How to protect against the growing fileless malware threat
Fileless attacks are an advanced kind of malware that rank among today's most dangerous security threats. In fact, in 2017, the Ponemon Institute reported that fileless attacks are ten times more successful than file-based attacks.
A 2020 WatchGuard report also showed that the threat is growing and that the technique increased by nearly 900% since 2019. In this article, I'll review what fileless attacks are and how to protect against them.
Malware is malicious code intended to damage software, steal information or take full control of a supply chain. It can take several forms: viruses, worms, trojans, ransomware, bots, adware, fileless malware, etc., some of which are very sophisticated.
A fileless attack is a technique that executes malicious code directly in memory; it can proceed in incremental, obfuscated steps to gain control of an environment while remaining undetected. Because the malware runs in memory rather than from a file on disk, it evades common defences such as antivirus and static scanning.
Attackers also often use compression or encryption to cloak the malware file and avoid detection. The technique is most commonly used against Windows, but we have recently seen a growing trend in its use against Linux, and more specifically within containers.
What's concerning is that fileless attacks are undetectable by most traditional security tools, including antivirus software and endpoint detection and response (EDR), because these tools usually only discover compromises based on files written to the file system. A fileless attack is executed from a memory address, making it almost impossible to collect evidence or forensic clues about what transpired.
Such attacks use common artifacts to hide themselves. Often they are camouflaged within popular, trusted software and inject malicious code only into widely used applications. Quietly hidden, they launch assaults on software supply chains and spread fileless attacks, exploiting trusted software relationships and networks to penetrate organisations.
In the past, most successful fileless attacks occurred on Windows via hijacked artifacts such as PowerShell, Microsoft Office macros, WMI, scripting languages (VBScript, Windows PowerShell), and other popular post-exploitation tools (PowerShell Empire, PowerSploit, Metasploit, Cobalt Strike, etc.).
Today we're seeing a sharp increase in attacks on Linux as well as on containers, a technology based on the Linux kernel that uses namespaces and cgroups.
Detecting fileless attacks
These new and daring attacks emphasise the importance of putting better and stronger solutions in the defender's toolbox. Below are a few recommendations that, when practised together, can help you defend against these kinds of attacks:
Scan all images that you use, make sure you are familiar with them and their purpose, and use minimal privileges, for example by avoiding the root user and privileged mode. Use a static vulnerability scanner such as Trivy (open source). Scanning artifacts such as code, container images, Kubernetes manifests, infrastructure as code (IaC), etc. is the first step to avoiding misconfigurations, hardcoded secrets, and vulnerabilities.
Use Tracee (open source) to detect suspicious or abnormal processes running in your environment, and use DTA to dynamically scan images and safely discover malware before deploying them. DTA dynamically assesses the risks that container images pose before they are run as containers in a live environment.
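The "avoid the root user and privileged mode" advice above is a static check that can be automated over Kubernetes manifests. The following is an added example, not Trivy's or the article's own code: a small checker that reports the privilege-related misconfigurations a scanner would flag, run over two constructed Pod manifests, one weak and one hardened. The Pod securityContext fields used are standard Kubernetes ones; the manifests, image names and finding messages are constructed for the example.

```python
"""Static privilege check for Kubernetes Pod manifests (added example).

Flags the settings the article warns about (privileged mode, root user) plus
the usual companions: privilege escalation, writable root filesystem,
undropped capabilities and unpinned images. Manifests are given as dicts,
i.e. what a YAML loader would produce.
"""

# Constructed sample manifests (not from any real deployment).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "registry.example/app:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "image": "registry.example/app:1.4.2",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def image_pinned(image):
    """True if the image reference carries a digest or a non-latest tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip registry/repo path
    return ":" in last and not last.endswith(":latest")


def check_pod(manifest):
    """Return a list of (container name, finding) tuples; empty means clean."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))

        if sc.get("privileged"):
            findings.append((name, "privileged: true gives the container host-level access"))
        if run_as_user == 0:
            findings.append((name, "runAsUser: 0 runs the process as root"))
        elif run_as_user is None and not run_as_non_root:
            findings.append((name, "no runAsNonRoot/runAsUser: image default user (often root) is used"))
        # allowPrivilegeEscalation defaults to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation is not set to false"))
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append((name, "root filesystem is writable"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((name, "capabilities are not dropped (drop: [ALL])"))
        if not image_pinned(c.get("image", "")):
            findings.append((name, "image tag is :latest or missing; pin to a tag or digest"))
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(check_pod(pod))} finding(s)")
        for container, msg in check_pod(pod):
            print(f"  [{container}] {msg}")
```

The checker treats a missing user setting as a finding rather than assuming the image's default user is unprivileged, which is the conservative reading a scanner should take; the same logic applies unchanged to initContainers.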
DTA runs container images in a safe and isolated sandbox environment and monitors behavioural patterns and Indicators of Compromise (IoCs) such as malicious behaviour and network activity, in order to detect container escapes, malware, cryptocurrency miners, code injection backdoors, and additional threats.
Using Tracee, an open-source tool that identifies suspicious behaviour at runtime, we can detect this fileless execution technique. Tracee analyses events collected at the kernel level in real time using eBPF. In the demo, the main syscalls used were execve, close, openat, memfd_create, etc., along with other key events.
In Tracee, 'signatures' are the abstraction used to analyse and identify security threats such as code injection, dynamic code loading, fileless execution, etc. These signatures act as behavioural indicators developed by Aqua Nautilus, security research experts in cloud-native software.
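To make the two paragraphs above concrete, here is an added example (not Tracee's own signature code or output format) of what a fileless-execution signature has to do with the syscalls named: correlate a memfd_create return value with a later execve of that descriptor by the same process, and forget the descriptor again on close so a reused fd number does not cause a false positive. The event records are a simplified, Tracee-like shape constructed for the example; the field names (ts, pid, comm, event, args, ret) are an assumption, not Tracee's schema.

```python
"""Detect fileless execution from a stream of syscall events (added example).

Signature: a process calls memfd_create, then execve()s the anonymous file
through /proc/self/fd/N, /proc/<pid>/fd/N or /dev/fd/N before closing it.
Events are assumed to be in the simplified shape shown in SAMPLE_EVENTS.
"""
import re
from collections import defaultdict

# Constructed sample events: one benign process, one fileless execution,
# and one process whose memfd is closed and the fd number reused for a
# regular file before the exec (must not be flagged).
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4201, "comm": "bash", "event": "openat",
     "args": {"pathname": "/etc/ld.so.cache"}, "ret": 3},
    {"ts": 2, "pid": 4201, "comm": "bash", "event": "close",
     "args": {"fd": 3}, "ret": 0},
    {"ts": 3, "pid": 4388, "comm": "python3", "event": "memfd_create",
     "args": {"name": "payload", "flags": 1}, "ret": 5},
    {"ts": 4, "pid": 4388, "comm": "python3", "event": "execve",
     "args": {"pathname": "/proc/self/fd/5"}, "ret": 0},
    {"ts": 5, "pid": 4402, "comm": "cron", "event": "execve",
     "args": {"pathname": "/usr/bin/run-parts"}, "ret": 0},
    {"ts": 6, "pid": 4410, "comm": "curl", "event": "memfd_create",
     "args": {"name": "tmp", "flags": 1}, "ret": 4},
    {"ts": 7, "pid": 4410, "comm": "curl", "event": "close",
     "args": {"fd": 4}, "ret": 0},
    {"ts": 8, "pid": 4410, "comm": "curl", "event": "openat",
     "args": {"pathname": "/usr/local/bin/tool"}, "ret": 4},
    {"ts": 9, "pid": 4410, "comm": "curl", "event": "execve",
     "args": {"pathname": "/proc/self/fd/4"}, "ret": 0},
]

# Paths through which an open descriptor can be exec'd.
FD_PATH = re.compile(r"^/(?:proc/(?:self|\d+)|dev)/fd/(\d+)$")


def detect_fileless_exec(events):
    """Return one finding per execve whose target is a still-open memfd
    created earlier by the same pid. Events are processed in ts order."""
    open_memfds = defaultdict(dict)   # pid -> {fd: memfd name}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, name, args = ev["pid"], ev["event"], ev["args"]
        if name == "memfd_create" and ev["ret"] >= 0:
            # ret is the new descriptor number; remember it for this pid.
            open_memfds[pid][ev["ret"]] = args.get("name", "")
        elif name == "close":
            # Closing frees the number; a later open may reuse it.
            open_memfds[pid].pop(args.get("fd"), None)
        elif name == "execve":
            m = FD_PATH.match(args.get("pathname", ""))
            if m and int(m.group(1)) in open_memfds[pid]:
                fd = int(m.group(1))
                findings.append({
                    "ts": ev["ts"], "pid": pid, "comm": ev["comm"],
                    "memfd_name": open_memfds[pid][fd],
                    "pathname": args["pathname"],
                    "signature": "fileless execution via memfd_create",
                })
            # Descriptors without close-on-exec survive a successful execve,
            # so per-pid state is deliberately kept after the exec.
    return findings


if __name__ == "__main__":
    for f in detect_fileless_exec(SAMPLE_EVENTS):
        print(f"ts={f['ts']} pid={f['pid']} comm={f['comm']} "
              f"memfd={f['memfd_name']!r} exec={f['pathname']}: {f['signature']}")
```

Fork inheritance is not modelled (a child that execs a memfd created by its parent would be missed), and a /proc/<pid>/fd/N path is matched without checking that <pid> is the caller; a production signature keyed on the kernel's process tree would handle both.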
- We recommend using cloud-native detection and response (CNDR) to detect fileless malware attacks. CNDR is built on top of Tracee and uses information about the sequence of actions taken by applications and users to classify behaviour as abnormal.
- If any application or user activity matches a behaviour stream signature, CNDR detects and stops that behaviour and warns users of the incident via an incident report. Examples of behavioural detection include identifying and alerting on events such as deletion of system logs, DDoS tool usage, kernel module loading, and so on.
With Tracee there are more than 10 default rules, whereas CNDR has 100+ security signatures. These behavioural indicators are based on cloud-native attacks actually observed in the real world.
This limits attackers' ability to gain an early foothold and helps you prepare for the next Log4j or Spring4Shell zero-day vulnerability. You need a way to detect sophisticated threats that can gain a foothold in your environment and evade detection.
Fileless malware threats are evolving and are discovered more often than ever before. It's important to stay up to date with the malicious behaviours (signatures) defined by security research experts to help you prevent and stop real risk.