Only in Memory: Fileless Malware – An Elusive TTP

Industry data reveals substantial growth in cyber threat actors' (CTAs’) usage of fileless malware and Living off the Land (LotL) techniques over the last few years. 

  • By the end of 2021, WatchGuard's endpoint tools had “already detected about 80 percent of the fileless or living off the land attacks that [they] saw for all of 2020.”
  • Figure 1 shows Symantec’s data from 2019 and 2020, which reveals a notable spike in CTAs’ malicious use of legitimate tools during that period.
  • Figure 2 shows how instances of fileless malware and LotL usage are rising in enterprise environments, as the Ponemon Institute learned from surveying IT professionals responsible for managing endpoint risk.

Figure 1: Data from 2019-2020 depicting malicious use of legitimate tools. (Source: Symantec)


Figure 2: Forecast based on the Ponemon Institute’s annual 2020 Study on the State of Endpoint Security Risk survey. (Source: Morphisec)


What is Fileless Malware?

Fileless malware is malicious software that executes in memory, as opposed to traditional malware which writes to disk using malicious executables. After infection, CTAs deploying fileless malware usually leverage legitimate system and admin tools like Windows PowerShell and Windows Management Instrumentation (WMI) to attain persistence by LotL. Once CTAs establish a foothold in the victim’s environment, they can then escalate privileges and move laterally across the network (see Figure 3). Common fileless malware variants include DarkWatchman, Panda Stealer, BitRAT, and AveMariaRAT.

Figure 3: Fileless malware attack chain with examples


Fileless malware runs in memory and leverages trusted tools, so it often appears benign to signature-based antivirus and intrusion detection systems. This allows it to operate undetected, maintain persistence, and leave victim organizations without the proper tooling effectively blind to an ongoing intrusion. Indeed, organizations’ heavy reliance on signature-based tools to defend their networks is likely a significant driver motivating CTAs to attack networks with fileless malware.

Defending Against Fileless Malware

According to the analysis of the Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC), CTAs will continue to compromise organizations at an increasing rate in spite of broader organizational defense-in-depth deployment. In fact, their assessment suggests that fileless malware and LotL will rise to 50% of total attacks against enterprise environments in 2022, thereby matching the frequency of file-based attacks for the first time. (This trend could result from CTAs’ adoption of fileless malware outpacing organizations’ defensive implementations.)

Organizations will put themselves in a significantly better posture against fileless malware by prioritizing the following without delay:

  • Defense-in-depth: An effective cyber defense against fileless malware would leverage a defense-in-depth strategy that layers essential best practices and tools such as actively maintained firewalls, intrusion detection and prevention systems (IDS/IPS), endpoint security services (ESS), network segmentation, network and system baselining, the principle of least privilege, log management, strong password requirements, and timely patching.
    • CIS Endpoint Security Services (ESS): Provided by the Center for Internet Security (CIS), this service analyzes endpoint data for suspicious patterns, including those of fileless malware and LotL techniques. It then alerts on or blocks anomalous activity depending on the nature of the threat.
    • CIS Critical Security Controls (CIS Controls): A prioritized and recommended set of actions for cyber defense, the CIS Controls provide specific and actionable ways to protect against the most pervasive and dangerous attacks.

Other important defenses specific to fileless malware combine the Antimalware Scan Interface (AMSI), behavior monitoring, and memory scanning at the endpoint with restricting PowerShell to signed scripts only, limiting PowerShell and WMI to specific workstations, allowing macros only for the specific accounts that need them, and boot sector protection.
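As an added example, not code from the CIS article or MS-ISAC, the following PowerShell applies two of the controls above on a Windows host (a signed-scripts-only execution policy plus script block and module logging) and then audits the resulting script block log for strings typical of memory-only loaders. The function names are my own, and the marker list is an assumption to be tuned per environment.

```powershell
# Added example (not from the article): harden PowerShell on a Windows host against
# in-memory script execution, then audit what has already run. Run from an elevated session.

function Set-PowerShellHardening {
    # Only scripts signed by a trusted publisher may run, machine-wide.
    # Execution policy curbs accidental execution; it is not a security boundary on its own.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

    # Script block logging (event 4104) records the de-obfuscated text of every script block,
    # which is exactly what fileless tradecraft otherwise keeps off disk.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging captures pipeline activity for every module ("*").
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String
}

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500)
    # Assumed marker list: strings commonly seen in memory-only PowerShell loaders.
    # Tune for your environment; legitimate admin tooling can trigger some of these.
    $markers = 'EncodedCommand', 'FromBase64String', 'Invoke-Expression', 'IEX',
               'DownloadString', 'Reflection.Assembly', 'VirtualAlloc'
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For event 4104 the script text is the third property (index 2).
            $text = [string]$_.Properties[2].Value
            $hits = $markers | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Markers = ($hits -join ',')
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Set-PowerShellHardening
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Forward the 4104 events to central log management so the audit is not limited to the local host, and pair the policy with AMSI-aware endpoint protection, since a policy alone does not inspect script content.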

Additional Protection for SLTTs

When it comes to fighting against fileless malware, U.S. State, Local, Tribal, and Territorial (SLTT) government entities need all the help they can get. Fortunately, these organizations can find ample support by joining the MS-ISAC. As members, they'll receive access to regular threat alerts and briefings that explore the threat landscape, including fileless malware's evolution. They'll also join our indicator sharing program that ingests/blocks malicious indicators in real time. This intelligence, as well as MS-ISAC's other resources, will help SLTTs protect themselves against fileless malware going forward.