What if I told you that a looming hacker no longer even has to fool you into installing malicious files on your computer in order to steal sensitive info?
Let’s take a look at how this form of (non-) malware works…
How the hell does this fileless malware attack occur?
The broader picture involves taking control of legit Windows tools like PowerShell and Windows Management Instrumentation (WMI) and then undertaking malicious activity at the command-line level.
The sneaky part is that since PowerShell is such a trusted component of Windows, many security scanners don’t inspect what it does.
Meanwhile, once in the system by following the path of least resistance, the perp can retrieve sensitive data and migrate to other machines on the network at their own leisure.
An example of how this might happen…in three steps.
1: Perhaps prompted by a clever spam message promising riches, a user clicks on a link and lands on a website.
2: When the Flash player loads, the fix is in.
3: Flash then invokes PowerShell, and from here, operating solely in the computer’s memory, instructions are passed through the command line. Those instructions tell PowerShell to download a malicious PowerShell script specializing in collecting sensitive data and sending it back to its creator.
Note: Not once in the process did the criminal have to figure out how to sneak a malicious program past antivirus and malware defenses. This is a huge deal, actually.
Why Now?
The reason that more sophisticated cyber criminals have shifted their focus away from popular attack strategies like brute-force automated login attempts or spear phishing schemes is simple: traditional antivirus and anti-malware security aren’t even looking where these fileless malware attacks happen.
They aren’t designed to stop this. The antivirus suite on your computer is trained to sniff out trouble when one simple thing happens – a file is written.
Does that mean traditional AntiVirus suites are now useless in detecting this new type of computer takeover? Yep, that’s precisely what it means.
There’s a good chance that once either PowerShell or the WMI is compromised, an attacker can sit there undetected for however long they like, pilfering data at their own convenience.
Steps to protect yourself against fileless malware attacks
Despite the claims that this brand of malware is undetectable, it isn’t literally so; it just seems that way compared with previous malware iterations.
The following steps aren’t foolproof, but they do provide a layered and systematic security approach that should minimize risk to your organization.
- Regularly check security logs for inordinate amounts of data leaving the network.
- Look for changes in the system’s usual behavior patterns when compared against baselines.
- Update your software regularly.
- Disable PowerShell and WMI if you are not using them.
- Disable macros if you are not using them. If you do use them, digitally sign them and allow only those vetted specifically for the company.
The five solutions presented above are meant as a starting point for a system administrator (sys admin) or IT staff to begin securing the network against these types of attacks.
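To make the first two steps concrete (watching for inordinate amounts of data leaving the network, and for deviations from a baseline), here is an added Python example that is not from the original post. It compares each host’s outbound byte count for the day under review against a per-host baseline built from the previous week. All host names, byte counts and threshold settings are constructed for this example.

```python
import statistics

# Constructed sample: bytes sent out of the network per host per day over the
# past week (the baseline) and for the day under review. Host names are
# hypothetical; WS-NEW has no history at all.
HISTORY = {
    "WS-0412":    [310e6, 290e6, 330e6, 305e6, 295e6, 320e6, 300e6],
    "SRV-FILE01": [8.1e9, 7.9e9, 8.4e9, 8.0e9, 8.2e9, 7.8e9, 8.3e9],
    "WS-0099":    [120e6, 140e6, 110e6, 130e6, 125e6, 135e6, 115e6],
}
TODAY = {"WS-0412": 4.2e9, "SRV-FILE01": 8.2e9, "WS-0099": 128e6, "WS-NEW": 50e6}


def egress_anomalies(history, today, sigmas=3.0, min_ratio=2.0):
    """Return {host: multiple_of_baseline} for hosts whose outbound volume today
    exceeds both (mean + sigmas * stdev) and (min_ratio * mean) of their history.
    The ratio floor stops a very steady host, whose stdev is tiny, from alerting
    on a small bump. Hosts with fewer than two days of history are skipped here
    and listed by hosts_without_baseline() instead."""
    flagged = {}
    for host, sent in today.items():
        past = history.get(host)
        if not past or len(past) < 2:
            continue
        mean = statistics.fmean(past)
        sd = statistics.pstdev(past)
        threshold = max(mean + sigmas * sd, mean * min_ratio)
        if sent > threshold:
            flagged[host] = round(sent / mean, 1)
    return flagged


def hosts_without_baseline(history, today):
    """Hosts seen today that have no usable history; they need manual review
    rather than a statistical verdict."""
    return sorted(h for h in today if len(history.get(h, [])) < 2)


if __name__ == "__main__":
    for host, ratio in egress_anomalies(HISTORY, TODAY).items():
        print(f"{host}: {ratio}x its weekly baseline of outbound data")
    for host in hosts_without_baseline(HISTORY, TODAY):
        print(f"{host}: no baseline yet, review manually")
```

Only the workstation that pushed out roughly 13.7 times its usual volume is flagged; the file server moves far more data in absolute terms but stays within its own baseline, which is the point of comparing each system against its own normal behaviour rather than against a single network-wide number.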
Olé Crypto,
CBNN