Why Fileless Malware Will Continue Its Rapid Expansion
The idea of fileless malware has received a lot of attention lately, and with good reason. In its relatively short life, fileless malware has successfully infiltrated a number of financial and other institutions that are generally thought of as being very secure, and at least some of the alleged U.S. presidential campaign tampering is attributed to fileless malware. In fact, numerous organizations have reported a heavy increase in its presence during recent months.
Any new malware variant will cause a stir if it’s successfully disrupting our lives, at least until vendors patch vulnerabilities and antimalware tools can detect it. Once under control, the attention given to most malware quickly subsides. But in the case of fileless malware, for many organizations, there will be no quick resolution. We are in this one for the long haul.
Recently, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) warned: “The NJCCIC assesses with high confidence that fileless and ‘non-malware’ intrusion tactics pose high risk to organizations, both public and private, and will be increasingly employed by capable threat actors intent on stealing data or establishing persistence on networks to support ongoing espionage objectives or to enable future acts of sabotage.”
No Detectable Files
Fileless malware is malware that resides and operates completely within RAM, and does not generally place malicious executables on the file system. I say “generally” because the term has evolved to include scenarios where malicious code stores objects temporarily on disk and deletes them once loaded into memory. It also includes cases where malware stores components in the Windows configuration database, or registry. But in general terms, fileless malware has no detectable files traversing the network or stored on a drive.
Why it Will Keep Expanding
So why is fileless malware so dangerous, and why will it continue to expand for the foreseeable future? In simple terms: it works. Although some malware detection systems are capable of detecting and controlling fileless malware, most are not. Like everyone else, cybercriminals usually take the path of least resistance, and since fileless malware defeats most security controls, it is rapidly becoming the attack methodology of choice. Its success is due to a number of factors:
- It’s stealthy – Most malware detection technologies work by evaluating files. Without files to analyze, they are helpless to detect the malware. Because fileless malware resides entirely in RAM, most security controls can’t even see it, let alone analyze it.
- There are no signatures to detect – Most malware detection tools still depend on and look for known malware signatures within objects and files. Since these products are ineffective against fileless malware, vendors of such tools need to adopt fundamentally different technologies, which requires completely new designs.
- Static analysis doesn’t work – A number of malware detection tools hunt for malware by detecting structural or other abnormalities in files. These tools suffer from the same problem as signature-based technologies: there are no files to evaluate.
- RAM is the ideal location for malware – Since you can run an entire operating system inside of RAM, it’s easy to see why it is attractive for malware authors. Executing malicious code in the memory of a system that doesn’t shut down or reboot for extended periods of time is an ideal situation.
- It’s very profitable for cybercriminals – It takes a great deal of time to develop new malware. To maximize their return on investment, crooks look for malicious technologies that can’t be easily defeated. Fileless malware is fundamentally different, and a lot of time will pass before most organizations can effectively respond to it.
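If the file-based checks above see nothing, what a defender can still inspect is what the article says remains: components staged in the registry and loaded straight into memory. The following script is an added example written for this article, not the author's code or any vendor's product. It assumes registry name/value pairs have already been exported (here replaced by a constructed sample) and applies two simple triage rules to each value: a script interpreter launched with a long inline encoded argument, and a large high-entropy value that looks like an encoded blob rather than a command line. The key names, value names, thresholds and the `_constructed_blob` helper are all illustrative assumptions.

```python
"""Heuristic triage of registry values for fileless-style persistence.

Added example for this article; not the author's code. It assumes registry
name/value pairs have already been exported (a constructed sample is used here)
and looks for what the article says remains when no file is written: script
content or encoded blobs held in the registry and loaded straight into memory.
"""
import base64
import hashlib
import math
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# A run of 100+ base64 characters: long enough to exclude ordinary paths and flags.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{100,}")
# Script hosts whose command line can carry a whole payload inline (assumed list).
INTERPRETERS = ("powershell", "wscript", "cscript")
MIN_BLOB_LEN = 256        # characters of value data before the entropy rule applies
MIN_BLOB_ENTROPY = 5.0    # bits/char; base64 of random bytes is ~5.9, plain text ~4.5


@dataclass
class Finding:
    key: str
    name: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_value(key: str, name: str, data: str) -> Optional[Finding]:
    """Return a Finding if the value looks like staged payload, else None."""
    lower = data.lower()
    # Rule 1: an interpreter whose argument carries a long encoded token.
    if BASE64_TOKEN.search(data) and any(i in lower for i in INTERPRETERS):
        return Finding(key, name, "script interpreter launched with an inline encoded payload")
    # Rule 2: a value that is mostly a large, near-random blob rather than a command line.
    if len(data) >= MIN_BLOB_LEN and shannon_entropy(data) >= MIN_BLOB_ENTROPY:
        return Finding(key, name, "large high-entropy value (possible payload staged in the registry)")
    return None


def triage(entries: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Run triage_value over (key, name, data) tuples and keep the hits."""
    return [f for f in (triage_value(*e) for e in entries) if f is not None]


def _constructed_blob(n_bytes: int = 320) -> str:
    """Deterministic pseudo-random bytes, base64-encoded; stands in for an encoded payload."""
    out, chunk = b"", b"constructed-seed"
    while len(out) < n_bytes:
        chunk = hashlib.sha256(chunk).digest()
        out += chunk
    return base64.b64encode(out[:n_bytes]).decode()


# Constructed sample export (key, value name, value data); not from any real host.
SAMPLE_REGISTRY_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _constructed_blob()),
    (r"HKCU\Software\Classes\CLSID\{constructed-placeholder}", "Data",
     _constructed_blob()),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "VendorAgent",
     r'"C:\Program Files\Vendor\agent.exe" --config "C:\ProgramData\Vendor\config.xml"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRY_VALUES):
        print(f"{f.key}\\{f.name}: {f.reason}")
```

Both rules are triage heuristics, not verdicts: legitimately encoded configuration or licence data will also score as high-entropy, so the output is a queue for an analyst to confirm against process memory, not an alert in itself. The point of the example is where the evidence lives when there is no file: in the registry value and in the memory of the process that reads it.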
Although there are technologies that effectively detect and mitigate fileless malware, the majority of organizations don’t have them. That, combined with the strong economic factors driving cybercriminals to aggressively adopt and use it, unfortunately means that fileless malware will continue its rapid expansion for the foreseeable future.
Organizations must be even more aggressive than cybercriminals, and adopt the technologies they lack in order to protect themselves from the fileless attacks that are surely coming.