Fileless Malware: Invisible, Unattributable — and Now Mainstream
By BUFFERZONE Team, 25/04/2017
For decades, cyber criminals around the world have specialized in staying out of sight. Indeed, savvy hackers are spending more than 200 days inside a breached system before discovery — and most of them are flushed out by third parties. However, there is an emerging scourge on the cyber threat landscape that is taking this disappearing act to a more worrisome level: fileless malware.
How Fileless Malware Works
As the ominous term suggests, fileless malware does not rely on files on disk to breach endpoints or networks. Instead, the infection is carried out in RAM, which makes the attack hard to detect with traditional antimalware and antivirus products that scan files. There are different ways malware can hide:
• Memory-resident malware, which loads code into the memory space of a legitimate Windows process and remains in memory only, never being written to disk.
• Rootkits, which typically reside in the kernel, run with administrator privileges and conceal their presence from users and security tools. A file does exist on the disk, but the rootkit hides it, so this type of malware is difficult to detect and remove and persists regardless of scans or reboots.
• Windows registry-based attacks, which breach an endpoint through a static binary, often an email attachment. Once opened, the malware implants code into the Windows registry and then deletes itself from disk to avoid detection.
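The registry-based variant described in the last bullet leaves a recoverable trace: an autorun value whose data is an encoded or hidden-window script command, or a blob of code, rather than a path to a program on disk. The following triage script is an added illustration for defenders, not part of the original post and not BUFFERZONE's code; it assumes the Run-key values have already been exported from an endpoint, and all registry entries in it are constructed samples rather than data from a live system.

```python
"""Heuristic triage of Windows Run-key autorun values for signs of
registry-resident (fileless) persistence: the value launches a script
interpreter with an encoded or hidden command, or the value data itself is
a large base64 blob rather than a path to a program on disk.

Every registry entry below is constructed for this example; nothing is read
from a live machine.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AutorunEntry:
    key: str    # registry key path, e.g. HKCU\...\CurrentVersion\Run
    name: str   # value name
    data: str   # value data: the command line that runs at logon


# Built-in interpreters that accept code inline on the command line.
INLINE_INTERPRETERS = ("powershell", "pwsh", "mshta", "wscript", "cscript")
# PowerShell -EncodedCommand and its short forms (-e, -ec, -enc).
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
# PowerShell -WindowStyle Hidden and its short form (-w hidden).
HIDDEN_FLAG = re.compile(r"-(?:w|windowstyle)\s+hidden", re.IGNORECASE)
# A run of 64+ base64 characters: far longer than any normal autorun argument.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_encoded_command(data: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE text).

    Returns None when the value holds no blob or the blob is not valid
    base64/UTF-16LE, so analysts can still triage values that merely look
    encoded.
    """
    m = BASE64_BLOB.search(data)
    if not m:
        return None
    blob = m.group(0)
    blob += "=" * (-len(blob) % 4)  # restore padding if the value had it stripped
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_entry(entry: AutorunEntry) -> List[str]:
    """Return the reasons this autorun value looks fileless; empty means clean."""
    lowered = entry.data.lower()
    uses_interpreter = any(name in lowered for name in INLINE_INTERPRETERS)
    reasons = []
    if uses_interpreter and ENCODED_FLAG.search(entry.data):
        reasons.append("script interpreter launched with an encoded command")
    if uses_interpreter and HIDDEN_FLAG.search(entry.data):
        reasons.append("script interpreter launched with a hidden window")
    if BASE64_BLOB.search(entry.data):
        reasons.append("value data holds a large base64 blob instead of a file path")
    return reasons


def find_suspicious_autoruns(entries: List[AutorunEntry]) -> List[Tuple[AutorunEntry, List[str]]]:
    """Keep only the entries that triage_entry() flags, paired with their reasons."""
    flagged = []
    for entry in entries:
        reasons = triage_entry(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


# --- constructed sample data (hypothetical host; not real telemetry) ---------
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_PLAINTEXT = "Write-Host 'constructed sample'"
_ENCODED = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode()
_BLOB = base64.b64encode(b"constructed placeholder bytes " * 3).decode()

SAMPLE_ENTRIES = [
    AutorunEntry(RUN_KEY, "OneDrive",
                 r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    AutorunEntry(RUN_KEY, "Updater",
                 f"powershell.exe -NoProfile -w hidden -enc {_ENCODED}"),
    AutorunEntry(RUN_KEY, "Cache", _BLOB),            # registry value used as code storage
    AutorunEntry(RUN_KEY, "Agent", r'"C:\Program Files\Vendor\agent.exe" --service'),
]

if __name__ == "__main__":
    for entry, reasons in find_suspicious_autoruns(SAMPLE_ENTRIES):
        print(f"[!] {entry.key}\\{entry.name}")
        for reason in reasons:
            print(f"    - {reason}")
        decoded = decode_encoded_command(entry.data)
        if decoded and ENCODED_FLAG.search(entry.data):
            print(f"    decoded command: {decoded!r}")
```

On a real endpoint the same heuristics apply to the other autostart locations (RunOnce, the per-machine Run key, scheduled tasks and services), and the decoded command is what an analyst would pivot on next, since a memory-only stage typically still needs some on-disk or registry-held launcher to survive a reboot.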
Shifting Gears from Political to Financial
The concept of fileless malware is not original. Two years ago, this type of threat was identified as the mechanism for Duqu 2.0, a derivation of the sophisticated worm Stuxnet. However, what is new and ringing alarm bells in 2017 is the fact that this type of threat is not just being used by nation states to carry out their agendas. Now, it has evidently captured the attention of financially motivated cyber criminals.
According to research by Kaspersky Lab, at least 140 banks, government organizations and enterprises have been attacked by fileless malware. The as-yet-unnamed victims are located across the world, with the greatest number of attacks so far targeting victims in the US, UK, Israel, Russia, Saudi Arabia, France, Egypt, Brazil, Ecuador, Tunisia, Turkey, Uganda, Kenya, Morocco, and the Vatican.
Naturally, the fileless malware combination of “extremely difficult to detect” plus “difficult to attribute” is the stuff that keeps InfoSec professionals awake at night. But it is especially problematic for those in the banking and financial services sector, where organizations are under increasing pressure from lawmakers and customers to prevent attacks rather than detect them (or, more likely, as noted above, have a persistent attack revealed by a third party). In fact, the threat to banks is so pressing that in some jurisdictions, physically separating sensitive assets on the network from the internet is a regulatory requirement.
However, while physical separation (i.e. air gaps) makes sense in theory, in many cases it is impractical in reality. Not only is it excessively — if not prohibitively — costly for many organizations to maintain two networks, but forcing employees to switch back and forth throughout the day between two systems — one isolated, and one facing the public internet — is a non-starter, as it severely diminishes productivity and degrades user experience.
The BUFFERZONE Solution
BUFFERZONE is an effective, practical and cost-effective defense against fileless malware. This is because all processes that are injected by a website or email attachment run completely within a virtual container, and therefore cannot reach the endpoint to access confidential files, or migrate to the network and launch a full-blown campaign. And just as importantly, an operating system exploit that sneaks its way onto the endpoint outside of the protected browser (such as through a portable storage device) will not be able to contact the Command and Control server. Instead, BUFFERZONE’s Password feature will recognize it as invalid and automatically sound the alarm.
“What Will They Think of Next?”
In many cases, innovation is a positive development that should be encouraged. Unfortunately, however, cyber criminals are interested in improvement as well, and the mainstream use of fileless malware is one of the latest examples; it most certainly will not be the last. And so, the question that all organizations must ask — but especially those in the banking and financial sector — is “what will they think of next?” Virtual container technology is a smart and proven way to increase the chances that organizations will answer this question as interested observers, rather than as plundered victims.