Fileless malware (FM) is a growing threat to all networks. FM doesn't discriminate; it quietly infects enterprise systems, small businesses, and home users with the same ease. At the enterprise level, protecting systems against cyber-criminals using FM requires both sophisticated techniques and user education.
An updated banking trojan, the Osiris Banking Trojan, which is an upgraded version of the Kronos Banking Trojan, uses two fileless techniques. These two techniques make Osiris more challenging to detect on machines using standard antivirus software. Osiris' added features and enhanced functionality allow cybercriminals to gain remote access to financial customer profiles. This update allows Osiris fileless malware to be more effective in stealing funds.
According to SentinelOne, fileless malware intrusion detections have increased 94 percent over the past year. Fileless malware operates partly or entirely from the computer's memory without placing malicious executables on the underlying file system. Initially introduced to the machine through phishing or spear-phishing, it can bypass the file system by loading and executing malicious code directly in memory.
Once FM is introduced, it can store malicious code in the registry, or use system administration tools such as PowerShell to save state and relaunch on your next startup. Most antivirus programs scan your filesystems for known malicious files. This method of checking for malware is unable to detect FM on victim machines, since the malware creates no files.
There are two primary fileless techniques: Process Hollowing and Process Doppelgänging. These two techniques enable fileless malware to compromise legitimate software as it infects your system. One of the techniques, Process Doppelgänging, which became public in December 2017, affects all versions of Windows and bypasses almost all antivirus software. Process Hollowing occurs when a process is created in a suspended state, after which its memory is unmapped and replaced with malicious code.
At the enterprise level, protecting systems requires monitoring system behavior, securing administrative tools, and adopting advanced network event collection and visualization technologies.
It's necessary to add security solutions that do not rely solely on file system activity. Adding solutions that also conduct behavior monitoring, memory scanning, and boot sector protection can help to protect networks from fileless attacks.
We know that fileless attacks have used administrative tools already present in a victim network, including PowerShell, in various ways during cyber operations. Securing and monitoring the use of such tools could reduce cyber actors' ability to exploit them in conjunction with fileless malware. Adding Security Information and Event Management (SIEM) technologies that aggregate, store, visualize, and create automated reports and alerts based on customized queries is also a good way to visualize the activities on your network. Making these changes will allow you to find and fix compromised systems.