
Security Think Tank: Aim to detect and contain fileless malware attacks quickly

What should organisations do at the very least to ensure business computers are protected from fileless malware?

Fileless malware is a form of malware that resides solely in memory and leaves little or no evidence on the hard disk. A truly fileless attack could be an exploit on a website using Java vulnerabilities to download code into memory and execute it through the browser’s own process. The malware then continues to run in memory after the browser is closed, setting up command and control channels and downloading and running other payloads in memory.

This malware would be ephemeral, not surviving a reboot, but would be around long enough to mount a ransomware attack, and could also persist on mobile devices that are not powered down regularly. 

To increase persistence for more sophisticated attacks, attackers are now utilising built-in scripting, service management and other tools to download malware directly into memory following a reboot. The use of only legitimate tools ensures that no evidence is left on the hard disk, or other storage media, making it impossible to detect using traditional antivirus systems. 

Forerunners to this have been around since at least 2012, but these used a simple downloader for persistence and then downloaded and ran the malicious code in memory. Although there was still no malicious code to detect on disk, there was at least a downloader. These were very sophisticated attacks at the time, but exploit kits such as Angler now make fully fileless attacks available even to low-skilled attackers. 

These attacks leave nothing that a standard antivirus system would detect, but there are still measures that can be taken to protect against this form of malware and to detect its activity, both on the host machine and through network monitoring. Prevention is always better than cure, so good housekeeping, such as patching and blocking malicious sites, is always the first step. Lateral transfer should also be countered by blocking connections by administrative tools from unauthorised hosts.

In terms of active detection, fileless malware needs to make the same command and control connections as other malware. Even an ephemeral ransomware attack will need to make contact to transfer an encryption key and other information. Network monitoring can detect suspicious traffic of this kind and connection attempts to known bad sites can be flagged up or blocked. 


For hosts, although signature-based antivirus systems are ineffective, most modern antivirus suites incorporate one or more behavioural or heuristic detection measures. These can detect malicious events and behaviours, alerting the user to the presence of malware even if it is memory resident. Where PowerShell or other scripts are launched as a service, this can also be detected by monitoring services and scanning registry entries.
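
The service check described above can be sketched as follows. This is an added example, not code from the article: it reviews service `ImagePath` values (as stored under `HKLM\SYSTEM\CurrentControlSet\Services`) for script hosts used as the service command. The host list, the command-line traits and the sample services are assumptions constructed for illustration.

```python
import re

# Built-in interpreters and script hosts: legitimate tools, but unusual as a
# service command. The list is an assumption for this example, not exhaustive.
HOSTS = re.compile(
    r"(?<![\w.-])(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)"
    r"(?:\.exe)?(?![\w.\\-])|%comspec%", re.I)

# Command-line traits that make a finding more urgent (assumed heuristics).
TRAITS = {
    "encoded command": re.compile(r"\s[-/](?:e|ec|enc\w*)\s", re.I),
    "hidden window": re.compile(r"\s[-/]w\w*\s+hidden\b", re.I),
    "remote URL": re.compile(r"https?://", re.I),
}

def assess(image_path):
    """Return the reasons an ImagePath value deserves review (empty list = none)."""
    reasons = []
    # %COMSPEC% expands to cmd.exe, so it is reported as "cmd".
    hosts = sorted({(m.group(1) or "cmd").lower() for m in HOSTS.finditer(image_path)})
    if hosts:
        reasons.append("script host as service command: " + ", ".join(hosts))
        padded = " " + image_path + " "  # lets the \s anchors match at both ends
        reasons += [name for name, rx in TRAITS.items() if rx.search(padded)]
    return reasons

def triage(services):
    """Map service name -> reasons, keeping only services with a finding."""
    return {name: r for name, path in services.items() if (r := assess(path))}

# Constructed sample (service name -> ImagePath); not real observations.
SAMPLE = {
    "Dnscache": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p",
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "PwshDocs": r'"C:\Program Files\PowerShell\7\docs-helper.exe" --serve',
    "UpdaterSvc": r"%COMSPEC% /c powershell.exe -w hidden -enc <BASE64-PLACEHOLDER>",
    "HelperSvc": r"C:\Windows\System32\wscript.exe C:\ProgramData\helper.js",
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A finding here is a prompt for review rather than a verdict, since some legitimate software registers script-based services.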

Because of the lack of evidence on the hard disk, cleaning up an attack using memory resident malware can be more problematic. If it is truly ephemeral, simply rebooting can work for the individual host, but you still need to keep monitoring to ensure it is gone. Memory analysis tools – available to most incident and forensic responders – can be useful to detect and analyse the malware, and inform the remediation plan. 

In summary, prevention of these attacks is largely through standard housekeeping. Detection is more difficult, but can be addressed using standard host and network security tools. The bigger problem is response, due to the lack of evidence available about the attack, such as what exactly has been done, or taken. Attribution can also be more difficult when there is no malware to analyse. None of this is impossible, but it is more time-consuming and complex, so it is always best to try to stop or contain these attacks as early as possible.
