Stopping Fileless Malware: Behavioral Analytics and Machine Learning- Exabeam

The New Breed of “Fileless Malware” and How It Can Be Stopped with Behavioral Analytics and Machine Learning

Published
February 21, 2019

Author
Pramod Borkar

Read about the new genus of malware that breaks the rules of traditional detection and defense methods. Called fileless malware, it's unlike other breeds of malware that require the installation of software on a victim’s machine. According to the Ponemon Institute, it accounts for 35% of all cyberattacks in 2018.

A new genus of malware has emerged that breaks the rules of traditional detection and defense methods. Unlike other breeds of malware that require the installation of software on a victim’s machine, fileless malware infects a host computer’s dynamic memory, or RAM. Fileless malware attacks can also hijack Windows, essentially turning the power of the OS against its own users by using common tools like PowerShell (which is integrated into Windows 8) for its malicious activities.

What are the steps of a fileless malware attack?

Beginning with a phishing email, a visit to a malicious website, or the use of an infected USB flash memory stick, fileless malware scans the machine looking for vulnerabilities—whether it’s unpatched Flash or a Java plug-in, or almost any process that involves PowerShell.

Malicious websites may also download Flash or Java onto a user’s machine. The payload then begins executing the attack by using the dynamic memory of the user’s computer, such as leveraging browser processes. (See Figure 1 for more information on the steps of an attack.)


fileless malware
Figure 1- The steps of a fileless malware attack

The growth of fileless attacks

According to research by the Ponemon Institute, fileless malware attacks accounted for about 35 percent of all cyberattacks in 2018, and they are almost 10 times more likely to succeed than file-based attacks.

Although fileless malware doesn’t yet have the notoriety of ransomware and other attack vectors, fileless attacks nevertheless can pose a major threat—and they’re evolving, according to a 2017 report by Malwarebytes.

A  Ponemon Institute data breach report cites that fileless malware attacks account for about 35 percent of all attacks in 2018, and they’re almost ten times more likely to succeed than file-based attacks.

Threats entering your network undetected

What lets these attacks fly under the radar is that they don’t write to your disk. Instead, the malware lurks in memory using hiding places such as PowerShell (widely used by system administrators to automate tasks), Visual Basic (VB) scripts, and Windows Management Instrumentation (WMI).

This makes fileless attacks very difficult to detect since typical anti-malware programs only scan for malicious files, which are then flagged for removal. But that strategy fails when there’s no file on a system. Lack of cookie crumbs (aka remnant code) also makes it tough for security teams to analyze the malware behavior later.

In addition, bad actors are equipping fileless malware with new abilities. These not only enable such attacks to evade detection, but their payloads can also deliver advanced infections. One concern for enterprises is that fileless attacks are borrowing the propagation and anti-forensic techniques seen in the complex nation-state attacks.”

Powerful payloads and persistence

Persistence is one area where such added tactics, techniques, and procedures (TTP) are having a greater impact. With potentially many months needed to remediate an attack, imagine how much critical data an attacker could drain from your network during that time.

In one case, hackers used an obfuscated PowerShell infrastructure to drop fileless malware on targeted computers, which in turn fetched payloads from a command-and-control server. This created a very effective advanced persistent threat (APT) that allowed the attackers to operate undetected for half a year, with data being exfiltrated all the while. And because a trusted program executed the commands, security staff and the tools they used all assumed the commands were legitimate.

One roadblock to their persistence is that fileless malware lives in dynamic memory. In theory, regular system reboots should flush it. But today’s craftier cybercriminals have even devised ways for their code to linger after a reboot.

Cutting-edge tools to fight a cutting-edge threat

Since this new breed of malware can evade traditional detection tools and techniques, it’s critical to look beyond signatures, prewritten rules, disk scanning, and the like. Instead, what if you could track the activity of those having administrator and super user privileges to detect anomalous behavior? (Remember these account credentials are just as susceptible to being hacked.)

Perhaps one such user uncharacteristically accesses different databases or systems in sensitive areas such as HR or finance. That could be an indicator of compromise (IoC). By automatically and swiftly alerting your incident response (IR) team, you could remediate the threat before the damage has been done.

User and entity behavior analytics for fileless malware threat detection

Rather than looking for malicious files, detecting anomalous behaviors or entities can indicate the presence of malware. User and entity behavior analytics (UEBA offers the best solution. Unlike conventional security monitoring tools that scan disks and use signatures or rules—which is useless in detecting fileless malware—behavioral modeling and machine learning offer the best opportunity to identify anomalous and suspicious user and entity behaviors.


fileless malware
Figure 2: An Exabeam Advanced Analytics, User Incident Timeline, showing anomalous and abnormal behaviors stitched together to find a threat

UEBA can monitor user activity as well as the behavior of applications and services. This includes inter-process communications, unauthorized requests to run applications, changes made to credentials or permission levels, and other uncharacteristic behavior. UEBA’s automated, around-the-clock monitoring can alert your security team of a fileless malware attack.

Learn more on how behavioral modeling and machine learning can stop the damage of fileless malware attacks, using Exabeam’s Advanced Analytics.

Recent UEBA Articles

Insider Threat Examples: 3 Famous Cases and 4 Preventive Measures

Read More

An Outcome-based Approach to Use Cases: Solving for Lateral Movement

Read More

What Is an Insider Threat? Understand the Problem and Discover 4 Defensive Strategies

Read More

Using Advanced Analytics to Detect and Stop Threats [White Paper]

Read More

Understanding Insider Threat Detection Tools

Read More



Recent Information Security Articles

Expand Coverage Against Threats with Exabeam Content Library and TDIR Use Case Packages

Read More

Demystifying the SOC, Part 2: Prevention isn’t Enough, Assume Compromise

Read More

How Attackers Leverage Pentesting Tools in the Wild

Read More

The Differences between SIEM and Open XDR

Read More

Why I Joined Exabeam

Read More

Exabeam Growth and the Opportunity Ahead

Read More