Protecting Against Fileless Malware: A Guide for Organizations
Foreword
Fileless malware threats are on the rise, and it’s essential for organizations to take proactive measures to safeguard their internal environment. In this article, we’ll explore the dangers of fileless malware, the mechanisms behind its attacks, and provide actionable advice on how to protect your organization.
The Growing Threat of Fileless Malware
Fileless malware is a type of attack that doesn’t rely on files to execute malicious code. Instead, it uses legitimate system processes and tools, such as PowerShell, WMI, VB, and .NET Framework, to achieve its goals. This approach makes it challenging for traditional security measures to detect and prevent fileless malware attacks.
Process Hollowing: The Mechanism Behind Fileless Malware
Fileless malware achieves its objectives by using a technique called Process Hollowing. This involves creating a storage container within a legitimate process and injecting malicious code into it. The malicious code is then executed directly in the PC memory, without the need for files. Recent research has shown that attackers have been integrating PowerShell, VB scripting, and .NET applications into a single code package to achieve this.
The Power of PowerShell-Based Exploits
PowerShell-based exploits are particularly potent, as they can execute malicious code directly in the PC memory. This makes it essential to understand the operational behavior of Windows built-in code to detect anomalies in the first place. For instance, finding hidden PowerShell scripts in the TEMP directory can be a red flag.
Protecting Your Organization Against Fileless Malware
To resist fileless malware attacks, organizations should:
- Ensure the safety of their internal environment: Install the latest patches on computer systems within the network, as attackers often exploit old versions of systems that haven’t been updated or patched.
- Design a strong security awareness training program: Develop safe operating procedures and educate employees on the dangers of e-mail attachments and unfamiliar links. This is crucial, as many fileless malware attacks begin with a simple phishing email.
- Update access rights and privileges: Carefully divide access privileges within the organization, particularly for third-party applications and users. Restrict access rights for expired accounts and restrict certain privileged accounts as needed.
- Disable unnecessary Windows programs: Disable Windows programs that are not needed, such as PowerShell or .NET Framework, to prevent lateral penetration.
- Remove legacy protocols: Remove legacy protocols like SMBv1, which can be exploited by attackers.
Microsoft’s Efforts to Combat Fileless Malware
Microsoft has developed an open interface called the “anti-malware scanning Interface,” which many vendors are using to detect fileless malware attacks. Additionally, researchers can use open-source projects like AltFS, a non-file-type virtual file system, to demonstrate the working mechanism of undocumented technology.
Conclusion
Fileless malware requires a solid understanding of the details involved and careful coordination between various tools and techniques. As more unpredictable malware threats appear, it’s essential for organizations to take proactive measures to strengthen their security and defense. By following the advice outlined in this article, organizations can better protect themselves against fileless malware threats.