Detecting fileless malware infections is becoming easier

For some analysts, memory analysis is only an optional step in cybersecurity investigations.

Their reasons are simple. One: Handling memory and volatile data is a complex endeavor, made more difficult by legacy tools. Two: The average analyst is a highly educated individual but is generally not an expert in memory architecture. That knowledge is often reserved for systems engineers. And three: The few analysts who do possess that expertise are writing code or concentrate on threat hunting. For analysts, these tasks are the preferred and more productive alternative to memory analysis, a process that traditionally features a poor user experience and requires hours to complete.

These challenges should not discourage security teams from collecting and analyzing memory both proactively and in response to cyber breaches. By neglecting memory analysis, they risk exposing their systems to fileless malware — a threat that will silently collect valuable information and allow attackers to move laterally between systems while leaving no footprints for incident response tools to identify.

Fileless malware evades widely used endpoint security solutions

When they’re under pressure after a threat has been detected, the instinct many security teams have is to immediately focus on containing it by shutting down and isolating systems. The National Institute of Standards and Technology (NIST) disagrees with this approach, describing memory collection as an important step that should take place at the beginning of most incident response investigations.

Without memory analysis capabilities, security teams would be hard-pressed to identify fileless malware because it differs from traditional malware in how it breaches systems. Fileless malware gains access and avoids detection by using hidden scripts and tools that are already built into the target systems.

This tactical change allows infections to slip by the endpoint detection and response (EDR) and extended detection and response (XDR) tools and endpoint protection platforms (EPP) that many organizations deploy today. Fileless malware exploits their blind spot: they are constantly scanning disks for threats, but not system memory.

These tools can still be useful if they’re reconfigured to warn analysts every time programs like PowerShell are accessed by employees (any use by employees who aren’t in the IT department or a developer team should be considered suspicious). But even then, this strategy can only hint at a potential problem – it can’t confirm there’s one.

Antivirus solutions won’t help either, and without a chain of evidence developing at the file level, a full digital forensic analysis won’t uncover the threat. What security teams are left with is a scenario where fileless malware goes undetected for months or even years.

We’ve already seen this unfold with SockDetour, a fileless backdoor that was used on systems belonging to U.S. defense contractors. SockDetour hijacked network connections on Windows servers through the Microsoft Detours library package and was able to avoid detection for two years.

Fileless malware is evolving and becoming more popular

Every few months, researchers discover a new evolution of fileless malware. Before SockDetour, Prevailion found fileless malware using the Windows Registry for storage to evade antimalware engines. Long before both, there was The Dark Avenger and Frodo using similar techniques in 1989.

It’s not difficult to see why fileless attacks are gaining in popularity. In its Q1 2022 Internet Security Report, WatchGuard Technologies revealed that 88 per cent of all malware detections are linked to scripts. PowerShell represents 99 per cent of detected incidents, the company said.

Modern approaches and solutions

The only way to detect and confirm the presence of fileless threats is to analyze the code running in memory. Memory analysis allows security teams to identify fileless malware, recover valuable intelligence about how it was deployed and determine the damage caused.

There are new approaches that solve some of the issues analysts have had in the past. Among them is the decision to focus on the recovery of crash dumps instead of full memory dumps. The former requires hours to complete and involves collecting a lot of data that will end up being useless in an investigation. With crash dumps, memory recovery can be completed in minutes.

An even faster solution would be to leverage minidumps generated by Microsoft Process Explorer, ProcDump and EDR agents to target a specific suspicious process for acquisition.

With crash dump and minidump recovery being so efficient, security teams can run continuous compromise assessments. Proactively searching for and uncovering fileless threats eliminates the main danger they pose in being able to slip past detection, digital forensics and incident response solutions.

The proactive approach should also extend to how security teams prepare themselves to deal with fileless threats. With a memory analysis solution, they’ll be able to run blue and purple team drills to develop a detailed incident response strategy they can put into action when a fileless threat is detected.

Analysis is also more streamlined with security teams being able to leverage indicators of compromise to threat hunt. One method involves the use of hashes of the executable sections of binaries in memory to search for memory-based IOCs. Another involves assigning MITRE ATT&CK tags to SQL-like queries to provide more clarity in the results.

More than identifying and analyzing current threats, memory analysis unlocks the ability for security teams to retro-hunt. When security teams become aware of a new indicator of compromise, they can analyze their previously acquired memory snapshots and determine whether the same attacker has targeted them in the past and how they did so. If they’re trying to exploit the same vulnerability, security teams will understand they need to change their current approach and begin to take the necessary steps to do so.

Lurking fileless threats alone should warrant the implementation of memory analysis into regular workflows. While the concerns of security teams with past approaches to memory analysis are valid, innovative solutions have significantly improved the user experience and accelerated the collection and analysis process. Continuing to disregard memory analysis at this stage would only serve to do them more harm than good.