Fileless malware can also exploit a system's vulnerabilities by abusing administrative privileges. Once it has gained the highest level of access to a system, PowerShell may be used to execute a series of hidden commands. Which commands are run depends on the attacker's goal and on how long the attack is expected to last. Because these infections do not rely on the endpoint to sustain their connectivity, the window of time available to execute commands is unknown, since the system could be rebooted at any moment.
Because the attack resides only in memory, a reboot merely halts it, which leads threat actors to plant registry entries in support of ongoing attacks, for example by setting scripts to run even after a user restarts the system. Fileless malware is difficult to detect because it uses the system's own commands to carry out the attack, which confounds antivirus (AV) programs: with no file-based payload used to infect the system, there are no characteristics from which to generate signature definitions.
Financial institutions are prone to these types of infections because of the stealth and minimal footprint of fileless malware. There have been reports of several threat actors pairing fileless malware with cryptographic modules, making these attacks even more difficult to defend against.
Increased use of fileless malware does not make it more detectable; in fact, the opposite occurs. Even with the awareness raised by reporting, detection rates are very low, especially for remotely controlled systems. Fileless malware is known for exfiltrating data and working alongside other exploits to deliver multiple payloads (which are not traceable back to the fileless malware itself), all while erasing its own traits and characteristics. Anti-forensic tools are used so that it remains completely invisible, making it an advanced volatile threat (AVT).
Working Example of How a Fileless Malware Attack Might Occur
Suppose a netsh command is issued from PowerShell or a Windows command prompt to create a network connection, after assigning a static IP address and configuring it to use a proxy IP address. On its own, this is a common use case. Things become suspicious, however, when an unknown script is discovered running on the computer. The newly created network connection could then be used to transport data to a remotely connected device somewhere across the world. Such use cases are gaining traction day by day, and with the number of Internet-capable devices constantly growing, the threat of fileless malware may become as omnipresent as the concept of the Internet of Things (IoT) itself.
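The two signals this article points at, netsh being driven from a script host to reconfigure addressing or a proxy (the scenario above) and registry Run-key entries that re-launch PowerShell after a reboot (the persistence described earlier), are the kind of thing a defender can score from process-creation and registry telemetry. The following is an added detection sketch, not code from the article or any vendor; the event field names, the regular expressions and the sample records are all constructed assumptions, and the IP addresses are documentation/private ranges chosen for illustration.

```python
"""Added example: score constructed endpoint telemetry for the two fileless
indicators discussed in the article. Field names and samples are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent image name, e.g. "powershell.exe" (assumed field)
    image: str     # child image name, e.g. "netsh.exe"
    cmdline: str   # full command line of the child process


@dataclass(frozen=True)
class RegEvent:
    key: str         # registry key path (assumed field)
    value_data: str  # data written to the value


# Interpreters a fileless chain typically lives in; an interactive admin usually
# launches netsh from explorer.exe or a console, not from a script host.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# netsh sub-commands that change addressing or proxying (the article's scenario).
NETSH_NETWORK_RE = re.compile(
    r"\b(interface\s+ip(v4)?\s+set\s+address|winhttp\s+set\s+proxy|interface\s+portproxy)\b",
    re.I,
)

# Autostart locations the article describes as the reboot-survival trick.
RUN_KEYS_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)

# PowerShell switches commonly used to keep a script quiet and non-interactive.
SUSPICIOUS_PS_FLAGS_RE = re.compile(
    r"-(enc(odedcommand)?|w(indowstyle)?\s+hidden|nop(rofile)?|noni(nteractive)?)\b",
    re.I,
)


def score_process(ev: ProcEvent) -> List[str]:
    """Return the findings for one process-creation record (empty if benign)."""
    findings: List[str] = []
    if ev.image.lower() == "netsh.exe" and NETSH_NETWORK_RE.search(ev.cmdline):
        findings.append("netsh network/proxy reconfiguration")
        if ev.parent.lower() in SCRIPT_HOSTS:
            findings.append(f"launched from script host {ev.parent}")
    return findings


def score_registry(ev: RegEvent) -> List[str]:
    """Return the findings for one registry-write record (empty if benign)."""
    findings: List[str] = []
    if RUN_KEYS_RE.search(ev.key):
        data = ev.value_data.lower()
        if "powershell" in data or "pwsh" in data:
            findings.append("Run-key autostart invokes PowerShell")
            if SUSPICIOUS_PS_FLAGS_RE.search(ev.value_data):
                findings.append("hidden/encoded/no-profile flags in autostart")
    return findings


def triage(procs: List[ProcEvent], regs: List[RegEvent]) -> List[Tuple[str, str, List[str]]]:
    """Collect every record that produced at least one finding."""
    alerts: List[Tuple[str, str, List[str]]] = []
    for p in procs:
        f = score_process(p)
        if f:
            alerts.append(("process", p.cmdline, f))
    for r in regs:
        f = score_registry(r)
        if f:
            alerts.append(("registry", r.key, f))
    return alerts


# Constructed sample telemetry (not real logs).
PROC_EVENTS = [
    # Admin at the console assigning a static address: flagged, but without the script-host finding.
    ProcEvent("explorer.exe", "netsh.exe",
              'netsh interface ip set address "Ethernet" static 10.0.0.25 255.255.255.0 10.0.0.1'),
    # Proxy pointed at an external host from inside PowerShell: both findings.
    ProcEvent("powershell.exe", "netsh.exe", "netsh winhttp set proxy 203.0.113.7:8080"),
    # Read-only enumeration from PowerShell: not flagged.
    ProcEvent("powershell.exe", "netsh.exe", "netsh interface show interface"),
]

REG_EVENTS = [
    # Ordinary vendor updater autostart: not flagged.
    RegEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             r'"C:\Program Files\Vendor\updater.exe" /quiet'),
    # PowerShell autostart with quiet/encoded switches (placeholder payload): both findings.
    RegEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "powershell.exe -NoP -W Hidden -Enc BASE64_PLACEHOLDER"),
]


if __name__ == "__main__":
    for source, detail, findings in triage(PROC_EVENTS, REG_EVENTS):
        print(f"[{source}] {detail}\n    " + "; ".join(findings))
```

The point of separating the two findings on the netsh record is precedence: a static-address change typed by an administrator at the console is routine and should land low in a queue, while the same change spawned by PowerShell, paired shortly afterwards with a Run-key value that re-launches PowerShell hidden, is the reboot-surviving chain the article describes and deserves to be looked at as one incident rather than two unrelated events.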