Non-malware attacks: What are they and how to protect against them?
What are non-malware attacks, how do they differ from traditional threats, why are they so dangerous, and what can you do to prevent them? Marcell Gogan answers these questions and more.
Non-malware attacks are on the rise. According to a study by the Ponemon Institute, 29 percent of the attacks organizations faced in 2017 were fileless, and in 2018 this number may increase to 35 percent.
So, what are non-malware attacks, how do they differ from traditional threats, why are they so dangerous, and what can you do to prevent them? Keep reading and you’ll learn the answer to each of these questions.
Non-malware attacks: What are they?
A non-malware or fileless attack is a type of cyber attack in which the malicious code has no body in the file system. In contrast to attacks carried out with the help of traditional malicious software, non-malware attacks don’t require installing any software on a victim’s machine. Basically, hackers have found a way to turn Windows against itself and carry out fileless attacks using built-in Windows tools.
The idea behind non-malware attacks is pretty simple: instead of dropping custom tools that could be flagged as malware, hackers use the tools that already exist on a device, take over a legitimate system process and run the malicious code in its memory space. This approach is also called “living off the land.”
This is how a non-malware attack usually happens:
- A user opens an infected email or visits an infected website
- An exploit kit scans the computer for vulnerabilities and uses them for inserting malicious code into one of Windows system administration tools
- Fileless malware runs its payload in an available DLL and starts the attack in the memory, hiding within a legitimate Windows process
Fileless malware can be downloaded from an infected website or email, introduced as malicious code from an infected application, or even delivered through a zero-day vulnerability.
Why are non-malware attacks so dangerous?
One of the main challenges posed by fileless malware is that it doesn’t use traditional malware and, therefore, has no file signature that anti-malware software could use to detect it. Thus, detecting fileless attacks is extremely challenging.
To understand better why they pose so much danger, let’s take a look at some of the most recent examples of fileless attacks.
One of the first examples of fileless malware was the Terminate-and-Stay-Resident (TSR) virus. TSR viruses had a body from which they started, but once the malicious code was loaded into memory, the executable file could be deleted.
Another example of a non-malware attack is the UIWIX threat. Just like WannaCry and Petya, UIWIX uses the EternalBlue exploit. It doesn’t drop any files on the disk but instead enables the installation of the DoublePulsar backdoor that lives in the kernel’s memory.
How do non-malware attacks work?
Since non-malware attacks use default Windows tools, they manage to hide their malicious activity behind the legitimate Windows processes. As a result, they become nearly undetectable for most anti-malware products.
Main non-malware attack targets
The hackers need to obtain as many resources as possible while keeping their malicious activity undetected. This is why the majority of fileless attacks focus on one of two targets:
- Windows Management Instrumentation (WMI)
- PowerShell
Depending on their targets, fileless attacks may either run in RAM or exploit vulnerabilities in software scripts.
The attackers choose WMI and PowerShell for several reasons. First, both tools are built into every modern version of Windows, which makes it easier for hackers to spread their malicious code. Second, turning off either of these tools is not a good idea, since it will significantly limit what network administrators can do. Some experts, however, suggest disabling WMI and PowerShell anyway as a preventive measure against fileless attacks.
4 common types of non-malware attacks
There are many types and variations of fileless malware. Below we list the four most common ones:
- Fileless persistence methods ― the malicious code continues to run even after the system reboot. For instance, malicious scripts may be stored in the Windows Registry and re-start the infection after a reboot.
- Memory-only threats ― the attack executes its payload in the memory by exploiting vulnerabilities in Windows services. After a reboot, the infection disappears.
- Dual-use tools ― the existing Windows system tools are used for malicious purposes.
- Non-Portable Executable (PE) file attacks ― a type of dual-use tool attack that uses legitimate Windows tools and applications as well as such scripts as PowerShell, CScript or WScript.
Non-malware attack techniques
In order to perform a non-malware attack, hackers use different techniques. Here are the four most frequently used ones:
- WMI persistence ― the WMI repository is used for storing malicious scripts that can be periodically invoked via WMI bindings.
- Script-based techniques ― hackers may use script files for embedding encoded shellcode or binaries without creating any files on the disk. These scripts can be decrypted on the fly and executed via .NET objects.
- Memory exploits ― fileless malware may be run remotely using memory exploits on a victim’s machine.
- Reflective DLL injection ― malicious DLLs are loaded into a process’s memory manually, without the need to save these DLLs on the disk. The malicious DLL can be either embedded in infected macros or scripts, or hosted on a remote machine and delivered through a staged network channel.
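As an added example that is not part of the original article, the following Python script shows how a defender can hunt for the persistence and in-memory techniques listed above in endpoint telemetry. It parses constructed records shaped like Sysmon WMI events (IDs 19, 20, 21), Sysmon registry events (ID 13) and PowerShell script block logs (ID 4104), and flags permanent WMI event subscriptions that execute code, autorun registry values that launch a script host, and script blocks that decode and load code in memory. The event IDs are real Sysmon and PowerShell identifiers; the field names are simplified and every log line is constructed for the demonstration.

```python
"""Detect indicators of fileless persistence and in-memory execution in
Windows telemetry. Added example: the records below are constructed to
resemble Sysmon and PowerShell Operational events, not real captures."""
import json
import re

# Real Sysmon event IDs for WMI permanent event subscription activity and
# registry value writes, and the PowerShell script block logging event.
WMI_FILTER, WMI_CONSUMER, WMI_BINDING = 19, 20, 21
REG_VALUE_SET = 13
PS_SCRIPT_BLOCK = 4104

# Consumer classes that run code when a bound WMI filter fires.
CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Registry keys commonly used to survive a reboot (Run / RunOnce).
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Script hosts a registry value can launch without dropping a PE file.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "regsvr32")

# Script block fragments that indicate decoding and loading code in memory.
IN_MEMORY_PATTERNS = [
    (re.compile(r"FromBase64String", re.I), "base64-decoded payload"),
    (re.compile(r"Invoke-Expression|\bIEX\b", re.I), "dynamic evaluation"),
    (re.compile(r"Reflection\.Assembly\]::Load", re.I), "reflective assembly load"),
    (re.compile(r"VirtualAlloc|WriteProcessMemory", re.I), "raw memory API"),
]


def classify(event: dict) -> list[str]:
    """Return findings for one telemetry record (empty list if benign)."""
    eid = event.get("EventID")
    findings = []
    # A filter on its own (ID 19) is common in management software, so only
    # the code-executing consumer and the binding that arms it are flagged.
    if eid == WMI_CONSUMER and event.get("Type") in CODE_EXEC_CONSUMERS:
        findings.append(f"WMI consumer executing code: {event.get('Name')}")
    elif eid == WMI_BINDING:
        findings.append(f"WMI filter-to-consumer binding: {event.get('Consumer')}")
    elif eid == REG_VALUE_SET:
        target = event.get("TargetObject", "")
        details = event.get("Details", "").lower()
        if AUTORUN_KEY_RE.search(target) and any(h in details for h in SCRIPT_HOSTS):
            findings.append(f"autorun value invoking a script host: {target}")
    elif eid == PS_SCRIPT_BLOCK:
        text = event.get("ScriptBlockText", "")
        hits = [label for rx, label in IN_MEMORY_PATTERNS if rx.search(text)]
        # A single pattern is common in admin scripts; two or more together
        # is the decode-then-load shape worth an analyst's attention.
        if len(hits) >= 2:
            findings.append("in-memory execution indicators: " + ", ".join(hits))
    return findings


def scan(lines) -> list[tuple[int, str]]:
    """Parse JSON lines and return (EventID, finding) pairs in log order."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for finding in classify(event):
            results.append((event["EventID"], finding))
    return results


# Constructed sample telemetry (not real logs); the "..." are deliberate elisions.
SAMPLE_LOG = r"""
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "powershell.exe -w hidden -enc ..."}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Vendor\\App\\InstallDir", "Details": "C:\\Program Files\\App"}
{"EventID": 19, "Name": "ExampleFilter", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"}
{"EventID": 20, "Name": "ExampleConsumer", "Type": "CommandLineEventConsumer", "Destination": "powershell.exe -nop -c ..."}
{"EventID": 21, "Consumer": "CommandLineEventConsumer.Name=\"ExampleConsumer\"", "Filter": "__EventFilter.Name=\"ExampleFilter\""}
{"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"}
{"EventID": 4104, "ScriptBlockText": "$b=[Convert]::FromBase64String($s); [System.Reflection.Assembly]::Load($b)"}
"""

if __name__ == "__main__":
    for eid, finding in scan(SAMPLE_LOG.splitlines()):
        print(eid, finding)
```

Run against the constructed sample, the script reports the autorun value, the code-executing WMI consumer, the binding that arms it, and the decode-and-load script block, while the benign registry write, the bare filter and the ordinary file listing pass without a finding. In production the same logic would read from the Sysmon and PowerShell Operational channels, which is why enabling script block logging and WMI event collection matters: the technique leaves no file to scan, but it does leave these events.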
Now it’s time to talk about the ways you can protect your company against non-malware attacks.
5 ways to protect against non-malware attacks
Experts offer different ways of preventing and stopping fileless malware: from disabling the most vulnerable Windows tools to using next-generation anti-malware solutions. The following five suggestions may be helpful in protecting your company network against non-malware attacks.
- Restrict unnecessary management frameworks. The majority of non-malware threats are based on the vulnerabilities found in management frameworks like PowerShell or WMI. The attackers use these frameworks to secretly execute commands on a victim’s machine while the infection lives in its memory. So it is better to disable these tools wherever possible.
- Disable macros. Disabling macros altogether prevents unsecured and untrusted code from running on your system. If using macros is a requirement for your enterprise’s end users, you can digitally sign trusted macros and restrict the usage of any other types of macros.
- Monitor unauthorized traffic. By constantly monitoring the security appliance logs from different devices, you can detect unauthorized traffic in your company’s network. It would also be helpful to record a set of baselines to understand better the network operating flow and be able to detect any anomalies, such as devices communicating with unauthorized remote devices or transmitting inordinate amounts of data.
- Use next-generation endpoint security solutions. In contrast to traditional anti-malware software, some endpoint solutions have a heuristics component able to perform basic system behavior analysis. Since certain types of malware share a specific set of behavioral characteristics, heuristics-based methods can halt activity that matches known threat behavior, thus stopping a possible attack from delivering its full payload. In case of a false positive, end users may manually authorize the process to continue.
- Keep all the devices updated. Patch management plays a significant role in securing your system and preventing possible breaches. By delivering the latest patches in a timely manner, you can effectively raise the level of your system’s protection against non-malware attacks.
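The "monitor unauthorized traffic" recommendation above suggests recording a baseline and then alerting on devices that talk to unauthorized remote peers or move inordinate amounts of data. As an added example that is not part of the original article, the following Python script implements that idea: it learns each host's normal set of external destinations and outbound byte volume from constructed learning-period flow records, then scores new observations against that baseline. The host names, IP addresses (from documentation ranges) and byte counts are all constructed, and the 3-sigma threshold and 5 percent standard-deviation floor are assumed tuning values.

```python
"""Compare observed outbound flows against a per-host baseline to flag new
peers and abnormal data volumes. Added example with constructed flow records,
not a real capture."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-period records: (src_host, dst_ip, bytes_out) per hour.
BASELINE_FLOWS = [
    ("ws-01", "203.0.113.10", 120_000), ("ws-01", "203.0.113.10", 135_000),
    ("ws-01", "203.0.113.11", 90_000),  ("ws-01", "203.0.113.10", 110_000),
    ("db-01", "203.0.113.20", 1_500_000), ("db-01", "203.0.113.20", 1_450_000),
    ("db-01", "203.0.113.20", 1_600_000), ("db-01", "203.0.113.20", 1_550_000),
]


def build_baseline(flows):
    """Return {host: (known_destinations, mean_bytes, stdev_bytes)}."""
    dests = defaultdict(set)
    volumes = defaultdict(list)
    for host, dst, nbytes in flows:
        dests[host].add(dst)
        volumes[host].append(nbytes)
    return {h: (dests[h], mean(volumes[h]), pstdev(volumes[h])) for h in dests}


def detect_anomalies(baseline, flows, z_threshold=3.0, min_stdev_ratio=0.05):
    """Flag flows to unknown peers or with volume far above the host's norm.

    The floor on the standard deviation (assumed tuning value) stops a host
    whose learning-period traffic was nearly constant from alerting on
    trivial fluctuations once it is in production."""
    alerts = []
    for host, dst, nbytes in flows:
        if host not in baseline:
            alerts.append((host, dst, "host has no baseline"))
            continue
        known, mu, sigma = baseline[host]
        sigma = max(sigma, mu * min_stdev_ratio)
        if dst not in known:
            alerts.append((host, dst, "new external destination"))
        if sigma > 0 and (nbytes - mu) / sigma > z_threshold:
            alerts.append((host, dst,
                           f"volume {nbytes} exceeds baseline ({mu:.0f} +/- {sigma:.0f})"))
    return alerts


# Constructed observations from the current hour.
OBSERVED_FLOWS = [
    ("ws-01", "203.0.113.10", 125_000),    # within normal range
    ("ws-01", "198.51.100.7", 40_000),     # destination never seen in baseline
    ("db-01", "203.0.113.20", 9_800_000),  # roughly 6x the usual hourly volume
    ("ws-09", "203.0.113.10", 10_000),     # host absent from the baseline
]

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(*alert)
```

The first observation passes silently; the other three produce one alert each. A fileless implant that beacons to a new host, or stages data out through an otherwise legitimate process, shows up here even though no file ever touched the disk, which is the reason the recommendation pairs log collection with a recorded baseline rather than relying on signatures.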
Fileless attacks are on the rise mostly because they are so difficult to detect by standard anti-malware solutions. And while effectively detecting non-malware threats remains a challenge, these tips may help you prevent possible attacks from happening.