You’ve installed all the latest antivirus programs and firewalls for your SMB clients, and their networks are safe and sound. When things are working well, a calm status quo makes everyone happy. Unfortunately, a placid surface doesn’t necessarily mean there’s not something lurking beneath, and part of your job is to be on alert constantly.
Brady S. Morgan is a recent graduate of Purdue University’s computer and information technology program, and while he was taking a course entitled “Cyber Forensics of Malware” he became interested in an often overlooked phenomenon, one of those “lurking beneath the surface” trouble-makers: fileless malware.
Morgan presented his research about the phenomenon in a display at Purdue’s 2017 annual Center for Education and Research in Information Assurance and Security (CERIAS) symposium and recently explained to SmarterMSP why the problem of fileless malware is growing.
“The reason fileless malware is such a threat is that it is harder to detect than more conventional forms of malware while still being capable of delivering devastating payloads. This is because it doesn’t leave files on the drive; it operates and persists through the execution of shellcode, the manipulation of running processes, and a series of registry changes,” Morgan says.
Fileless malware versus traditional malware
To better understand this growing threat, SmarterMSP turned to Justin Sleight, an IT Systems Integration Analyst in Boise, Idaho who has written about and studied fileless malware.
“Fileless malware differs from traditional malware in that it is not saved to a disk and then executed,” Sleight says. And that’s bad news: it means that traditional off-the-shelf antivirus programs are ineffective against this type of attack (and cybercriminals know it).
“Instead, the malware will try several methods of executing within the memory of the target system. The state of the malware, usually until the point of privilege escalation, is strictly memory-resident,” Sleight says.
This attack will often arrive via a delivery method such as an infected website with a malicious Flash-based exploit, or even through a PDF or Microsoft Office document vulnerability that opens only within the confines of the browser, Sleight explains.
Moreover, the fact that it is a browser-based attack is what makes it such a threat, because everyone uses browsers. Fileless malware simply needs to execute once a malicious site is visited, which can come in the form of a link in an email, or through a rogue advertising network. And, to be non-technical, that is a big “yikes.”
How to keep your SMBs safe from fileless malware
So, what can your MSP do to keep your SMBs safe? Fortunately, according to Sleight, several steps can be taken:
– Simple changes can be made to Group Policy for domain-connected clients, such as preventing and restricting PowerShell execution, and limiting the use of Windows Management Instrumentation (WMI). Both are common paths and tools used by fileless malware to execute privilege escalation within the operating system.
– Make sure your clients are utilizing behavior-based antivirus scanners and ensure that in-memory scanning is enabled for all clients.
– A virtual threat execution enclave can assist in providing valuable insight into how malware will act in relation to memory, disk access, and possible privilege escalation attempts before the malware reaches a client.
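One way to verify the first of these steps on a client, as an added example that is not from the article or from Sleight: a Windows PowerShell script that reads the Group Policy registry values behind PowerShell execution restriction and logging, then lists permanent WMI event subscriptions for review. The registry paths are Microsoft’s policy keys; the expected values (AllSigned, logging enabled) and the script itself are this example’s assumptions.

```powershell
# Added example, not from the article: audit the Group Policy registry values that
# harden PowerShell on a client, then list permanent WMI event subscriptions.
# Assumes Windows PowerShell 5.1 in an elevated session. The policy paths are the
# registry equivalents of Computer Configuration > Administrative Templates >
# Windows Components > Windows PowerShell; the expected values are this example's choice.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

$checks = @(
    @{ Name = 'Execution policy (AllSigned)'; Key = $psPolicy;                      Value = 'ExecutionPolicy';          Expected = 'AllSigned' },
    @{ Name = 'Script block logging';         Key = "$psPolicy\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging'; Expected = 1 },
    @{ Name = 'Module logging';               Key = "$psPolicy\ModuleLogging";      Value = 'EnableModuleLogging';      Expected = 1 },
    @{ Name = 'Transcription';                Key = "$psPolicy\Transcription";      Value = 'EnableTranscripting';      Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # A missing key or value means the policy was never applied to this client.
    $actual = (Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    [pscustomobject]@{
        Setting  = $Check.Name
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ("$actual" -eq "$($Check.Expected)") { 'OK' } else { 'REVIEW' }
    }
}

$checks | ForEach-Object { Test-PolicyValue -Check $_ } | Format-Table -AutoSize

# Permanent WMI event subscriptions run a consumer whenever a filter's WQL query
# fires, survive reboots, and need no file on disk. A clean client normally has
# none beyond those created by known management software, so explain every binding.
$ns = 'root\subscription'
$filters   = @{}; Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
$consumers = @{}; Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding
if (-not $bindings) { Write-Host 'No permanent WMI event subscriptions found.' }
foreach ($b in $bindings) {
    # Filter/Consumer hold WMI object paths such as __EventFilter.Name="x";
    # the instance name sits between the first pair of quotes.
    $f = $filters[($b.Filter -split '"')[1]]
    $c = $consumers[($b.Consumer -split '"')[1]]
    [pscustomobject]@{
        Filter       = $f.Name
        Query        = $f.Query
        Consumer     = $c.Name
        ConsumerType = $c.__CLASS
    }
}
```

Run it from the management tooling after a Group Policy refresh; any REVIEW row or unexplained binding is a client to follow up on.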
Sleight says these prevention techniques should work in concert with an already robust endpoint security framework that includes ad-blocking, disk scanning, and other fundamental measures. Some experts say that warding off in-memory attacks needs to happen not at the user level but in the kernel; protection at both levels would be optimal.
“Protecting against any sort of malware is a multi-step and multi-level process,” Sleight says. An example of multi-level protection would be running a behavior-analysis-based malware-scanning engine as part of an AV solution, together with traditional network protection techniques such as timely patching.
“Kernel-level protection is important, and we are starting to see the possibility of kernel-level protection and detection being put into place within the Windows Defender (Exploit Guard) product framework this year,” Sleight says. “An in-memory attack is something that any SMB could experience.”
Any SMB or enterprise organization could find itself the victim of such an attack. Windows systems stand to be especially vulnerable because of their integration of PowerShell and WMI. In-memory malware on Linux can also use attack vectors such as Flash vulnerabilities to load this type of malware, Sleight explains.
In-memory attacks are going to keep increasing
Some cringe at the term “fileless malware” because it’s not entirely accurate. Sleight offers the term “in-memory attack” as an alternative. Whatever you want to call it, experts believe that these in-memory attacks are simply going to increase.
“The future of the business PC will only become more reliant on the web browser as a central focus of application delivery to the endpoint and client. Fileless malware will most likely use the browser as an increasingly widening attack surface as users spend more and more time in a browser instead of a native or local application,” Sleight says.
That is an assessment that Purdue graduate Morgan agrees with. “I would definitely expect the threat of fileless malware to grow in the coming years as it becomes more common and the attack adapts to any detection methods that arrive. It’s already a versatile form of malware, and I wouldn’t expect that to change.”