exploit code, was created in 2003. Mimikatz, a popular penetration testing tool for dumping credentials straight from memory, has been around since 2011. Both have been used to carry out attacks that actively AVOID writing malicious executable files to disk.
One of the reasons we’re seeing such GROWTH in fileless attacks now, however, is that most antivirus vendors have bolstered their file-scanning capabilities with advances in machine learning. In response, attackers are revisiting these pre-existing fileless tools and techniques and using them to bypass file-scanning security solutions altogether. A classic cat-and-mouse game!
Myth #3: Only APT and nation-state actors use fileless techniques
Many high-profile fileless attacks conducted in the past have involved sophisticated hacking groups (Stuxnet, Duqu, etc.), but now we’re also seeing fileless techniques being incorporated into a far wider variety of attacks, such as ransomware campaigns.
Tools and techniques developed by targeted attack groups have a tendency to find their way downstream. Pentesting frameworks like Metasploit have played a role in accelerating that process.
Leaks of tools from security vendors have also resulted in these tools becoming readily available for any would-be cyber criminal to use.
For example, on December 8, 2020, FireEye disclosed that it had been compromised by a highly sophisticated nation-state group, most likely Russian, that used novel techniques to exfiltrate its red team tools. As reported, a set of 300 red team tools that can weaponize more than a dozen of the most popular vulnerabilities is concerning, and the successful hack of a respected security organization such as FireEye demonstrates the difficulty of stopping determined and sophisticated attackers.
Whoever stole the tools has increased their offensive capability…
The easy, plug-and-play nature of many such exploits and attack frameworks means there’s really no sophisticated “hacking” required.
Myth #4: Only a small portion of attacks use fileless techniques
The truth is that the trend of fileless attacks is on the rise. According to the SANS 2017 Threat Landscape Survey, nearly one third of organizations experienced attacks that leveraged fileless techniques in the past 12 months.
It’s becoming especially common to see attacks abuse legitimate system tools like macros, PowerShell, and Windows Management Instrumentation (WMI) to achieve execution, persistence, and spread infections laterally across compromised organizations.
This approach — referred to by experts as “living off the land” — allows attackers to avoid raising red flags by blending in with other authorized system activities and administration. Instead of relying on software exploits or introducing malware onto a machine, they take advantage of the powerful functionality these tools already provide them, and hide their activities in plain sight.
Attackers know a winning strategy when they see one. According to some estimates, nearly four out of 10 successful attacks now involve PowerShell.
Myth #5: Fileless malware is very difficult if not impossible to detect
Genuine fileless malware attacks, which either run in memory or on the hardware itself, are indeed very challenging to detect, since no signature or file exists to check against. However, given that pure fileless attacks remain relatively sophisticated, they mostly represent an edge case. Since the bulk of fileless attacks do require some type of file or data to be written to disk at one or more stages of the attack, they can be effectively detected and remediated if you are using the right tools and know what to look for.
Advanced detection techniques such as sandboxing along with behavioural analysis can be highly effective in detecting the majority of hybrid fileless threats.
While true fileless attacks are the exception and not the rule, they do point to a growing trend of new adaptive techniques that threat actors are adopting to avoid detection and gain persistence. As the industry has improved its ability to detect malicious files, there’s little doubt that hackers will find creative ways to exploit legitimate system and network tools to their advantage.
-
Calling ‘fileless’ malware that uses documents or scripts is like calling ‘penniless’ somebody who has several credit cards but no coins in their wallet. Worse, probably…
It is more important to remember that, in the broadest sense, a fileless attack describes any technique that circumvents the need to download malicious executable files -- at one or more stages -- by leveraging exploits, macros, scripts, or legitimate system tools instead. Once a system is compromised, these attacks also abuse legitimate systems as well as root-level admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network.
Let us review the graphic given here…
The threats noted as Type II and Type III either require files to establish persistence or use files in some indirect manner. Interestingly, according to this broad definition, Microsoft doesn’t consider the registry itself to be a file, which is not technically correct, since the registry is stored in files. Consequently, it’s really only in the first tier of threats, which is often predicated on low-level access to a system’s hardware, that we see attacks that don’t require a file. Thus, in reality, the vast majority of so-called fileless attacks do rely on files either to deliver their malicious payload or to gain persistence across the various stages of the attack.
In summary, there are various techniques for carrying out fileless attacks. These include:
1. In-memory — By utilizing exploits and code injection techniques, attackers can load and execute malicious code directly in memory.
2. Script based — Scripts can be used as droppers in early attack stages and for a wide variety of post-exploitation activities.
3. Living off the Land — By abusing powerful legitimate system administration tools like PowerShell, Windows Management Instrumentation, PsExec, etc. that are built into Windows, attackers can carry out malicious activities without raising red flags.
4. Registry resident — Attackers can gain persistence on compromised machines by storing malicious scripts in the registry.
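Techniques 3 and 4 above (living off the land with PowerShell and similar hosts, and persisting via scripts stored in the registry) meet in the autorun keys: the attacker needs some launcher there, and that launcher is usually a script host with an encoded or hidden command line. The following is an added example, not code from the original post: a small triage routine over a constructed list of Run-key entries. The key paths are the standard Windows Run locations; the entry names, values and the indicator patterns are assumptions made for this example, and a real ruleset would be broader. It reads nothing from a live registry.

```python
"""Triage autorun registry entries for living-off-the-land launchers.

Added example, not code from the original post. The entries below are
constructed; a real deployment would feed this from an export of the
HKLM/HKCU ...\\CurrentVersion\\Run keys (or an Autoruns/Sysmon feed).
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe")

# Simplified indicator patterns (assumptions for this example).
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
INVOKE_RE = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|get-itemproperty)\b")
USER_PATH_RE = re.compile(r"(?i)\\(?:users\\[^\\]+\\|temp\\|appdata\\)")

# Constructed sample: the "script" is a placeholder, encoded the way
# -EncodedCommand expects it (base64 over UTF-16LE), generated here so the
# example never hard-codes a hand-made blob.
_DEMO_SCRIPT = "IEX (Get-ItemProperty 'HKCU:\\Software\\Demo').Script"
_DEMO_ENCODED = base64.b64encode(_DEMO_SCRIPT.encode("utf-16-le")).decode("ascii")
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUNS: List[Tuple[str, str, str]] = [
    (HKCU_RUN, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (HKCU_RUN, "Updater", f"powershell.exe -NoP -W Hidden -enc {_DEMO_ENCODED}"),
    (HKLM_RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (HKCU_RUN, "Sync", r"wscript.exe //B C:\Users\Public\sync.vbs"),
]


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage_entry(key: str, name: str, data: str) -> Dict[str, object]:
    """Score one autorun value; score 0 means nothing of interest was seen."""
    lowered = data.lower()
    host = next((h for h in SCRIPT_HOSTS if h in lowered), None)
    decoded = decode_encoded_command(data)
    reasons: List[str] = []
    if host:  # indicators below only matter when a script host is the launcher
        reasons.append(f"launches script host {host}")
        if HIDDEN_RE.search(data):
            reasons.append("hidden window requested")
        if decoded is not None:
            reasons.append("encoded command present (decoded for review)")
        if INVOKE_RE.search(data) or (decoded is not None and INVOKE_RE.search(decoded)):
            reasons.append("dynamic evaluation / registry read in command")
        if USER_PATH_RE.search(data):
            reasons.append("script loaded from user-writable path")
    return {"key": key, "name": name, "data": data, "decoded": decoded,
            "score": len(reasons), "reasons": reasons}


def triage_autoruns(entries: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Triage every entry and return the suspicious ones, highest score first."""
    findings = [triage_entry(*e) for e in entries]
    return sorted((f for f in findings if f["score"] > 0),
                  key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"[{f['score']}] {f['key']}\\{f['name']}: {', '.join(f['reasons'])}")
        if f["decoded"]:
            print(f"    decoded: {f['decoded']}")
```

Decoding the `-EncodedCommand` blob is the step that matters: the raw value shows only base64, while the decoded text exposes the registry read and the `IEX` that make the entry a registry-resident loader rather than an ordinary startup item. Benign entries such as OneDrive, which also lives under a user profile path, are left alone because the path check only applies when a script host is the launcher.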
Please let me know what you think about this in the comment section. You can also share with others if the information here helps you in some manner.
Kindly write your comments on the posts or topics, because when you do, you help me greatly in designing new quality articles/posts on cybersecurity.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are impressed by the quality of her posts there.