As a senior executive for a malware analysis and detection provider, I get asked one particular question quite often: “can your solution protect against fileless malware?” It’s a confounding question in many respects and one that requires some amount of clarification as to what types of threats they consider to be fileless? By the strictest definition of a true fileless attack, no actual files are utilised as part of the attack. However, the vast majority of attacks that are labelled as ‘fileless’ do rely on files at some key steps in the infection cycle.
In the broadest sense, a fileless attack describes any technique that circumvents the need to download malicious, executable files -- at one or more stages -- by manipulating exploits, macros, scripts, or legitimate system tools instead. Once compromised, these attacks also abuse legitimate systems as well as root-level admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network.
As @VessOnSecurity noted on Twitter earlier this month: “Calling ‘fileless’ malware that uses documents or scripts is like calling ‘penniless’ somebody who has several credit cards but no coins in their wallet. Worse, probably.”
It’s important to convey that this distinction is more than just splitting semantical hairs. Because the term fileless has been misapplied and misunderstood to such a degree, there remains a great deal of confusion and unnecessary distraction among security leaders about how to best prepare and mitigate these types of threats.
What follows are four of the most prevalent myths surrounding fileless attacks and a brief explanation as to why they are largely unfounded.
The 4 most common fileless myths
- Myth 1: A fileless attack and fileless malware are basically the same thing
It’s easy to see why people conflate a fileless attack with fileless malware. While a variety of techniques are labeled as “fileless”, it doesn't mean the malware or an entire attack won’t rely on executable files at some stage. For example, a malicious website could include components of a fileless attack – rather than clicking on a link and it downloading the payload to your hard drive, the website could take advantage of a browser exploit to run code in your computer’s memory without ever dropping a file on disk.
Moving forward, we're likely going to see a similar trend for conventional attacks, be they phishing campaigns, e-mail spoofs, or Man in the Middles (MiTM), where some element of the attack vector includes malicious code that leverages a fileless technique such as running in memory or Living Off the Land Binaries (LOLBins) abusing trusted admin tools such as PowerShell or WMIC to essentially hide in plain sight.
- Myth 2: Fileless attacks never involve files
Microsoft recently published a very broad and somewhat controversial taxonomy of fileless threats which organises the existing universe of these threats into three broad categories:
As demonstrated in the above graphic, the threats noted as Type II and Type III either require files to establish persistence or use files in some indirect manner. Interestingly, according to this broad definition, Microsoft doesn’t consider the registry itself to be a file which is not technically correct since the registry is stored in files. Consequently, it’s really only in this first tier of threats which is often predicated on low-level access to a system’s hardware that we see attacks that don’t require a file. Thus in reality, the vast majority of so-called fileless attacks do rely on files to either deliver their malicious payload and gain persistence across the various stages of a fileless attack.
- Myth 3: Fileless malware is a growing and pervasive threat
Fileless attacks are hardly a new or emerging threat. In fact, they’ve been around for decades, with virus authors using similar techniques dating back to the 1990’s. However, if you regularly scan security news headlines, you would likely be forgiven for thinking that fileless threats are the next big thing on the threat landscape. Look no further than this August 2019 TrendMicro press release promoting their latest research report (“Evasive Threats, Pervasive Effects” which highlighted a “265 per cent Growth in Fileless Events” front and centre in the headline of their announcement. Since the researchers of this particular survey don’t distinguish between true and partial fileless attacks, it’s hard to make a substantiated declaration as to whether a significant uptick in true fileless attacks are really being perpetrated or if more likely, attackers are becoming more adept at selectively applying fileless techniques.
- Myth 4: Fileless malware is very difficult if not impossible to detect
Genuine fileless malware attacks which either run in-memory or on the hardware itself are indeed very challenging to detect since no signature or file exists to check against. However, given that pure fileless attacks remain relatively sophisticated they mostly represent an edge case. Since the bulk of fileless attacks do require some type of file or data being written to disk at one or more stages of an attack, they can be effectively detected and remediated if you are using the right tools and know what to look for.
Advanced detection techniques such as sandboxing along with behavioural analysis can be highly effective in detecting the majority of hybrid fileless threats.
While true fileless attacks are the exception and not the rule, they do point to a growing trend of new adaptive techniques that threat actors are adopting to avoid detection and gain persistence. As the industry has improved its ability to detect malicious files, there’s little doubt that hackers will find creative ways to exploit legitimate system and network tools to their advantage.
Chad Loeven, President, VMRay