The fileless malware myth

Author: Mathias Fuchs
Published: 5 April 2019

At present there are an increasing number of reports about what is known as "fileless malware", i.e. malware that does without files in the file system and lives only in main memory. In recent months, my team at the InfoGuard Cyber Defence Center has been asked with increasing frequency whether something like this can be detected at all. The short answer is YES: in order to run, malware always has to "live" in RAM at some point, and RAM can be examined with methods that we have been using for years. How does it work? Find out in this blog post!

Of course, the detailed answer is slightly more complicated. Most of the reports mentioned above refer to malware that runs on the main CPU and in regular memory. A few other publications describe malware outside the main CPU and main memory, i.e. malware that runs, for example, on the microcontroller of the BIOS flash chip or of the graphics card. The reported Supermicro incident, in which additional chips are said to have been inserted on the motherboard, also falls into this category. This post deals with the first, far more common kind.

Malware 101

When dealing with malware, there are two basic principles. The first: «Malware can hide but it must run». To put it another way, even with malware that is commonly called fileless, some sort of program code must be brought onto the targeted system so that it can sit in main memory and be executed by the processor. At this point the malware author has two options: either the malware runs as a separate process, or it runs inside the memory of another, legitimate process.

The first situation is easy to spot, because a normal process has its executable on disk: the image that was loaded into memory can be matched against a file. Executable code in a process that has no corresponding file on the hard disk, or whose file was deleted after the process started, therefore stands out quickly during a hunt.

In the second situation, a legitimate program is started from the hard disk and the malicious code is loaded into the memory space of that application. We call this memory injection. In practice there are many, many ways of detecting it, for example by looking for memory regions that are executable but not backed by any file on disk. One of these methods is part of our default hunting sessions here at InfoGuard.
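The two cases from the first principle (a process whose own file is gone, and a legitimate process with injected code) can be checked mechanically against process memory maps. The following is an added example, not InfoGuard's hunting tooling, which the post does not show. It uses the Linux /proc/&lt;pid&gt;/maps and /proc/&lt;pid&gt;/exe layout; on Windows the same questions are asked of each process's VAD tree, which is what Volatility's malfind plugin does. All process records below are constructed for the example.

```python
"""Hunting for executable code that has no file behind it (principle 1).

Added example modelled on Linux /proc/<pid>/maps and /proc/<pid>/exe; the
process records below are constructed, not taken from a real system.
"""
import re
from dataclasses import dataclass

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)
# Kernel-provided pseudo-mappings that are executable but legitimately have no file.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}


@dataclass(frozen=True)
class Finding:
    pid: int
    kind: str      # "deleted_image", "deleted_code" or "anonymous_exec"
    detail: str


def parse_maps(text):
    """Parse /proc/<pid>/maps text into (start, end, perms, path) tuples."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append((int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"].strip()))
    return regions


def hunt(process):
    """Return the suspicious code regions of one process record."""
    findings = []
    pid, exe = process["pid"], process["exe"]
    # Case "own process": the main image was unlinked after start or never was a file.
    if exe.endswith(" (deleted)") or exe.startswith("/memfd:"):
        findings.append(Finding(pid, "deleted_image", exe))
    for start, end, perms, path in parse_maps(process["maps"]):
        if "x" not in perms or path in KERNEL_PSEUDO:
            continue
        where = f"{start:x}-{end:x} {perms}"
        if path == "" or path.startswith("["):
            # Case "injection": executable region that no file on disk accounts for.
            findings.append(Finding(pid, "anonymous_exec", f"{where} {path or '<anon>'}"))
        elif path.endswith(" (deleted)") or path.startswith("/memfd:"):
            findings.append(Finding(pid, "deleted_code", f"{where} {path}"))
    return findings


def hunt_all(processes):
    return {p["pid"]: hunt(p) for p in processes}


# Constructed process records (hypothetical PIDs, paths and addresses).
SAMPLE_PROCESSES = [
    # Clean daemon: code backed by its file, only [vdso] is executable without one.
    {"pid": 1001, "exe": "/usr/sbin/sshd", "maps": """
5581e3a00000-5581e3a52000 r-xp 00000000 08:01 1234 /usr/sbin/sshd
5581e3c52000-5581e3c53000 rw-p 00052000 08:01 1234 /usr/sbin/sshd
5581e4000000-5581e4021000 rw-p 00000000 00:00 0 [heap]
7ffc12345000-7ffc12347000 r-xp 00000000 00:00 0 [vdso]
7ffc12400000-7ffc12421000 rw-p 00000000 00:00 0 [stack]
"""},
    # Dropper that deleted its own binary after starting (principle 1, own process).
    {"pid": 2042, "exe": "/tmp/.x/agent (deleted)", "maps": """
00400000-00452000 r-xp 00000000 08:01 9911 /tmp/.x/agent (deleted)
00652000-00653000 rw-p 00052000 08:01 9911 /tmp/.x/agent (deleted)
7f9b00000000-7f9b00021000 rw-p 00000000 00:00 0 [heap]
"""},
    # Legitimate interpreter with an injected anonymous RWX region (principle 1, injection).
    {"pid": 3077, "exe": "/usr/bin/python3.8", "maps": """
5640a2a00000-5640a2d1a000 r-xp 00000000 08:01 4567 /usr/bin/python3.8
7f3c00000000-7f3c00010000 rwxp 00000000 00:00 0
7f3c10000000-7f3c10200000 r-xp 00000000 08:01 7788 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""},
]

if __name__ == "__main__":
    for pid, findings in hunt_all(SAMPLE_PROCESSES).items():
        for f in findings:
            print(pid, f.kind, f.detail)
```

Treat the output as a triage list, not a verdict: JIT engines (browsers, the .NET and Java runtimes) and some packers legitimately create anonymous executable regions, so the anonymous_exec hits need to be baselined against what the application normally does.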

Is fileless malware really fileless?

Before we get to the second basic principle, we need to clarify how the malicious code described above gets onto the computer when we talk about fileless malware. One of the most common ways is to send manipulated documents with macros, which then download the malicious code and place it in memory. Unlike other authors, I have always had a problem calling this fileless malware: in the end, a malicious file does exist on the system, at least temporarily, and can therefore be found forensically at a later date. Does that make sense?

How to get malcode into the system by a circuitous route

Another way of introducing malicious code is to exploit vulnerabilities. In this case it is even possible to place the code in memory without any intermediate storage on the hard disk. How does that work? If an application has a suitable vulnerability, malicious code can be injected directly into its memory over the network, in a similar way to the vulnerability exploited by WannaCry. Such events frequently cause the vulnerable application to crash, but they do not necessarily leave behind more evidence than a log entry on the hard disk.

«Malware must survive reboots»

This brings me to the second principle of malware: "Malware must survive reboots". The hard drive is a computer's long-term memory. For this reason, even fileless malware must use the hard disk (the registry, for example, whose hives also live on disk) in order to be reactivated after the computer has been restarted. To this end it can use a variety of persistence mechanisms, which Hexacorn describes in great detail in the series «Beyond good ol' Run key». One technique that makes malware harder to detect is that some samples remove their persistence mechanism after start-up and reinstall it when the system shuts down; an inventory of autostart entries taken while the system is running then shows nothing. Once the persisted code is running, the first part of this post applies again: it either runs in its own process or injects itself into a third-party process.
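Two checks follow from the second principle: which autostart entries launch code that is not a file on disk, and which entries exist only around shutdown. The following is an added example, not code from the post or from Hexacorn's series (which covers far more locations than the Run key used here). It triages two constructed exports of the HKCU Run key, one taken while the system was running and one taken during shutdown; the value names and command lines are invented for the example.

```python
"""Autostart triage for principle 2: which Run-key entries look like fileless
loaders, and which ones exist only while the machine is shutting down?

Added example; the snapshots below are constructed stand-ins for an export of
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (value name -> command).
"""
import re

# Script hosts and living-off-the-land binaries that fileless loaders use to run
# code which is not a file on disk.
SCRIPT_HOSTS = {"powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "cmd"}

# Argument patterns that typically mean the payload itself never touches the disk.
FILELESS_ARG_PATTERNS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s"), "encoded_command"),
    (re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?\b"), "hidden_window"),
    (re.compile(r"(?i)\bjavascript:"), "inline_script"),
    (re.compile(r"(?i)\bhttps?://"), "remote_payload"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "invoke_expression"),
]
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def image_name(command):
    """Executable name (without .exe) from the first token of a command line."""
    m = IMAGE_RE.match(command)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(command):
    """Tags describing why a command line looks like a fileless loader (empty if it does not)."""
    tags = []
    if image_name(command) in SCRIPT_HOSTS:
        tags.append("script_host")
    for pattern, tag in FILELESS_ARG_PATTERNS:
        if pattern.search(command):
            tags.append(tag)
    return tags


def transient_entries(running, shutdown):
    """Entries seen in the shutdown-time snapshot but not while the system was up:
    the 'remove at start-up, reinstall at shutdown' trick."""
    return {name: cmd for name, cmd in shutdown.items() if name not in running}


def triage(running, shutdown):
    """Merge both snapshots and report every entry that earns at least one tag."""
    transient = transient_entries(running, shutdown)
    merged = {**running, **shutdown}
    report = []
    for name in sorted(merged):
        tags = classify(merged[name])
        if name in transient:
            tags.append("transient_persistence")
        if tags:
            report.append({"name": name, "command": merged[name], "tags": tags})
    return report


# Constructed snapshots (hypothetical value names, users and paths).
RUNNING_SNAPSHOT = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    # Poweliks-style entry: rundll32 runs inline JavaScript that reads the real payload
    # out of another registry value, so no payload file exists on disk.
    "Default Host": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval(new ActiveXObject("WScript.Shell").RegRead("HKCU\\Software\\Demo\\payload"))',
}
SHUTDOWN_SNAPSHOT = {
    **RUNNING_SNAPSHOT,
    # Present only at shutdown time. The -Enc argument is a harmless placeholder:
    # base64 of "AAA" in UTF-16LE, not a real payload.
    "WindowsUpdateCheck": r"powershell.exe -NoP -W Hidden -Enc QQBBAEEA",
}

if __name__ == "__main__":
    for entry in triage(RUNNING_SNAPSHOT, SHUTDOWN_SNAPSHOT):
        print(entry["name"], entry["tags"], entry["command"])
```

The snapshot comparison is the part worth taking away: a single autoruns export cannot catch persistence that is removed at start-up, so the inventory has to be collected at more than one point in the machine's life (or the Run key has to be monitored for writes), and the comparison then does the work.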

Why fileless malware is worth far more than 5,000 characters

This is no more than a brief, relatively non-technical summary; it is important that everyone, including readers without a technical background, can appreciate the problem. In addition to the methods for detecting "fileless malware" mentioned above, there are of course many other means, such as network monitoring, that can reveal the use of this kind of malware.
