Fileless Attacks

February 14, 2023

What Is a Fileless Attack?

A fileless attack exploits existing software, applications, and protocols to perform malicious activities. Threat actors use fileless attacks to gain control of targets without relying on executable files as the first phase of the attack. 

During fileless attacks, threat actors infiltrate, take control, and perform malicious activities by exploiting vulnerable software that an end user might use daily, such as Microsoft Word or the Chrome browser, or software already deployed on a server. 

Threat actors also use vulnerabilities to gain access to native operating system tools like PowerShell or any application that can allow a high level of access and privileges. These tools enable actors to perform basic commands across a network.

Fileless attacks are becoming increasingly common because traditional antivirus (AV) tools are not made to detect and prevent non-malware attacks. As a result, threat actors can use a fileless attack as a point of entry that might go completely overlooked, unless more advanced security tools are in place.

This is part of a series of articles about application security. 

In this article:

How Fileless Attacks Work: Stages of a Fileless Attack 

Here are the stages fileless attacks typically follow:

Phase 1: Access to the target machine

To carry out an attack, threat actors must first gain access to the target machine. Here are common tactics actors use to achieve this objective: 

  • A social engineering scheme like phishing emails.
  • Using compromised credentials, using password-cracking tools or other methods to obtain them. 

Once a threat actor obtains credentials, it allows access to the target system and possibly other environments.

Phase 2: Execution

After fileless malware gains access to a system, it aims to achieve code execution by manipulating software, libraries, or other resources available on the local system.

Phase 3: Persistence

Once malware is in control of the local system, it typically establishes a backdoor to enable the threat actor to access the target machine. The goal is to prevent losing access to the machine, ensuring the actor can gather information over a long period.

Phase 4: Goals

After locating the targeted information, the threat actor can achieve their goals. These often include exfiltrating sensitive data to another environment. 

Types of Fileless Attacks 

Exploit Kits

Exploits contain sequences of commands, collections of data, or code. Exploit kits consist of collections of exploits that enable threat actors to take advantage of a specific vulnerability. Threat actors use exploits to efficiently launch fileless attacks by injecting them directly into memory without writing to disk and automating initial compromises at scale.

Exploits typically start by using social engineering tactics to lure the victim into a trap. Most exploit kits include exploits for various vulnerabilities as well as a management console that allows the threat actor to control the compromised system. However, some exploit kits provide ways to scan the target system for known vulnerabilities, create a customized exploit, and launch an attack.

Registry Resident Malware

This malware installs itself within the Windows registry to remain persistent and evade detection. It might use tools similar to traditional malware attacks, but it operates differently to ensure AV cannot detect it.

Traditional malware attacks infect Windows systems using a “dropper” program that downloads the malicious file. It remains active on the target system, enabling its detection by AV. Fileless attacks might use a dropper but without downloading the malicious file. Instead, this program writes the malicious code directly into the system’s registry.

Additionally, it is possible to program the malicious code to launch whenever the operating system is launched, ensuring there are no malicious files to detect and the malicious code remains hidden within native files that are beyond the scope of what AV software can detect.

Poweliks is the oldest variant of registry resident malware, but many others have since emerged, including GootKit and Kovter. This is because malware that can modify registry keys is most likely to remain undetected for long periods.

Memory-Only Malware

This malware resides in memory only. The Duqu worm, for example, is a common memory-only malware that resides in memory to remain undetected. Duqu 2.0 has two versions – the first version includes a backdoor that allows gaining a foothold in the target, allowing the threat actor to use the advanced version that provides additional features for lateral movement, data exfiltration, and reconnaissance. 

Fileless Ransomware

Threat actors often use a combination of attacks and various technologies to capture their payload. Today’s ransomware attacks often leverage fileless techniques that embed malicious code into existing documents using native languages like macros or writing the code directly into memory using an exploit. It enables the ransomware to hijack native tools like PowerShell to encrypt and hold files hostage without writing any line to disk.

Fileless Attacks in Common Environments

Fileless Attacks in Windows 

Fileless attacks in Windows can take advantage of several built-in tools and features to execute malicious code without creating or modifying files on the system. Here are a few examples:

  • PowerShell: This powerful command-line tool is built into Windows, and it can be used to perform a wide range of tasks, including managing and automating Windows systems. Attackers can use PowerShell to download and execute malicious scripts or payloads directly from memory, without ever writing them to disk. 
  • Windows Management Instrumentation (WMI): This framework can be used to query and control various aspects of a Windows system. Attackers can use WMI to execute malicious code or scripts directly in memory, without creating or modifying files on the system.
  • .NET Framework: Attackers can use the framework to develop malicious applications that can execute code directly in memory, without creating or modifying files on the system.
  • Malicious macros: Macros are small programs that can automate tasks in applications such as Microsoft Office. Attackers can create malicious macros that are embedded in Office documents (such as Word, Excel, PowerPoint) and spread via email or other means. When the document is opened, the macro runs and can download and execute malicious scripts or payloads from a remote server.

Fileless Attacks in Linux

A fileless attack on a Linux system typically includes the following steps from infection to malicious code execution:

  1. Infection: The attack begins with the attacker exploiting a vulnerability in the system. This could be a vulnerability in a web application, an insecure configuration setting, or a missing patch. Once the vulnerability is exploited, the attacker can gain access to the system.
  2. Modifying a Linux process: The attacker will then use a legitimate process to load the malicious code into memory. This can be done by modifying an existing process, such as by injecting code into a running process, or by creating a new process and loading the malicious code into it.
  3. Inserting code in memory: Once the process has been modified, the attacker can insert the malicious code into memory. This code can be written in a scripting language such as Python or JavaScript, or it could be shellcode written in assembly language. The code is usually encrypted or obfuscated to avoid detection.
  4. Executing the malicious code: The attacker can now execute the attack. The code will carry out the attacker’s intended actions, such as stealing data or launching a DDoS attack. Because the code is not stored on the system’s hard drive, it can be difficult to detect and remove.

Fileless Malware in Containers 

Fileless malware is beginning to affect containerized applications as well. In this environment, it is even more difficult to detect and contain fileless attacks, due to the ephemeral nature of containers and the limited availability of monitoring and security tools.

To illustrate the threat, Aqua Nautilus found two compromised accounts on Docker Hub – lifengyi1323 and portaienr – with malicious container images. Research revealed that the accounts were used by TeamTNT, a known hacker group. Four of the images were designed to enable fileless malware. 

The lifengyi1323/traband image consisted of six layers – two of these included BusyBox, which provides Unix utilities, while the other layers contained malicious scripts and binaries. The container initiates with the execution of the shell file, located on the disk).

Here is what the malicious code looked like:

The file is a simple file that prepares the target environment to execute the other three malicious files. It starts by changing the attribute definitions in certain files – for example, the /root/sbin and /root/traband modes to enable execution. 

These packed files (sbin and traband) were not detected by the VirusTotal service, which analyzes URLs and files to identify malicious content. This lack of detection indicates the effectiveness of this technique in evading antivirus scanners. Upon further investigation, the team found that sbin was packed with the Ezuri memory loader, while traband was packed with both Exuri and UPX packers. Packers are a popular way for attackers to evade detection. They work by compressing malware files while retaining the code and functionality. Security scanners often view them as benign files. 

Another file – muser – was intended to create a backdoor for TeamTNT. Its script had the ability to erase cron jobs on the host and execute the muse file using a cron mounted to the host.

How to Detect and Prevent Fileless Attacks 

Fileless attacks target the security tools most enterprises rely on, making them exceedingly difficult to detect and prevent. However, enterprises can establish solid protection against fileless attacks by combining traditional prevention and next-generation technology. Here are several techniques that can help:

Prevent Malware from Entering the Enterprise Network

Since these attacks often rely on unpatched applications and hardware or software vulnerabilities to gain entry, it is critical to update and patch systems regularly. It can help limit the number of potential entry points.

Carry Out Cybersecurity Awareness Training

Fileless attackers often rely on social engineering to deposit their payloads. Cybersecurity awareness training can help prevent employees from falling into these traps. This training should include basic security practices like visiting secure websites only and emphasizing the need to exercise caution when opening email attachments.

Monitor Native Operating Systems Tools

Common fileless attacks exploit legitimate, privileged processes like PowerShell and WMI. Enterprises should closely monitor these services for unusual activity to detect fileless malware. Here are activities to monitor:

  • Elevating regular user privileges to administrator privileges without authorization
  • Remotely executing commands using PowerShell
  • Unfamiliar processes that are executing in the main memory
  • Suspicious modifications performed in the Windows registry 

Use Behavior Analysis to Identify Suspicious Activity

Detection based on signatures, rules, and scans cannot catch fileless attacks. Instead of looking for malicious files, enterprises should use anomalous behavior to identify activities that might indicate a fileless attack is occurring. 

Behavioral analysis can identify abnormal and suspicious activities that have evaded other detection technologies. For example, a user accessing a database they have not used previously or logging in at unusual hours can indicate compromise due to a fileless attack. 

Security systems using machine learning (ML)-based behavioral analytics can create a real-time baseline of normal behavior for users and applications. It enables them to identify activities that deviate from this baseline, flagging them for further investigation to help prevent or limit the damage caused by fileless attacks.

Protecting Against Fileless Attacks with Aqua Security

Using static vulnerability scanning tools such as Aqua Trivy is the first step to identify and mitigate vulnerabilities in your environment that attackers can exploit to deploy fileless malware. However, they are not enough to detect fileless execution and stop advanced attacks in runtime.

By executing malicious code directly from memory, attackers can evade detection by static scanners, and even some dynamic scanners, because they cannot read files from memory. Fileless malware is also undetectable by agentless and traditional anti-virus solutions that rely on signatures to identify malware. Only more sophisticated security tools that analyze a running system’s processes can help.

To protect against fileless attacks, you can use the following tools:

  • Aqua Tracee, a powerful open source runtime security and forensics tool for Linux that can detect suspicious or abnormal processes running in your environment. You can use Tracee to capture files executed from memory.
  • Aqua DTA (Dynamic Threat Analysis) is purpose-built to discover hidden malware in container images by running the image in a secure sandbox to analyze its behavior before deploying.
  • Aqua Cloud Native Detection and Response (CNDR) uses behavioral indicators created from observations of attacks in the wild to detect and stop unknown attacks in real time. Aqua CNDR can detect execution of fileless malware in your environment and alert you of malicious activity. The solution is part of the unified Aqua Cloud Native Security platform that delivers CNAPP, CSPM, and CWPP in one single source of truth, protecting the entire cloud native application lifecycle and stopping cloud native attacks.

To see how Aqua CNDR detects fileless execution, watch this video: