Nowadays, cybercriminals seem to prefer fileless malware attacks on organizations. Most malware attacks can be detected, blocked and removed using malware removal tools or applications. Fileless malware attacks, however, are so-called non-malware attacks: they use legitimate programs and applications already present on the system and are therefore able to bypass most endpoint protection systems. Further, the malicious code resides only in the computer's memory, which makes it even more difficult to detect.
How a fileless malware attack takes place
When a user visits a website, Flash software gets loaded. Flash then activates PowerShell, a legitimate Windows tool. Malicious commands loaded into memory connect to a command and control (C&C) server and download a PowerShell script. This script stealthily steals sensitive information such as the passwords of users with administrative privileges. In this case, PowerShell scripts are used as a malicious service. The Windows NETSH utility is then used to build tunnels and to obtain passwords. The stolen data is then sent to the C&C server.
The malicious script allows the attackers to gain control of the computer or device. They are able to control web browsers and other applications, which allows them to access and steal data across the network. However, when the computer is shut down and restarted, the malicious code residing in memory disappears. This makes it very difficult to investigate how the attack took place. In many cases, IT security staff do not suspect an attack or know where to look when these attacks take place.
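The chain described above (browser loads Flash, Flash launches PowerShell, PowerShell pulls a script into memory, NETSH builds a tunnel) leaves traces in process-creation telemetry even though nothing is written to disk, and that telemetry is what the real-time behavioral monitoring recommended further down relies on. The following is an added Python example, not code from the original article, that scans constructed Sysmon-style process-creation events (JSON lines using Sysmon Event ID 1 field names; the records, host names, process IDs and command lines are made up) and flags each stage of that chain. The browser and shell image lists and the command-line patterns are assumptions that would be tuned for a given environment.

```python
"""Added example: flag the process-creation pattern behind a fileless attack.

Constructed Sysmon-style process-creation events (JSON lines, one per
process start) are scanned for the chain the article describes: a browser
or plugin host launching PowerShell, PowerShell pulling a script straight
into memory, and netsh being used to build a tunnel.  Field names follow
Sysmon Event ID 1, but the records themselves are made up.
"""
import json
import re
from typing import Iterable

# Parent images that should not legitimately spawn a shell
# (assumption: tune to the browsers and plugin hosts in your environment).
BROWSER_IMAGES = {
    "firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe", "flashplayerplugin.exe",
}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits of a script that is fetched or decoded without touching disk.
IN_MEMORY_PS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|invoke-expression|\biex\b|frombase64string)",
    re.IGNORECASE,
)
# netsh sub-command that redirects traffic (the "tunnel" the article mentions).
NETSH_TUNNEL = re.compile(r"\bportproxy\b", re.IGNORECASE)

# Constructed sample telemetry: a browser on WS01 spawning PowerShell, which
# runs an encoded command and then netsh; WS02 shows a benign admin script.
SAMPLE_LOG = r"""
{"Computer": "WS01", "ProcessId": 4300, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "firefox.exe"}
{"Computer": "WS01", "ProcessId": 4412, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "powershell.exe -NoProfile -w hidden -enc BASE64_PLACEHOLDER"}
{"Computer": "WS01", "ProcessId": 4520, "Image": "C:\\Windows\\System32\\netsh.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.0.0.5 connectport=445"}
{"Computer": "WS02", "ProcessId": 1201, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"}
"""


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious process start, with the reasons it tripped."""
    findings = []
    for ev in events:
        image = image_name(ev["Image"])
        parent = image_name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        reasons = []
        if image in SHELL_IMAGES and parent in BROWSER_IMAGES:
            reasons.append("powershell spawned by browser/plugin host")
        if image in SHELL_IMAGES and IN_MEMORY_PS.search(cmd):
            reasons.append("powershell fetching or decoding a script in memory")
        if image == "netsh.exe" and NETSH_TUNNEL.search(cmd):
            reasons.append("netsh port forwarding (tunnel) configured")
        if reasons:
            findings.append({
                "host": ev["Computer"],
                "pid": ev["ProcessId"],
                "image": image,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_LOG)):
        print(f"{f['host']} pid={f['pid']} {f['image']}: {'; '.join(f['reasons'])}")
```

Run as a script, the example reports two findings on WS01 (the PowerShell started by Firefox with an encoded command, and the netsh port proxy it launched) and nothing for the explorer-launched inventory script on WS02. The point is that none of the three rules looks at files on disk: parent-child relationships and command lines are what survive in telemetry after a reboot wipes the in-memory payload.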
Fileless malware has been used to target more than 100 financial entities (banks), telecommunication companies and government organizations across the globe. The cybercriminals transferred money from the banks' accounts and moved data using legitimate tools, which made it very difficult to detect. The malware used in these latest attacks was discovered in the physical memory of a bank's domain controller. These attacks were used to take money out of ATMs and bank accounts. The U.S., the U.K., France, Kenya, and Ecuador were the countries that suffered most of the attacks.
How to prevent fileless malware attacks
1. Patch Management
Keep your operating systems and other applications regularly updated with the latest patches. Using a patch management system is the better option.
2. White-listed Applications
Allow users to run only white-listed applications on their endpoints, especially in the case of BYOD (bring your own device).
3. Endpoint Security
Install a robust endpoint security product that is capable of monitoring all file activity for unusual behavior in real time. This is very important, as some malware looks harmless while it is inactive; its behavior reveals its true intentions only once it becomes active.
4. Privileged Access
Restrict user access to applications on a strict need basis. Access to administrative tools must be restricted.
An effective endpoint security product with default-deny protection and real-time behavioral analysis is the most potent protection against fileless malware attacks.