What are fileless malware attacks? 

In the real world, living off the land means surviving only with the available resources that you can get from nature.

In the technology world, fileless malware attack (living off the land (LotL)) attack means the attackers use techniques to hide once they exploit and breach the target from the network.  

A fileless malware attack uses one common technique called “Living off the Land” which is gained popularity by accessing the legitimate files in the system which is already operating in the OS for malware attacks. We will discuss them in detail. 

How does fileless malware (Living off the land) attack work?

We will detailed explanation of fileless malware attack,

Step 1: When a user from the internal network visits the compromised or attacker’s websites, through phishing emails, Opens a malicious website, Opening documents such as .pdf, Word, Excel with malware embedded with the attachment, Inserting the infected USB into the computer system.

Step 2: Once the system is exploited with the malware, the payloads of the malware scans for available unpatched vulnerabilities in the system. And searching them for the file path to hide malware and execute the attacks.

Step 3: After step 2, the malware drops into the legitimate applications that are available in the computer such as system tools as WMIC.exe, cmd.exe, powershell.exe, reg.exe, schtasks.exe, msiexe.exe, etc., to execute the malware attacks in the way that it looks legitimate and no security tools should detect or block the attacks.

Step 4: Upon installing the malware with legit system tools, malicious activity is been executed and hidden within the system tools, and providing remote access such as CnC, data exfiltration, or data disruption operations takes place without even alerting.

Step 5: Finally here comes the “living off the land” attack stage, where the attacker stealthily steals critical information and connects to Common and control servers for data exfiltration by abusing the trusted legitimate tools with unauthorized access which is “living off the land” attack been executed.  

How to detect fileless malware? 

Here, we will understand the steps to detect the fileless malware and stop it before it successfully executes the malware in the system,

  • We can always start with SIEM (Security Incident and Event Management) to use and gather the information used to detect the attacks. By depending on the available logs from SIEM it’s recommended to search for the commands and operations, Binaries, scripts, and libraries.
  • To start with the event searches on the username/account behavior which is used regularly should be investigated which is using the legitimate tools until we are satisfied with the search.  
  • Using EDR solutions which can give us complete insight into the legitimate tools executed with suspicious processor programs or the files executed in the path that it should not be. EDR solutions also provide the complete process tree of the suspicious process that is executed in the system which could be a possible fileless malware attack detection.  
  • Monitor the usage of dual-use tools inside the network. And enable logging and the process information.
  • Having the dedicated threat hunting teams, where threat hunters can continuously hunting for the process that is been executed within the network and work closely to cover the tracks or path which could cover the critical security gaps of the organizations before the attackers could exploit them.
  • Use monitoring tools to monitor the execution and arguments of mshta.exe (Windows-native binary designed to execute Microsoft HTML Application), monitor the execution of mshta.exe (HTA files) which may be suspicious if they are not typically used within the network.
  • The LOLBAS project, this project documents helps to identify every binary, script, and library that can be used for LotL (Living off the Land) techniques on the windows platform.

How to prevent fileless malware attacks?

We can see that there are different tools to block any types of attacks with endpoint tools like EDR and Networking security tools such as IDS, IPS, etc., here will see the possible ways to protect from fileless malware attacks,

There are lots of tools and application which can block access to the tool, features for all the users and some to specific users. It can be considered the best way to prevent LolT attacks, but it requires lots of hard work to do. I will list some of the possible ways to here,

  • Blacklisting the applications, means which involves blocking access to suspicious and malicious entities of the program or the process which is trying to execute within the system.
  • There are few applications access and protocols which are allowed by default, which needs blocking within the environment to block the doors for a malware entry, it can be allowed only there is a serious requirement on the same.
  • Allow only certain windows applications to run with the operating system, such as applying the security policies, account policies, Software restriction policies, Application control policies, etc.,
  • Whitelist only specific programs using software restriction policies helps unwanted applications from executing the malware or unwanted applications.
  • Restricting the domain accesses to all users. And restricting the privileged account management to accounts or groups that use the opportunities for malicious usage.
  • To enable advanced account security features, implement Multi-factor authentication (2 FA) and enable login notification for the threshold of unusual login activity.
  • To Disable or Remove Feature or Program, always consider disabling the AlwaysInstallElevated policy to prevent elevated execution of Windows Installer packages.
  • Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe, rundll32.exe, etc from being used to bypass application control. And Identify and block potentially malicious software executed through regsvr32 functionality by using application control. check here in MITRE  
  • To prevent execution of windows utilities, use application control configured to block the execution of InstallUtil.exe if it’s not required for a given environment and prevent them from potential misuse of adversaries.  
  • Implementing the Security controls like EDR solutions, email security, network security will help in detecting the attacks and blocking them and can allow them only if its legitimate programs are executed from the network.
  • Finally, the most important to keep all the software and application used to up to date with the latest patches installed, because it could be possible ways the attackers can enter the network from the backdoors of unpatched software and applications.

Conclusion:

Attackers use legitimate tools for executing the fileless malware attack techniques and malicious scripts are a common choice for hackers, which is easy for them to abuse the available legit tools. So it’s no surprise that many cybercriminals target the attack with this technique of “Living off the Land” attack or fileless malware attacks.

From an attacker’s point of view using the widely available tools within the system makes them easy to attack and makes it much more difficult for the defender to identify the malware executions from authorized tools. It’s like finding the needle in the haystack.

To understand more about the malware evasion techniques which attackers using check the blog of Evasion technique and classification and legitimate tools used by the attackers for Ransomware 2021.

Reference:

https://www.darkreading.com/edge/theedge/how-to-evict-attackers-living-off-your-land/b/d-id/1337420

https://attack.mitre.org/tactics/TA0005/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/living-land-legitimate-tools-malicious

https://docs.broadcom.com/doc/istr-living-off-the-land-and-fileless-attack-techniques-en

By Michael

Writer of Infohaunt is an Cyber Security Professional have experience in SOC operations, Threat Management, Incident Response, Threat Hunting, Digital Forensics.