In a recent Carbon Black analysis of more than a thousand customers, covering more than 2.5 million endpoints, virtually every organization was targeted by a fileless attack in 2016.
Viscuso says that fileless attacks make a lot of sense for the attackers. "I spent ten years as an offensive hacker for the US government, with the NSA and CIA," he says. "So, I approach most conversations from the attacker mindset."
From the attacker's perspective, installing new software on a victim's computer is something that's likely to draw attention. "If I don't put a file on this victim's computer, how much scrutiny do you undergo?" Viscuso asked. "That's why it's so much more damning when an attacker chooses to use a fileless or in-memory attack. They undergo far less scrutiny and are far more successful in their attack."
There's no loss of capability, Viscuso adds. "The payloads are exactly the same." For example, if the attacker wants to launch a ransomware attack, they can install a binary file, or they can use PowerShell. "PowerShell can do everything that a new application can do," he says. "There are no limitations in the attacks I can conduct in memory or with PowerShell."
McAfee is also reporting an increase in fileless attacks. Macro malware, which accounts for a significant chunk of fileless malware, increased from 400,000 at the end of 2015 to over 1.1 million during the second quarter of this year. One of the reasons for the growth is the emergence of easy-to-use toolkits that include these types of exploits, says Christiaan Beek, lead scientist and principal engineer on strategic research at McAfee LLC.
As a result, the use of fileless attacks, which was previously mostly limited to nation states and other advanced adversaries, has been democratized, and is now common in commercial attacks as well. "The cybercriminals have taken this over to spread ransomware," Beek says.
To combat these attacks, McAfee and other major antivirus vendors have been adding behavior-based analytics on top of the traditional signature-based defenses. "For example, if Word is executed at the same time as we see a PowerShell connection, that's highly suspicious," he says. "We can quarantine that process, or decide to kill it."
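The behavioral rule Beek describes (a document-handling application such as Word launching PowerShell) is a parent/child process heuristic. The following is an added example, not code from Carbon Black, McAfee or anyone quoted in the article: it scans constructed process-creation log lines whose field names loosely follow the Sysmon Event ID 1 layout (`ParentImage`, `Image`, `CommandLine`, an assumption about the log format) and raises an alert when an Office application or browser spawns a script host, escalating the severity when the command line carries obfuscation or download flags.

```python
"""Parent/child process heuristic for fileless attack chains (added example).

Flags script interpreters spawned by Office applications or browsers, the
pattern described in the article. The log lines, the '|'-separated
key=value format and the field names are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Parents that normally have no reason to launch a script interpreter.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "iexplore.exe", "chrome.exe", "firefox.exe", "acrord32.exe"}
# Built-in script hosts and loaders that in-memory tradecraft typically rides on.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Command-line markers that make a script-host launch more suspicious.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    severity: str   # "medium" or "high"
    reason: str
    event: ProcEvent


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one 'Key=Value|Key=Value' log line; returns None if required fields are missing."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    try:
        return ProcEvent(fields["ParentImage"], fields["Image"], fields.get("CommandLine", ""))
    except KeyError:
        return None


def evaluate(event: ProcEvent) -> Optional[Alert]:
    """Apply the parent/child rule; PowerShell launched by a service is not flagged."""
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in DOCUMENT_HANDLERS and child in SCRIPT_HOSTS:
        if SUSPICIOUS_ARGS.search(event.command_line):
            return Alert("high", f"{parent} spawned {child} with obfuscation/download flags", event)
        return Alert("medium", f"{parent} spawned {child}", event)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run the rule over a batch of log lines, skipping malformed ones."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: two suspicious chains, two benign launches, one malformed line.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|CommandLine=WINWORD.EXE /n",
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc <BASE64-PLACEHOLDER>",
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir",
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\scripts\inventory.ps1",
    "this line is not a process event",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.reason}: {alert.event.command_line}")
```

The rule deliberately keys on the parent rather than on PowerShell itself: PowerShell started by `services.exe` for an inventory script is routine administration, while the same binary started by Word with `-nop -w hidden -enc` is the macro-to-memory chain the article describes. In production the severity tiers would feed a quarantine-or-kill decision like the one Beek mentions, and the parent and child lists would be tuned to the environment.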
How fileless attacks work
Fileless malware leverages the applications already installed on a user's computer, applications that are known to be safe. For example, exploit kits can target browser vulnerabilities to make the browser run malicious code, take advantage of Microsoft Word macros, or use Microsoft's PowerShell utility.
"Software vulnerabilities in the software already installed are necessary to carry out a fileless attack, so the most important step in prevention is to patch and update not only the operating system, but software applications," says Jon Heimerl, manager of the threat intelligence communications team at NTT Security. "Browser plugins are the most overlooked applications in the patch management process and the most targeted in fileless infections."