Cybercrime never stands still. Online crooks are always looking for a new edge to make their attacks more effective and difficult to detect. One of their recent innovations has been fileless attacks. These are malicious scripts that hijack legitimate software, without installing themselves on the hard drive.  Fileless attacks operate completely in memory, without leaving a trail or footprint, making detection difficult for legacy IT security software.

How Does this Software Get into Memory?

Fileless attacks leverage the applications already installed on the computer, impacting applications that are known to be safe. In many cases, a remote access trojan executes a malicious script within memory. It then uses an existing administrative tool, like Windows Powershell, to run malicious scripts that executed its payload.

Stopping Fileless Attacks

The growing threat trajectory requires new cybersecurity tools and methodologies.  Traditional signature-based software that scans files on hard drives is no longer enough. Solutions that monitor access to administrative tools like Powershell, Apple Script and WMI are becoming more prevalent. Application controls on the endpoints are gaining momentum in stopping malware-free attacks including whitelisting to stop unauthorized software from running in memory.

Preventing fileless attacks is also an exercise in inspection. Security pros should be searching for signs of compromise not only in hard drive files, but in system memory, too. Network visibility is important in examining the type of traffic passing internally between network segments. If an attacker is using a Powershell script to exfiltrate data through the network, then they might be creating unusual traffic patterns

However, on their own, it is possible that none of these approaches is enough to stop fileless malware. It is a particularly devious attack, and cybercriminals have become adept at hiding their activities.

Cynet use its multi-layered methodology to stop fileless attacks in their tracks before any stealthy access and data loss can occur:

  1. Cynet identifies fileless attack scenarios like shell code injection, DLL injection and malicious PowerShell commands.
  2. Kernel level analysis is performed to stop potential fileless attacks.
  3. Cynet monitors communications to identify malicious network activity like phishing or command & control servers.
  4. The Cynet platform detects vulnerable (outdated) software versions that can be exploited and impacted.
  5. Cynet uses behavioral indicators to identify fileless attacks.
  6. Cynet identifies memory modification tampering like memory injection.

Organizational security needs to be approached under the assumption that something unseen is always lurking somewhere you haven’t thought of looking. Threats are dynamic and constantly evolving, and fileless attacks are one example of how hackers look for ways to breach the network in smarter, increasingly under-the-radar ways. The Cynet 360 holistic security platform understands this, and ensures visibility into systems on a level that even hidden threats are red-flagged and remediated, before the damage is done.