New fileless malware presents problems for business

News by Mark Mayne

Concerns raised over growth in highly stealthy fileless malware that is almost impossible to detect or prevent.

A new fileless malware attack that has not been seen before has highlighted the growth in the highly stealthy technique.

Fileless malware is on the rise among cyber-attackers because it is difficult to defend against, according to Mimecast Research Labs researchers. Because the technique uses common system tools such as Command Prompt (cmd), PowerShell and Windows Management Instrumentation (WMI), which are essential everyday tools for system admins, detecting misuse of them is particularly challenging. Indeed, research from the Ponemon Institute found that fileless malware attacks accounted for around 35 percent of all attacks in 2018, and are up to 10 times more likely to succeed than more traditional file-based malware attacks.

"Fileless malware is also easier to create, and can run in multiple environments and operating systems without any changes, or with only minor changes. This makes them cheap and reliable tools for attackers to develop and use", said the researchers in a blog post.

Meni Farjon, chief scientist, advanced malware detection at Mimecast told SC Media UK that the challenge to enterprises posed by the malware is significant: "What this means for businesses is that their existing organisational controls and tools are now being used to deliver malware.

"Today's hackers no longer depend on victims downloading an infected file. Antivirus software will scan and analyse new files downloaded or otherwise landing on your hard drive, but it is almost completely blinded by fileless malware.

"Add to that business reliance on organisational tools, and an inability to displace or even monitor those, and this becomes a much bigger problem. One that is very hard to solve."

The researchers uncovered an entirely new attack vector using fileless malware, which can modify the host environment without using a "set" command. "Instead, it relies on an "exit" command with custom exit code and later uses the execution result to get an ASCII char representation, which is modified in the "%ExitCodeAscii%" environment variable. This ASCII char is used to get a command running", explained the researchers.

To get the correct value of "%ExitCodeAscii%" the "exit" command must be run. As a result, the process running it will be terminated. To overcome this obstacle, the hacker can use "cmd.exe" in a couple of layers and abuse it to get the desired character:

The researchers demonstrated the power of these attacks by submitting to VirusTotal a file that executes the command plainly alongside one in which the command is obfuscated, and comparing the detection results:

Obfuscated fileless malware in attacker's toolkits.
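The technique described above leaves traces in process-creation telemetry: a reference to the ExitCodeAscii variable, an `exit` with an explicit numeric code, and more than one `cmd.exe /c` layer in a single command line. The following is an added detection example, not code from Mimecast or from the article; the sample events, the indicator weights and the alert threshold are constructed for illustration and should be tuned against real telemetry. The variable-name match tolerates an optional leading `=` so that it catches both the spelling used in the article and the `%=ExitCodeAscii%` form.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 612, "user": "CORP\\alice",
     "cmdline": r'cmd.exe /c dir C:\Users\alice /s > C:\temp\files.txt'},
    {"pid": 4102, "ppid": 612, "user": "CORP\\svc_backup",
     "cmdline": r'cmd.exe /c C:\scripts\backup.bat & exit /b 0'},
    {"pid": 4103, "ppid": 3005, "user": "CORP\\bob",
     "cmdline": r'cmd.exe /c "cmd.exe /c exit 99 & echo %=ExitCodeAscii%"'},
    {"pid": 4104, "ppid": 3005, "user": "CORP\\bob",
     "cmdline": r'powershell.exe -NoProfile -Command Get-Service'},
]

# Indicator patterns. Weights and threshold are hypothetical values chosen for this example:
# a reference to ExitCodeAscii is rare in legitimate scripts, so it carries the most weight;
# nested cmd layers and numeric exit codes are common on their own and only add context.
EXITCODEASCII_RE = re.compile(r'=?ExitCodeAscii', re.IGNORECASE)
CMD_LAYER_RE = re.compile(r'\bcmd(?:\.exe)?\s+/[ck]\b', re.IGNORECASE)
CUSTOM_EXIT_RE = re.compile(r'\bexit\s+\d+\b', re.IGNORECASE)   # "exit 99", not "exit /b 0"
FLAG_THRESHOLD = 3


def score_cmdline(cmdline):
    """Return (score, indicators) for one command line."""
    score = 0
    indicators = []
    if EXITCODEASCII_RE.search(cmdline):
        score += 3
        indicators.append("references ExitCodeAscii")
    layers = len(CMD_LAYER_RE.findall(cmdline))
    if layers >= 2:
        score += 2
        indicators.append(f"{layers} nested cmd /c|/k layers")
    if CUSTOM_EXIT_RE.search(cmdline):
        score += 1
        indicators.append("exit with explicit numeric code")
    return score, indicators


def flag_events(events, threshold=FLAG_THRESHOLD):
    """Return the events whose command line scores at or above threshold, annotated with indicators."""
    hits = []
    for ev in events:
        score, indicators = score_cmdline(ev["cmdline"])
        if score >= threshold:
            hits.append({**ev, "score": score, "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f'pid={hit["pid"]} user={hit["user"]} score={hit["score"]}: '
              + "; ".join(hit["indicators"]))
        print("    ", hit["cmdline"])
```

Run against the constructed events, only pid 4103 is flagged: the backup job's `exit /b 0` and the single-layer `cmd.exe /c dir` do not score, which is the point of weighting the variable reference above the two generic indicators. In production the same scoring would be applied to the command-line field of whatever process-creation source is in use (Sysmon, EDR, Windows event 4688 with command-line auditing enabled).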


"Attackers invest a lot of time and effort to hide their unscrupulous activities, and fileless malware is increasingly used in these operations", warned the researchers in summary.
