What is "Fileless" Malware & How Can We Stop It?

system monitoring and cybersecurity best practices. But what happens if there is no file? How does a malicious attack get caught? That’s the thought behind fileless attacks which don’t use a file at all and thus can get past several types of file-based protections. During the first half of 2019, fileless malware attacks grew 256%. The reason fileless malware is on the rise is because it's effective at bypassing standard safeguards. It exploits legitimate system programs that can impact a device in a number of ways, such as interacting with different programs. If you don’t include protections against these fileless attacks in your cybersecurity strategy, then you leave yourself at risk of a data breach, ransomware infection, and more.

Fileless Malware Explained Fileless malware uses commands, rather than malware-laden files, to take advantage of legitimate system programs, such as Windows PowerShell. It’s difficult to detect or remove because it doesn’t leave a footprint like other types of malware does. This makes it particularly dangerous, and the use of fileless attacks are 10X more likely to breach a system than file-based attacks. How do fileless attacks leave no footprint? They operate in the memory of a system, rather than on the hard drive. When accessing a powerful task automation tool like Windows PowerShell, fileless malware can abuse the features to gain access to multiple areas of the Windows operating system and execute system and application functions. This allows the attack to do things like:

1. Open the door for a hacker to access a system resource

2. Plant a file-based malware into a specific area of Windows

3. Execute malicious commands that destroy or steal data

4. Spread dangerous code throughout a computer network One famous fileless attack was the Equifax data breach in 2017 that exposed the personal data of millions of users. Using a fileless attack, the hackers exploited an unpatched vulnerability to execute nefarious commands in the system.
   

How Do You Protect Against Fileless Attacks? You can’t use the standard practices that are used to detect malware files on devices and in emails to catch fileless malware. Since this type of attack is very stealthy and difficult to find, you need to use a layered approach that spreads out a net in a variety of ways.

Behavior Monitoring Using advanced threat protection programs that don’t just look for malicious files but look for suspicious system behavior can help detect fileless malware in a system. These types of programs can catch memory-based attacks by looking for any suspicious commands given to other Windows programs or system interactions that are known to be dangerous.

Look for Access Rights Changes One of the tricks that fileless malware uses is to escalate user access rights. This allows a hacker to gain entry to high-level system processes that they normally wouldn’t be able to get into. Setting up systems that provide an alert when access rights are being changed can help raise a red flag that a malicious attack has made its way into the WindowsPowershell.

Application Whitelisting Application whitelisting is the practice of setting up a list of specific users or groups of users that are allowed to run specific system processes. Any user not on the “approved” list is disabled from executing commands on the system for the designated processes. This can help stop fileless attacks because you don’t have to know what user to block, instead, all users except those specifically given permission are blocked by default.

Application Ringfencing Another tactic that goes hand-in-hand with whitelisting is application ringfencing. With ringfencing, you tell applications how they are able to interact with each other and set up specific security policies. So, you might say that a specific application can’t give a command to another that would execute a malware file, which would reduce the capabilities a hacker would have once they unleashed a fileless attack into the system.

Disable Command Programs that Aren’t Needed Not every computer in your office may need to use a command program like Windows PowerShell or something like .NET framework. It’s a good idea to disable Windows programs that aren’t specifically needed to reduce the attack modes that a hacker can use.

Is Your Office Network Safe from a Fileless Attack? Cybersecurity is an ongoing process, which is why you should get an IT security audit regularly. Need help securing your network from fileless attacks? Texas I.T. Pros has your back! Contact us today to schedule a security consultation! Call 940-239-6500 or reach out online.