Fileless malware is a form of cyberattack where the malicious software that enters your computer system resides within volatile storage components such as RAM. It is distinguished from traditional memory-resident malware that generally required access to your hard disk before it hid itself away in memory. Due to its ability to camouflage itself solely in a computer’s memory without writing any trace to a hard disk, it can then remain undetected by standard antivirus detection programs.
Memory-resident viruses have been with us since the 1980s when Fred Cohen demonstrated the Lehigh virus. However, this type of cyberattack is different to the relatively new form of threat called fileless malware, which only resides in RAM or other temporary storage components and does not write any data to the hard disk. One of the most famous variants of fileless malware was the Stuxnet virus that was used to infiltrate and significantly damage to Iran’s nuclear program.
Fortunately, most fileless malware will not survive a system reboot, so if there is any chance that you are infected, this stealth malware can be removed by simply switching off your device. Unfortunately, an enhanced attack surface appears on mobile cellphones that are not regularly rebooted.
Kaspersky Lab has identified over 140 enterprise networks across the globe in over 40 countries. Key target institutions are banks, government organizations, and communication service providers. Fileless malware often uses PowerShell scripts, which reside in the Windows registry, to implant their malicious payload. As PowerShell resides on every single Windows system, the attack surface for hackers using this protocol is virtually limitless. Other antivirus companies such as Symantec and Trend Micro have also identified fileless malware attacks as an increasing threat to governments and business.
Fileless malware infection is normally triggered through visits to malicious websites where targets click on selected links and download the fileless payloads. Another mechanism is through macro scripts initiated by users themselves such as those attached to Microsoft Word and Excel files. Social engineering plays a critical role in attracting marked targets to specific sites where the malware can be transferred smoothly and seamlessly.
In addition to alerting computer users to the increasing vulnerability from social media, there are other security measures that can be adopted by individuals and organizations alike. These include immediate patching of operating systems, disabling unnecessary macro functionality, and the monitoring of unusual network activity. Behavior analysis has become a more important aspect of network security, particularly with the growth of cloud, IoT, and remote computing. Such a multi-layer approach to network development means that network security must become smarter and more adaptable. We can all expect to see further security defenses such as biometric authentication and micro-data segmentation as part of our online experience. In addition, greater involvement and development of artificial intelligence approaches can also be expected.
Fileless malware is a growing threat to the security of hundreds of millions of computer users around the globe. It is stealthy, and insidious, and difficult to identify and destroy. But there are ways of tackling the threat ranging from simple measures such as avoiding suspicious websites or emails to the implementation of sophisticated heuristic computer analysis. One thing is for sure—we can expect to hear more about this camouflaged computer killer.
Read more about fileless malware in a special Allot Threat Bulletin Report: Fileless Malware—The Stealth Attacker.