Cyber security experts have noticed a spike in fileless malware attacks, which abuse the trust that security software places in genuine, signed Windows applications. Because they leave no trace on disk, giving the intrusion a zero footprint on the computer, the presence of such an attack is difficult to notice.

“Because this type of attack is launched through reputable, trusted executables, these attacks are hard to detect,” Internet security solutions firm McAfee Labs said.

It says the rapid rise of such attacks is a cause for concern. Unlike traditional attacks, in which hackers sneak into systems by launching malware applications, fileless malware attacks do not install any software on a user’s computer.

“This makes a successful attack extremely hard to detect. Both consumers and corporate users can fall victim to this threat. In corporate environments, attackers use this vector to move laterally through the network,” McAfee points out.

Cyber security expert Debasish Mandal says CactusTorch is an example of a ‘fileless’ threat. It uses the DotNetToJScript technique, which loads and executes malicious .NET assemblies straight from memory. “These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. The malware does not write any part of the malicious .NET assembly on a computer’s hard drive,” he points out.

This makes traditional file scanners ineffective at detecting these intrusions. “We have seen a rapid growth in the use of CactusTorch this year. This can execute custom shellcode on Windows systems,” he says.
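Because nothing is written to disk, the place to look is process memory and module loads: a DotNetToJScript-style loader has to bring the .NET runtime up inside a script host such as wscript.exe, which an ordinary script never does. The following is an added example, not code from the article or from McAfee; it runs a simple check over constructed Sysmon Event ID 7 (Image loaded) records and flags script hosts that load CLR modules (the field names and sample paths are assumptions).

```python
import ntpath

# Script hosts that have no legitimate reason to host the .NET CLR on their own.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Modules whose load means a .NET runtime has been started inside the process.
CLR_MODULES = {"clr.dll", "mscoree.dll", "clrjit.dll", "mscorlib.dll", "mscorlib.ni.dll"}

# Constructed sample telemetry in the shape of Sysmon Event ID 7 (Image loaded) records.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # A genuine .NET application loading the CLR is normal and must not be flagged.
    {"EventID": 7, "ProcessId": 5000, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # A process-creation event (ID 1) carries no ImageLoaded field and is skipped.
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": "cscript.exe logon.vbs"},
    {"EventID": 7, "ProcessId": 7000, "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll"},
]


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def find_clr_in_script_hosts(events):
    """Return (pid, process, module) for every script host that loads a CLR module."""
    hits = []
    for event in events:
        if event.get("EventID") != 7:
            continue
        process = basename(event.get("Image", ""))
        module = basename(event.get("ImageLoaded", ""))
        if process in SCRIPT_HOSTS and module in CLR_MODULES:
            hits.append((event["ProcessId"], process, module))
    return hits


if __name__ == "__main__":
    for pid, process, module in find_clr_in_script_hosts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {process} loaded {module}: .NET runtime inside a script host")
```

On a real host the same check runs over Sysmon's Microsoft-Windows-Sysmon/Operational log, and the flagged process's memory is what a responder would then capture, since no file will be found on disk.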

Many fileless malware campaigns have used Microsoft PowerShell to launch attacks in memory and create a back door into a system. “What’s interesting is the number of variants discovered,” he says.