Pratum Blog

Fileless Malware Attack Process

Every ransomware update you’ll hear right now includes discussion of a growing threat that goes by multiple names. Fileless malware. Living-off-the-land attacks. Memory-based attacks. Non-malware attacks.

Whatever you call it, the fileless malware threat is growing and extremely evasive—but you can mount a meaningful defense. In this blog, we talk with Pratum Senior Penetration Tester Jason Moulder about the growing issue of fileless malware attacks, how they work and how you can create an effective defense against this slippery enemy.

Fileless Malware Basics

Fileless malware attacks give almost no sign of entry and leave almost no evidence in their wake. If a data breach were a physical burglary, a fileless malware attack would look something like arriving at your office to find the company’s secret formula missing from the vault. Yet there’s no sign of a broken lock, overturned furniture or even a footprint in the carpet. The bad guys seem to have materialized in the vault and evaporated with the goods just as mysteriously. The reality, however, is that they somehow convinced one of your trusted employees to steal the formula using their approved access to the vault.

In the same way, fileless malware attacks without introducing a foreign file into your system. It sneaks into legitimate operating system processes (especially Windows PowerShell) and works against you. That makes it extremely hard to detect through traditional antivirus software, which works by looking for known file signatures.

This hacking technique has been surging lately, as fileless malware attacks jumped 900% in 2020, according to one report. One study found that 74% of malware attacks in Q1 2021 were zero-day attacks, which includes any attack that doesn’t show up in the databases of signature-scanning tools.

How Fileless Malware Works


Because these attacks leverage scripts within your legitimate software, they’re a bit like a digital cancer, with hackers turning the system’s own elements against it. With no file installation to detect, antivirus programs usually can’t see them. And because the fileless malware exploits trusted applications or the operating system itself, blocking apps you consider dangerous won’t do any good. The most common vectors in fileless attacks are scripts that exploit Windows’ PowerShell, accounting for up to 90% of fileless attacks in some studies. Hackers also frequently leverage Windows Remote Management (WinRM) in fileless attacks.

Pratum Senior Penetration Tester Jason Moulder, who spends his days getting inside hackers’ minds, calls fileless malware one of the most elusive threats in play. “If you were to scan all the communication between all the APIs in your system every day, you’re looking at an incredible amount of data. If you look at your Task Manager, you’ll see certain elements running 50 times simultaneously because it’s used by multiple programs. That’s what makes fileless malware such a great attack avenue. The malicious activity gets lost inside the normal activities that make your operating system function.”

Digital forensics investigations struggle to analyze how attacks happened because the malicious script runs in memory and disappears after the system restarts.

Hackers also like this form of attack because it gives them admin access to an endpoint, letting them exploit it as a gateway to the rest of the network.

Common Fileless Malware Carriers

The security community has identified scores of binaries, scripts and libraries that hackers use in fileless attacks. (You can browse a list here.) Here are some of the most common ways that hackers get a foot in the door for these attacks:

Web scripts – Hackers often launch malicious scripts through JavaScript, a staple of web page design. (Hackers also relied on the popular Flash web-based script before it was officially discontinued early in 2021.) Hackers lure users into clicking a link in an e-mail that takes them to a website that looks legit but is set up to scan for vulnerabilities and slip malicious code into the system. That means, as usual, that social engineering is a critical vulnerability you need to shut down through better user training.

PDFs – The issue with this ubiquitous file type typically revolves around opening PDFs in the web browser by default, which triggers one of the scripts hackers seek to exploit by blending their code into legitimate processes. “For example,” Jason says, “you can write something for PowerShell that says, ‘When you open this, open this command in the background and go get this file from the Internet.’ Whenever it goes to this website, that site can load something into memory.”

Microsoft Office macros – Similarly, Office macros run scripts that give hackers a chance to piggyback with their own malicious scripts. In response, Office now automatically blocks most macros. But Jason warns, “You can still trick people into enabling the macro. It may require some limited user action to initiate it, especially if it’s a Word doc or a PDF. When they click it to open it, that part is written to disk and can be seen in forensics. But once it’s loaded into memory, that’s where it can get lost pretty quickly.”

How You Can Protect Yourself

Security leaders engage in a daily arms race with hackers as each side counters new moves by the other. While fileless malware presents a serious threat, you can actively defend against it with the following steps.

Implement managed XDR – A managed XDR service like Pratum’s provides complete monitoring across your entire system through SIEM, endpoint detection and response and 24/7 SOC analysts interpreting the alerts that come in. Managed XDR spots suspicious activity and correlates signals to form a picture of a developing threat, even when it’s caused by something other than a known malicious file.

Jason points to the following indicators that XDR can pick up as the sign of a brewing fileless malware attack:

  • Numerous queries against Active Directory related to user and domain enumeration. That could give away an attacker preparing to pivot by exploring what access they have.
  • Legitimate activities chained together in unusual ways. “If someone initialized a connection and then tried to impersonate an administrator or grab a Kerberos ticket, that’s not something that should happen,” Jason says.
  • Suspicious password activities. If your monitoring solution sees NTLM hashes being passed instead of legit passwords, that could be suspicious. It may mean someone scraped that from memory and doesn’t know the legit passwords.
  • Multiple admin logins from the same person or logins outside of normal hours.
  • Unapproved versions. If you prefer a particular version of PsExec, for example, whitelist only that version in your system. That makes it easier to spot someone running a version with a different hash.
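The indicators above are easiest to understand as detection rules over the events a SIEM already collects. The following block is an added example, not Pratum's or Jason's code: it runs five rules, one per bullet, over a handful of constructed Windows-style event records (simplified 4688 process-creation and 4624 logon events; the hostnames, users, command lines and hashes are made up for the example, and the PsExec allow-list holds placeholder hashes rather than real ones).

```python
"""Detection rules for the fileless-malware indicators listed above, run over
constructed Windows-style event records. Added example, not Pratum's code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). They mimic, in simplified
# form, Windows Security events 4688 (process creation) and 4624 (logon).
EVENTS = [
    {"id": 4688, "time": "2021-09-14T10:02:11", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "sha256": "a1" * 32},
    {"id": 4688, "time": "2021-09-14T10:03:40", "host": "WS01", "user": "alice",
     "image": r"C:\Tools\PsExec.exe", "cmdline": r"PsExec.exe \\SRV02 cmd",
     "sha256": "ff" * 32},
    {"id": 4688, "time": "2021-09-14T10:05:00", "host": "WS02", "user": "carol",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1", "sha256": "a1" * 32},
    {"id": 4624, "time": "2021-09-14T02:15:00", "host": "SRV02", "user": "admin.bob",
     "logon_type": 3, "auth_package": "NTLM", "elevated": True},
    {"id": 4624, "time": "2021-09-14T02:16:30", "host": "SRV03", "user": "admin.bob",
     "logon_type": 3, "auth_package": "NTLM", "elevated": True},
    {"id": 4624, "time": "2021-09-14T02:17:05", "host": "SRV04", "user": "admin.bob",
     "logon_type": 3, "auth_package": "NTLM", "elevated": True},
    {"id": 4624, "time": "2021-09-14T09:00:00", "host": "WS02", "user": "carol",
     "logon_type": 2, "auth_package": "Kerberos", "elevated": False},
]

# Allow-list of approved tool hashes. These are constructed placeholder values,
# not real PsExec hashes; in production they come from your own golden image.
APPROVED_HASHES = {"psexec.exe": {"ee" * 32}}

# Command-line fragments that typically mean a script is being staged straight
# into memory instead of run from an approved file on disk.
POWERSHELL_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_powershell(events):
    """Indicator: PowerShell launched with encoded, hidden or download-and-run flags."""
    hits = []
    for e in events:
        if e["id"] == 4688 and basename(e["image"]) == "powershell.exe":
            m = POWERSHELL_FLAGS.search(e["cmdline"])
            if m:
                hits.append((e["host"], e["user"], m.group(0)))
    return hits


def ntlm_admin_logons(events):
    """Indicator: privileged logons authenticated with NTLM rather than Kerberos,
    which is how a pass-the-hash session shows up in the logon log."""
    return [(e["host"], e["user"]) for e in events
            if e["id"] == 4624 and e["elevated"] and e["auth_package"].upper() == "NTLM"]


def off_hours_admin_logons(events, start_hour=7, end_hour=19):
    """Indicator: privileged logons outside the business day."""
    hits = []
    for e in events:
        if e["id"] == 4624 and e["elevated"]:
            hour = datetime.fromisoformat(e["time"]).hour
            if not start_hour <= hour < end_hour:
                hits.append((e["host"], e["user"], e["time"]))
    return hits


def admin_logon_spread(events, max_hosts=2):
    """Indicator: one admin account logging on to more hosts than expected."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["elevated"]:
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > max_hosts}


def unapproved_binaries(events, approved=APPROVED_HASHES):
    """Indicator: an allow-listed tool name running with an unexpected hash."""
    return [(e["host"], basename(e["image"]), e["sha256"]) for e in events
            if e["id"] == 4688 and basename(e["image"]) in approved
            and e["sha256"] not in approved[basename(e["image"])]]


def run_all(events=EVENTS):
    return {
        "powershell": suspicious_powershell(events),
        "ntlm_admin": ntlm_admin_logons(events),
        "off_hours_admin": off_hours_admin_logons(events),
        "admin_spread": admin_logon_spread(events),
        "unapproved": unapproved_binaries(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(rule, findings)
```

On the sample data every rule fires except for carol, whose interactive Kerberos logon at 09:00 and PowerShell run of a script file on disk are the baseline these rules are meant to leave alone. The value of an XDR platform is in correlating hits across rules: one NTLM logon is noise, but NTLM admin logons at 02:15 spreading across three servers within minutes, right after an encoded PowerShell launch on a workstation, is the chained picture Jason describes.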

Limit user access – Many fileless malware attacks target users with wide-ranging network access, using compromised credentials to pivot throughout the system. By limiting users to only the data they really need (as described here), you can limit hackers’ ability to move laterally if they get in.

Jason calls specific attention to admin accounts. “Using the default admin built into Windows is a very bad habit because once you have that account, you can go pretty much anywhere,” he says.

Train employees – This advice never goes out of style. Teaching employees to recognize and avoid suspicious links will greatly reduce your risk by preventing malicious scripts from ever getting the chance to scan a device and go to work.


For advice about how you can protect your specific system from the ever-changing fileless malware threat, contact Pratum today.


One of 2021’s biggest cybersecurity storylines has been the jump in supply chain attacks. (They’ve jumped fourfold this year in some reports.) These attacks turn the breach of a single organization into a massive headache for hundreds of partner companies. One of the most famous examples was the breach of Kaseya in July. That attack eventually enabled the REvil ransomware organization to encrypt the data of hundreds of companies worldwide as the attack cascaded outward from Kaseya to managed service providers (MSPs) to small/medium-size businesses. In a supply chain attack, the threat comes from one of your trusted software providers who hackers turn into a Trojan horse before anyone realizes what’s happening.

In this post, we’ll break down how supply chain attacks happen and what you can do to protect your system from these threats that arrive when your most trusted vendors unknowingly pass a big problem along to you.

Basics of Supply Chain Attacks

In what you might think of as a traditional hack, threat actors target one company and conduct reconnaissance to find vulnerabilities they can exploit. Then the threat actor breaks into that specific victim's computer network to exfiltrate data, launch ransomware, etc.

During a supply chain attack, the threat actors take the same initial steps, but their focus is upstream. They will compromise and infiltrate a trusted vendor that supplies software or IT services to many other companies. In this kind of attack, the goal isn’t focused on data exfiltration or launching ransomware on the vendors’ systems. Rather, hackers intend to sneak malware into the “supply chain” of software updates that the company installs on its customers’ computers. From a hacker’s perspective, these attacks are more efficient and have a greater impact because they leverage IT vendors that already have established and authorized connections into their customers’ network and systems. That means the malware can deploy across hundreds of companies and systems virtually undetected.

Every client of the IT vendor under attack becomes part of the attack. This blows up the “security by obscurity” belief that many smaller companies adopt. They think that because they’re small, they won’t be targeted by threat actors. But with supply chain attacks, tiny companies face just as much risk as big, high-profile enterprises.

The Kaseya Case Study

To understand these attacks, let’s break down the famous 2021 breach of Kaseya, an IT management software provider that mainly serves MSPs. On Friday, July 2, Kaseya’s incident response team identified a security incident related to Kaseya VSA. Their VSA (Virtual System Administrator) product delivers automated software patching, remote monitoring, and other capabilities so MSPs can seamlessly manage their customers' IT infrastructure. After breaking into Kaseya, the threat actors infected 50-60 MSPs. From there, they infected approximately 1,500 of the MSPs’ clients. The threat actors encrypted the victims’ data, effectively shutting down systems and networks. In Sweden, for example, the supermarket chain Coop closed 800 stores when its cash registers and payment processing systems went down—all because of a breach that was originally two steps removed from Coop’s systems.


The threat actors initially demanded $70 million to decrypt the systems, but later lowered the demand to $50 million. It appears that Kaseya refused to pay the ransom and received a decryptor tool from a third party on July 21 (yes, that’s nearly three weeks after the problem was discovered). With this tool, Kaseya was able to assist victims in restoring their systems and networks.

The SolarWinds Case Study

The SolarWinds breach that dominated headlines in December 2020 was another supply chain attack. Russian hackers, working for the Russian government, injected malicious code into SolarWinds’ IT management tool Orion, which gave the attackers access to thousands of systems when it was deployed. SolarWinds reported that up to 18,000 clients had installed the update with that malicious code. The victims of this attack included both private companies and government agencies, including NASA, the State Department, the Department of Defense, and the Department of Justice. The hackers didn’t demand a ransom, which indicates that this attack focused on espionage.

Why Supply Chain Attacks Are Increasing

Supply chain attacks are hard to defend against because they use software updates from trusted vendors. Organizations have always been concerned about infections that come from employees opening phishing e-mails with malicious attachments; clicking links and revealing their login credentials; or plugging a virus-infected USB drive into their computer. Today though, companies must also focus on creating defenses that screen the IT software and service providers who have authorized access into their network.

Threat actors increasingly use supply chain attacks for several reasons:

  • Many companies have improved their overall security posture, making it harder for threat actors to find vulnerabilities to exploit.
  • Supply chain attacks take longer to detect because they come from trusted third parties.
  • The return on investment for ransomware hackers is higher because the compromised vendor can, in turn, infect hundreds of other companies.

How to Strengthen Your Defense

To mitigate the risk of supply chain attacks, we recommend the following steps:

  • Log and monitor all third-party access into your network.
  • Establish a solid vendor management program so that you know the security practices of every third party you work with, including their incident response plans and cyber insurance policies. You should create a security questionnaire all vendors must complete, and you may want to consider requiring third-party certifications such as SOC 2 for your vendors.
  • Implement extended detection and response (XDR) that monitors and correlates data across the network to improve visibility into potential threats on the network.
  • Review the security of your own software development life cycle. In another example of a supply chain attack, a recent vulnerability in the Python Package Index (PyPI) left unpatched systems vulnerable to hackers getting write permissions to the pypa/warehouse repository. Hackers could install malicious packages without the developer’s knowledge. The solution: Monitor and regulate software repositories to secure software development and assure continued integrity. We recommend implementing an audit of software dependencies and version-locked dependencies during application auditing. Your organization may not directly maintain these dependencies, but they directly impact your security.
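The last step above, auditing dependencies and version-locking them, is concrete enough to show in code. The block below is an added example, not Pratum's code: it audits a constructed requirements file for packages that are not both pinned to an exact version and locked to a sha256 hash, and then verifies a (constructed, stand-in) package archive against the pinned hash before it would be installed. The package names, versions and archive bytes are made up for the example; the hashes are computed from those bytes, not taken from PyPI.

```python
"""Audit a requirements file for version and hash pinning, and verify an
artifact against the pinned hash. Added example, not Pratum's code."""
import hashlib
import re

# Constructed stand-in for a package archive fetched from the index. Its hash is
# computed here so the example runs offline; it is not a real PyPI hash.
GOOD_ARCHIVE = b"this stands in for a package archive downloaded from the index\n"
GOOD_HASH = hashlib.sha256(GOOD_ARCHIVE).hexdigest()

# Constructed requirements.txt content covering the three cases that matter.
REQUIREMENTS = f"""
# pinned and hash-locked: a swapped artifact cannot install
examplelib==1.4.2 --hash=sha256:{GOOD_HASH}
# pinned but no hash: an artifact replaced under the same version would install
otherlib==2.0.0
# unpinned: a newer, possibly malicious release would be pulled in silently
looselib>=3
"""

LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<spec>==|>=|<=|~=|>|<)?\s*(?P<version>\S+)?(?P<rest>.*)$"
)
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def _requirement_lines(text):
    """Yield (name, spec, rest) for each non-comment requirement line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group("name"), m.group("spec"), m.group("rest") or ""
        else:
            yield line, None, ""


def audit_requirements(text):
    """Return (name, problem) pairs for every requirement that is not both pinned
    with == and locked to at least one sha256 hash."""
    problems = []
    for name, spec, rest in _requirement_lines(text):
        if spec != "==":
            problems.append((name, "not pinned to an exact version"))
        if not HASH_RE.findall(rest):
            problems.append((name, "no --hash lock"))
    return problems


def pinned_hashes(text):
    """Map requirement name -> set of sha256 hashes declared for it."""
    return {name: set(HASH_RE.findall(rest)) for name, _, rest in _requirement_lines(text)}


def verify_artifact(name, data, text):
    """True only if the artifact's sha256 is one of the hashes pinned for name.
    A requirement with no pinned hash fails closed rather than being trusted."""
    digest = hashlib.sha256(data).hexdigest()
    return digest in pinned_hashes(text).get(name, set())


if __name__ == "__main__":
    for name, problem in audit_requirements(REQUIREMENTS):
        print(f"{name}: {problem}")
    print("examplelib archive ok:", verify_artifact("examplelib", GOOD_ARCHIVE, REQUIREMENTS))
    print("tampered archive ok:", verify_artifact("examplelib", GOOD_ARCHIVE + b"x", REQUIREMENTS))
```

For real installs, pip enforces the same policy itself: running pip with `--require-hashes` refuses any requirement that is not pinned and hash-locked, which is the setting to turn on in CI so an upstream compromise of a trusted package cannot slip a different artifact into your build under a familiar name and version.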

Pratum’s team can help you create a thorough defense strategy that protects your operations even when threats arrive from your trusted partners. Contact us for a free consultation.

Internal and External Penetration Testing

Regular penetration testing provides a key pillar in your ongoing cybersecurity plans. But penetration tests come in a lot of forms, and vendors often put their own spin on describing their work. In simple terms, penetration testing involves a team of ethical hackers proactively looking for exploitable vulnerabilities in your web applications, computer systems and networks. Their job is to identify your security gaps before a hacker does and compromises your system.

To ensure you’re picking a pen test that meets your needs, use this blog to understand the purpose and value of internal penetration testing and external penetration testing. Attacks can come from any direction, so your testing has to probe for weaknesses that come from outside and inside your environment.

External Pen Testing

This tests security programs by looking at anything with external access, including any device with a public-facing service, IP or URL such as a web application, firewall, server or IoT device. A pen tester may also try to gain access to external-facing assets such as e-mail, file shares, or websites. The pen testers simulate the work of an attacker who, depending on their motivation, may utilize a vulnerability or chain multiple vulnerabilities together in order to gain access to sensitive data. In various parts of the Internet, hackers sell or trade information on zero-day exploits (those not listed in known vulnerability databases) for these purposes.

External pen testing methods include:

  • IDS/IPS Testing – This examines whether Intrusion Detection Systems and Intrusion Prevention Systems are doing their job of analyzing network traffic and packets for known cyberattack signatures.
  • Segmentation Testing – This checks whether networks are properly separated to keep an attack from pivoting from one to the other.
  • Manual Testing of Identified Vulnerabilities – Here a tester tries to exploit the vulnerabilities that are widely known in the hacking community. This is a key step, considering that an estimated 60% of breaches involve vulnerabilities for which patches are available.
  • System Screening/Port Screening/Service Scanning for Vulnerabilities – These automated tests essentially look for doors left open into your network.
  • Checking Public Information for Leakages – You’d be surprised how many lists online publicize which companies have been hacked. A good pen tester checks those sources to see if your company’s name appears there.
  • Foot-printing/Banner Grabbing – These are methods of gathering information from a system in order to launch attacks against it.
  • Open Source Intelligence (OSINT) reconnaissance – Pen testers can find a surprising amount of useful information just by looking for clues in social media, websites, etc.
  • Social Engineering – About 80% of all breaches gain access through social engineering, so a true test of your security should include phishing and vishing (bogus phone call) tests.
  • PCI, HIPAA and Other Compliance-based Testing – Many frameworks have specific pen testing requirements organizations must meet to achieve compliance.

During the process, a pen tester gathers information on open ports, vulnerabilities, and the company’s users. Then they attempt to leverage that information for various attacks such as brute forcing passwords, phishing attacks, and precise operating system and service attacks.

The external pen test should reveal any areas that may be compromised and exploited to gain access to your network. The organization should also use the pen test as an opportunity to verify their current process for detecting anomalous activity. In other words, did your defenses pick up what the pen tester was trying to do and stop them?

Once a perimeter is breached, a given pen test’s rules of engagement may allow for using further attacks to gain access to internal network assets, often referred to as pivoting or lateral movement.

Internal Pen Testing

Most organizations focus on the perimeter in their security work. But the fact is that those with direct access to an organization’s data pose the most significant threat overall. People (even well-intentioned ones) are often easily manipulated and prone to mistakes. Many times, what happens at the host level goes unmonitored, and many organizations aren’t aware of what is entering or leaving their networks. Many common misconfigurations lead to full network compromise. All of that makes internal pen testing a critical part of your security strategy, even if your external pen test turned up no weaknesses.

If your business has a file sharing system without a password, for example, you should re-evaluate who has access to various levels of content. Not every employee needs access to the same data, and unnecessary access could leave you vulnerable to an attack, whether by an employee with malicious intent or a loyal employee who unknowingly gives their login credentials to a hacker.

The expansion of work-from-home policies has created a new range of internal vulnerabilities to test. That may be private networks such as home WiFi, smartphones, cable and streaming services. Connecting your organization’s network to any of those channels could open it up to external threats.

A threat actor who manages to get in through one of these channels rarely attacks right away. They may move about and gather private data by observing from within. During this quiet period, they may collect data to use later or sell to others. Hackers could lurk in your system for weeks, months or longer if proper internal auditing, patching and testing are not performed on a regular basis. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. A breach of Starwood Hotels discovered in 2018 had gone undetected for four years.

During internal pen testing, the assessor tries to find out just how much damage a threat actor or employee could do from inside the network. A poorly secured domain could lead to total control of a network, but most tests require multiple attack paths to complete the objective. Hackers often pull this off by exploiting relaxed policies that focus on convenience rather than necessary mitigations.

The tester will often use less important, easier-to-compromise systems as a channel for getting to more secure areas with higher levels of protection and more sensitive data and controls. Internal pen testing can also include privilege escalation, malware spreading, information leakage and other malicious activities.

Internal pen testing covers targets such as:

  • WiFi Networks
  • Firewalls
  • IDS/IPS
  • Employees
  • Computer Systems
  • Mobile devices
  • HVAC
  • Cameras
  • Physical access

Plan Your Pen Testing Approach

Choosing the right security path for your business is not always simple, and there is no “standard” penetration test that works for every organization. No matter how large or small your organization, Pratum can customize a solution that provides value.

If you’re interested in learning more about the type of pen test that will work best for you, contact Pratum today.

Editor's Note: This post was originally published in May 2020 and has been updated for accuracy and comprehensiveness.