Without a Trace: The Dangers of Fileless Malware

Every day, wars are being waged on invisible battlefields. The enemy is hiding and stealthily leveling its attacks from within.

This formidable foe isn’t an opposing army. It may very well be a single malicious actor, or a state-sponsored group of hackers. Without a trace of their tools left on the disk, hackers are storing the code in memory–resulting in infamous Fileless Malware. The most common ways attackers achieve this is by 1) loading the payload from disk into memory, then removing the file from disk, or 2) injecting the code directly to memory of an existing process. If successful, the spoils of their attacks include sensitive data and business intelligence that has potentially been collected and stored over a long period of time.

The outcome? A best case scenario is a tarnished reputation; the worst, significant (and potentially irreparable) damage to a brand and its business. Attacks like these can cripple an organization without its security team ever knowing it.

Organic searches for the term ‘fileless malware’ spiked on Google earlier this year, and continue to rise. (This Google trend was initially reported on Lenny Zeltser’s Blog.)

The main issue is that hackers are able to easily elude standard detection tools when lurking within an organization’s memory. Accordingly, the process that companies must undertake to defend themselves accordingly (detection, investigation, and finally, remediation), is often an arduous and costly one.

Yet in investigating any attack, accurate attribution is key. Security teams must find out who entered the system, where they gained access, and what exactly has been compromised as a result.

It’s Although a standard system reboot would wipe an organization’s entire memory–including any Fileless Malware–the servers of large organizations such as banks, healthcare and insurance companies and industrial networks are so infrequently restarted that this remains a worthwhile approach for hackers.

Here are a few chilling industry examples:

• Instructions to illegally withdraw $951 million from Bangladesh Bank were issued through the SWIFT network.You’ve likely heard about this particular heist, which resulted in $80 million being actually stolen from the bank–and the attackers had only changed two bytes within the bank’s system memory. It was discovered thanks to a spelling mistake made by the hackers on the online bank transfer instructions, not by any cyber security tool.
• Another recent example of Fileless Malware comes from the ransomware field. Researchers have discovered a new fileless ransomware called Sorebrect, which injects malicious code into a legitimate system process on a targeted system and then self-destructs from the disk in order to evade detection–remaining only in an organization’s memory.
• Consider an ATM attack that took place in Russia. In a single night, hackers were able to steal $800,000 from an unassuming bank using a Fileless Malware that resided solely in the memory of its infected ATMs. The attacker’s assumption here was that ATMs’ RAM are not being checked and that certainly the ATM network won’t be rebooted, in order for the bank to avoid service disruption for its customers.

Memory, of course, isn’t readily accessible in the way that files on disk are; code stored within the memory must be dumped so that it can be examined. Memory forensics tools like Volatility and Rekall can help with analyzing memory and dumping the executed code from it. The bad news is that these kinds of memory forensics tools are known to hackers, who have become adept at developing malware capable of avoiding detection. Since these tools are typically also open source, hackers have an unfair advantage in that they can easily discover precisely what they’ll need to evade detection. Those frameworks require lots of time and attention from top experts in order to put their hands on the suspicious fileless code.

Even if a security team is able to acquire the code from memory, it’s still extremely hard to investigate it. The most common investigation tools are useless when dealing with code from memory. When code is loaded to memory from a file, it changes in order to be executed; in other cases, it’s injected directly into memory. In both cases, those code dumps can’t be investigated with the common malware analysis tools out there. Sandboxes and other behavior analysis products are completely useless since there’s nothing to execute, and hash-based threat intelligence, file reputation and IoCs databases can’t be used since the file’s hash changes in memory.

With a million new malware samples emerging daily–and increasingly more advanced and sophisticated attacks–the threat is real. The requisite response is equally intricate. Security teams must regain the element of surprise.

It may not be quite as impossible as it seems. At Intezer, it’s our mission to help organizations combat these threats. It’s why we’ve built technology to dissect such threats down to the gene level, uncovering problematic code that otherwise would remain hidden in memory. When it comes to fileless malware, we’re dedicated to giving security teams the upper hand.

About Intezer:

Intezer has developed novel technology in the form of two disruptive cyber security products: Intezer Analyze™ and Intezer Immune™ – the only solutions to apply biological immune system concepts to cyber security. Through its ‘DNA mapping’ approach to code, Intezer provides enterprises with unparalleled threat detection that accelerates incident response and eliminates false positives, while protecting against fileless malware, APTs, code tampering and vulnerable software.

Research Team

For A Stronger Cyber Immune System