
What is fileless malware?

Fileless malware is a type of malicious software that infiltrates a computer's random-access memory (RAM) and disrupts the system using living off the land (LOTL) techniques. Unlike traditional malware, which relies on malicious files being downloaded and written to the hard drive for execution, fileless malware operates directly from system memory, leaving no traces on the hard disk. It camouflages itself within legitimate system processes, maintaining persistence on the compromised system while evading detection by security solutions.

What are LOTL attacks?

A LOTL attack is a fileless malware attack that leverages built-in system tools and operations to maintain persistence within a network and move laterally, all while evading detection. These attacks typically involve whitelisted tools, such as PowerShell and command prompt (CMD), which are used for administrative tasks, as well as Windows components like the Windows Registry and WMI. Since these attacks use legitimate, native Windows tools that are often overlooked by security solutions, they are referred to as LOTL attacks.

Types of fileless malware

Fileless malware falls into two major categories, based on where the malware resides:

  1. Memory resident malware
  2. Registry resident malware

Memory resident malware

As the name suggests, this type of fileless malware resides in the computer's RAM. It typically enters the system through exploit kits or rootkits delivered via malicious links. Exploit kits are collections of exploits targeting potential vulnerabilities in the system, while rootkits are a set of malicious scripts and programs. Exploit kits inject the exploits directly into the computer's memory, while rootkits embed malicious code into the computer's kernel. Since there are no traces of invasion on the hard disk, the malware easily bypasses detection by anti-malware solutions.

Registry resident malware

This type of fileless malware resides in the Windows Registry, which is the database used by the operating system to store configuration settings for hardware and software. The malware enters the computer using a dropper program, which involves the execution of a self-destructing file. Upon execution, malicious code is injected into the Windows Registry, and the associated file is destroyed. Since the malware is embedded within a native program, it evades the scrutiny of anti-malware solutions.

Fileless malware: How it works

Here is an outline of how a fileless malware attack is carried out.

  • Fileless malware gains initial access to a system and executes its code using either a memory-resident method or a registry-resident method.
  • After execution, the malware navigates the system for lateral movement and persistence.
  • In the memory-resident method, it might run alongside system processes and remain active as long as the computer is running.
  • In the registry-resident method, it could be programmed to launch alongside critical Windows processes from the registry.
  • In both methods, fileless malware leverages native Windows tools to carry out the attack.

Windows tools exploited by fileless malware or LOTL attacks

Here is a list of native Windows tools leveraged during LOTL attacks:

1. PowerShell

Attackers leverage PowerShell to execute remote code that runs in the system's memory. It is used to run malicious commands, download malicious code from a remote or command-and-control server, obfuscate scripts to evade detection, and schedule executions through the Windows Task Scheduler.

2. Command prompt

Similar to PowerShell, command prompt is also exploited by attackers to execute malicious code without writing to the hard disk. Attackers use command-line utilities, such as certutil.exe, to download files that can be executed directly from memory, evading detection by security solutions. CMD can also be leveraged to exploit WMI, enabling the execution of malicious batch files whenever the system is started or rebooted.

3. Windows Management Instrumentation

WMI is another important tool used in LOTL attacks, primarily to propagate the attack across the network. WMI creates a channel that allows attackers to spread the attack and execute code on remote systems via PowerShell. It is also used to exfiltrate and transmit confidential data from the target system to an external command-and-control server. By leveraging WMI, attackers can also manipulate the system's security settings and disable the Windows Defender process, effectively hiding forensic traces of their activity.

4. Windows Registry

The Windows Registry stores the configuration details of various programs and processes that reside on Windows systems. This information is stored in the form of registry keys, which contain the registry entries for programs like PowerShell, WMI, Task Manager, and more. By leveraging the Windows Registry Editor, attackers can modify these entries and manipulate the system to execute malicious scripts whenever a program is called to run. Since the Windows Registry is a native database, it is not subject to scrutiny by security tools, and the executions remain unflagged.
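One defensive check that follows from this section and from the registry-resident malware type described earlier is to audit the autorun keys for values that start a script interpreter rather than a normal program. The Python script below is an added example, not code from this page or from ManageEngine. It parses a constructed `reg export`-style dump of a user's Run and RunOnce keys (all values are made up; the key paths, the list of script hosts and the command-line tokens are assumptions chosen for illustration) and reports every value that launches a script host or carries loader-style arguments. On a live host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (decode the UTF-16 output before parsing); findings still need triage, as the RunOnce cleanup entry in the sample shows.

```python
import re

# Constructed sample of a `reg export` of a user's Run and RunOnce keys.
# Every value here is made up for the example; none is real data or real malware.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SysHelper"="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>"
"Loader"="wscript.exe //B C:\\Users\\alice\\AppData\\Roaming\\update.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="cmd.exe /c del /q C:\\Users\\alice\\AppData\\Local\\Temp\\setup.tmp"
'''

# Autorun locations audited here (suffix match on the lower-cased key path; assumed list).
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Interpreters and proxy-execution binaries that rarely belong in a user's autoruns.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Command-line fragments typical of in-memory loaders (assumed indicator list).
SUSPICIOUS_TOKENS = ("-enc", "-windowstyle hidden", "-w hidden", "downloadstring",
                     "invoke-expression", "frombase64string", "http://", "https://",
                     "javascript:", "vbscript:")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\")

# A .reg string value line: "name"="data", with backslash escapes inside both parts.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s):
    # In .reg files a backslash quotes the next character (\\ -> \ and \" -> ").
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every string value in a .reg export."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:  # dword:/hex: values are not command lines and do not match
                yield current_key, unescape_reg(m.group(1)), unescape_reg(m.group(2))


def executable_name(command):
    """Lower-cased base name of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        program = parts[0] if parts else ""
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_autoruns(text):
    """Return the autorun values that look like script-based loaders, with reasons."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        lowered = data.lower()
        exe = executable_name(data)
        reasons = []
        if exe in SCRIPT_HOSTS:
            reasons.append(f"starts script host {exe}")
            if any(p in lowered for p in USER_WRITABLE):
                reasons.append("argument points into a user-writable directory")
        reasons += [f"contains {t!r}" for t in SUSPICIOUS_TOKENS if t in lowered]
        if reasons:
            findings.append({"key": key, "value": name, "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['value']}: {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

The OneDrive entry passes because it starts a normal executable with no loader-style arguments, while the PowerShell, wscript and cmd entries are reported with the reasons that triggered them; the same parser can be pointed at the HKLM Run keys or at a scheduled export collected by a SIEM agent.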

5. Microsoft Office macros

Macros are typically sets of code that allow users to automate repetitive tasks in Microsoft applications such as Word, Excel, and PowerPoint. Attackers leverage these macros to inject malicious code into Word documents, Excel sheets, or PowerPoint slides. Whenever a user opens these files, the macros are executed automatically without spawning any suspicious processes. Since the attack is carried out via seemingly harmless documents, it remains inconspicuous and undetected for an extended period.

Examples of fileless malware

Here are some notable examples of fileless malware attacks:

The Dark Avenger

First discovered in 1989, The Dark Avenger is considered a precursor to modern fileless malware attacks. This fileless malware resided in the system's memory, although it initially gained access via downloadable files. It targeted executable files and was activated whenever a file was executed.

Frodo

Frodo is considered another precursor to modern fileless malware. Believed to be a type of virus, Frodo was memory-resident malware that operated within the compromised system's memory and infected files stored on the hard disk.

Poweliks

Poweliks is a registry-resident malware that resides in the Windows Registry and targets registry keys. It gains initial access through a dropper program, which directly injects the malicious code into the Windows Registry.

Duqu 2.0

Duqu 2.0 is a memory-resident, fileless malware that gains initial entry by exploiting the zero-day vulnerability CVE-2014-4148 in Windows systems. This vulnerability allowed the malware to exploit a flaw in the TrueType font handling in Windows, enabling remote code execution. Duqu 2.0 was first reported in 2015 by a prominent security vendor after it leveraged the vulnerability to compromise domain controllers within the vendor's network.

How to detect and prevent fileless malware or LOTL attacks

Fileless malware attacks are often off the radar of conventional anti-virus and anti-malware solutions. Traditional approaches to detecting and mitigating malware are no longer effective against sophisticated LOTL attacks. Therefore, it is crucial to switch from the conventional approach of tracking indicators of compromise (IoCs) to an advanced approach of identifying indicators of attack (IoAs). IoAs detect an attack while it is in progress, whereas IoCs identify an issue only after the attack has been executed. Monitoring the system for abnormal activities that indicate an attempted breach can help SOC teams take proactive measures before the malware reaches its goal. Below is a list of IoAs that could indicate a fileless malware attack.

  • Increase in CPU and RAM usage: Unusual spikes in CPU and RAM usage during the execution of PowerShell or WMI processes.
  • Unauthorized changes to the Windows Registry: Creation, modification, or deletion of registry keys without proper authorization, which might suggest an attempt to manipulate the registry entries.
  • Abnormal usage of LOTL tools: Increased usage of legitimate system tools such as PowerShell and WMI for remote code executions.
  • Suspicious PowerShell or command line executions: Execution of PowerShell scripts or command-line actions that invoke system processes or network activities without any file written on the disk.
  • Unauthorized deletion of event logs: Deletion or tampering with Windows event logs and security logs, especially those related to the use of LOTL tools.
  • Abnormal network traffic: Unusual traffic patterns, including an increase in inbound and outbound communications with suspicious IP addresses or geo locations, which could be indicative of data exfiltration or command-and-control activity.
  • Anomalous privilege account activities: Unusual administrative account logons and privilege account activities that involve file tampering, audit policy changes, and unauthorized access.
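The IoAs listed above, and the tool abuses described in the Windows tools section, are only useful once they are turned into detection logic and correlated per host. The Python below is an added example, not code from this page or from Log360. It runs constructed event records (made-up hosts, timestamps and command lines, loosely modelled on Windows Security and Sysmon fields) through two layers: per-event rules that tag an Office application spawning a script host, encoded or download-style PowerShell, certutil downloads, WMI remote process creation, autorun registry changes and event log clearing, and a per-host correlation that raises an alert only when the weights of several distinct IoAs inside a time window add up. The field names, weights, window and threshold are assumptions for the example, not any vendor's rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Windows Security / Sysmon fields.
# Hosts, timestamps and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS-17", "kind": "process",
     "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"ts": "2024-05-01T09:01:10", "host": "WS-17", "kind": "process",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>"},
    {"ts": "2024-05-01T09:01:12", "host": "WS-17", "kind": "registry", "op": "SetValue",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper"},
    {"ts": "2024-05-01T09:01:30", "host": "WS-17", "kind": "process",
     "parent": "powershell.exe", "image": "wmic.exe",
     "cmdline": "wmic.exe /node:FS-02 process call create <COMMAND_PLACEHOLDER>"},
    {"ts": "2024-05-01T09:02:00", "host": "WS-17", "kind": "logclear", "channel": "Security"},
    {"ts": "2024-05-01T10:30:00", "host": "WS-22", "kind": "process",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ts": "2024-05-01T10:31:00", "host": "WS-22", "kind": "process",
     "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "wmic.exe"}
PS_INDICATORS = ("-enc", "-windowstyle hidden", "downloadstring", "invoke-expression",
                 "frombase64string")
AUTORUN_MARK = r"\currentversion\run"

# Per-IoA weights (assumed for the example): one hit is a lead, several add up to an alert.
WEIGHTS = {
    "office_spawns_script_host": 40,
    "suspicious_powershell": 30,
    "certutil_download_or_decode": 30,
    "wmi_remote_exec": 40,
    "wmi_local_exec": 20,
    "autorun_registry_change": 25,
    "event_log_cleared": 50,
}


def classify(event):
    """Return the IoA tags a single event triggers (empty list if nothing matches)."""
    tags = []
    if event["kind"] == "process":
        image, parent = event["image"].lower(), event["parent"].lower()
        cmd = event["cmdline"].lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            tags.append("office_spawns_script_host")      # macro-style execution
        if image in ("powershell.exe", "pwsh.exe") and any(i in cmd for i in PS_INDICATORS):
            tags.append("suspicious_powershell")          # encoded / download / hidden window
        if image == "certutil.exe" and ("-urlcache" in cmd or "-decode" in cmd):
            tags.append("certutil_download_or_decode")
        if image == "wmic.exe" and "process call create" in cmd:
            tags.append("wmi_remote_exec" if "/node:" in cmd else "wmi_local_exec")
    elif event["kind"] == "registry" and AUTORUN_MARK in event["path"].lower():
        tags.append("autorun_registry_change")            # persistence via Run/RunOnce
    elif event["kind"] == "logclear":
        tags.append("event_log_cleared")                  # anti-forensics
    return tags


def correlate(events, window=timedelta(minutes=15), threshold=60):
    """Per host, sum the weights of *distinct* IoAs seen inside a sliding window and
    emit an alert when the sum reaches the threshold; a lone low-weight IoA stays below it."""
    hits_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tag in classify(ev):
            hits_by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    alerts = []
    for host, hits in hits_by_host.items():
        for i, (start, _) in enumerate(hits):
            in_window = {tag for ts, tag in hits[i:] if ts - start <= window}
            score = sum(WEIGHTS[t] for t in in_window)
            if score >= threshold:
                alerts.append({"host": host, "start": start.isoformat(),
                               "score": score, "ioas": sorted(in_window)})
                break  # one alert per host is enough here
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['host']} @ {alert['start']}: score {alert['score']} "
              f"({', '.join(alert['ioas'])})")
```

WS-22's scheduled backup script produces no tags at all, and a lone autorun change on its own stays under the threshold, whereas WS-17 accumulates five distinct IoAs within a minute and is alerted on while the activity is still in progress, which is the IoA-over-IoC point made above. Real deployments would feed the same rules from process creation (4688 / Sysmon 1), registry (Sysmon 12-13) and log-clear (1102) events.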

Fileless malware FAQs

Is fileless malware a virus?

No, fileless malware is not a virus and does not replicate itself. Instead, it spreads across the network by exploiting legitimate Windows tools.

What are the symptoms of fileless malware?

Symptoms of a fileless malware attack include anomalous system activity, such as suspicious process executions that occur without any actual file being executed, possibly combined with registry changes. Other signs include increased use of PowerShell and WMI, and unauthorized privilege escalations.

How does fileless malware spread?

Fileless malware spreads by carrying out remote code executions on multiple systems, by leveraging native tools like PowerShell and WMI.

How do you stop fileless malware?

Employing advanced security solutions like SIEM and UEBA, instead of conventional antivirus solutions, helps prevent fileless malware attacks.

What are the famous fileless malware attacks?

  • Frodo
  • Duqu 2.0
  • The Dark Avenger
  • Poweliks

Related solutions

ManageEngine Log360 is a comprehensive SIEM solution with advanced fileless malware detection and mitigation capabilities. Log360 stands out as one of the best solutions to defend against LOTL attacks with these powerful features:

  • Suspicious process hunting: The Incident Workbench in Log360 helps identify and map suspicious process creations and associations, one of the important LOTL indicators of attack.
  • Windows Registry monitoring: Log360 provides out-of-the-box reports on unauthorized Windows Registry changes such as creation, deletion or modification of registry keys that indicate fileless malware activity.
  • Comprehensive user monitoring: Log360's advanced UEBA capabilities track anomalous user activities and help flag suspicious privilege escalations. It also assigns risk scores to users based on abnormal behavioral patterns, which helps identify compromised accounts and their activity.
  • Proactive threat detection: Log360 provides predefined correlation rules to identify LOTL attacks in real time. You can also create custom correlation rules to cater to the security needs of your network.

To explore more, sign up for a personalized demo of Log360. Or, you can discover its powerful capabilities with a fully functional, 30-day free trial.