Just when you thought it was safe to go back in the water! No, this isn’t a Jaws reference, it is a cry to beware of those applications you thought were safe. You believe these apps are safe because they come from your most trusted software providers such as Microsoft and Adobe, but it turns out that cyber criminals love to take what is safe and use normally accepted safe practices to launch memory-resident malware. Called “fileless malware”, or “in-memory attacks”, this approach leaves a very small footprint from which to protect against.
How Can Malware Be Fileless?
Defined most simply, fileless malware is malicious code that exists in a computer’s memory (RAM) or kernel and doesn’t depend on file storage to wreak havoc. These malicious artifacts can come from seemingly safe use of standard programs like Adobe Acrobat communicating with Microsoft PowerShell to plant cyber threats directly into RAM. The good news is that these artifacts are usually purged with a reboot. The bad news is that you usually don’t know they are there, so you see no need to reboot. According to a Wired article by Lily Hay Newman titled “Say Hello To The Super-Stealthy Malware That’s Going Mainstream”:
“So-called fileless malware avoids detection by hiding its payload in secluded spots, like a computer's random-access memory or kernel, meaning it doesn't depend on hard drive files to run. The technique first surfaced a couple of years ago, as part of a sophisticated nation-state reconnaissance attack, but has experienced a recent surge in popularity.
…What makes the attack so insidious is that it inhabits parts of the computer architecture that are difficult for normal users to even navigate to and access, much less interact with. While it's possible to eliminate the threat, many organizations aren't even focused on spotting it in the first place yet.”
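The Acrobat-to-PowerShell chain described above is exactly the kind of lineage endpoint telemetry can expose. As an added illustration written for this post (not Solebit's or SoleGATE's own logic), here is a small Python detector that scores process-creation records for a document reader spawning a script host and for command-line traits of in-memory staging. The key="value" log format, the process lists, the argument patterns and the sample records are all assumptions constructed for the example.

```python
import ntpath
import re

# Document readers and office apps with no routine reason to launch a shell or
# script host (assumed set for this example).
DOCUMENT_PARENTS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe",
                    "powerpnt.exe", "outlook.exe"}
# Built-in interpreters commonly used to stage code straight into memory.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Command-line traits of in-memory staging: encoded payload, hidden window,
# no profile, execution-policy bypass, download-and-evaluate.
SUSPICIOUS_ARGS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"-(ep|executionpolicy)\s+bypass|downloadstring|\biex\b|invoke-expression",
    re.IGNORECASE)

def parse_event(line):
    """Turn one constructed key="value" process-creation record into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}

def analyze_event(line_no, ev):
    """Return a finding dict when the event looks like fileless staging, else None."""
    parent = ntpath.basename(ev.get("parent", "")).lower()
    child = ntpath.basename(ev.get("image", "")).lower()
    odd_lineage = parent in DOCUMENT_PARENTS and child in SCRIPT_HOSTS
    arg_hits = ([m.group(0) for m in SUSPICIOUS_ARGS.finditer(ev.get("cmd", ""))]
                if child in SCRIPT_HOSTS else [])
    reasons = [f"{parent} spawned script host {child}"] if odd_lineage else []
    reasons += [f"suspicious argument {a!r}" for a in arg_hits]
    # Alert on the lineage alone, or on a script host showing two or more traits.
    if odd_lineage or len(arg_hits) >= 2:
        return {"line": line_no, "parent": parent, "child": child, "reasons": reasons}
    return None

def detect(log_text):
    """Scan newline-separated records; return findings in log order."""
    events = ((n, parse_event(l)) for n, l in enumerate(log_text.splitlines(), 1) if l.strip())
    return [f for f in (analyze_event(n, ev) for n, ev in events) if f]

# Constructed sample records (not real telemetry); the encoded blob is a placeholder.
SAMPLE_LOG = "\n".join([
    r'parent="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe Get-Process"',
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c echo hi"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"',
])
```

Running `detect(SAMPLE_LOG)` flags records 1, 3 and 4: the first two on lineage, the last on argument traits alone, while the ordinary `Get-Process` launch from Explorer passes.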
How Bad Can It Be?
According to a CSO article: “Fileless attacks are effective. According to the Ponemon Institute's "The State of Endpoint Security Risk Report," 77 percent of compromised attacks in 2017 were fileless. The report estimates that fileless attacks are ten times more likely to succeed than file-based attacks.”
Preventing Fileless Malware
In order to prevent fileless malware attacks, you will need an advanced cyber threat prevention solution that looks beyond files alone to the OS and CPU level. Solebit’s SoleGATE uses static analysis, which is faster, more accurate, not OS version dependent and covers 100% of your code, with complete visibility. With SoleGATE, every line of code is evaluated, making Sandbox evasion techniques ineffective. The platform is agnostic to file type, client-side application type, or the client operating system used within the organization. Unlike a Sandbox, which has to simulate specific customer environments, SoleGATE provides protection regardless of the operating system, CPU architecture, and function (client, server) of the targeted machine.
SoleGATE provides seamless prevention across all environments with no dependencies or customizations. The solution is agnostic to client applications or operating systems.
Using deep inspection and analysis methods, SoleGATE is able to interpret and detect code in real time and immediately block threats from penetrating your organization. DvC™ makes no assumptions about threat heuristics and behavior; it assumes only that there is no legitimate reason for executable code to be present in a data file, and so relies solely on identifying the presence of code in non-executable files. The bottom line is that you will finally have safe content!
Check out this whitepaper on an evasion-proof approach against modern cyber attacks that can keep your content safe. It will outline how to strengthen your cyber defenses dramatically by preventing attacks before they enter and harm your organization, your customers and your brand. Remediation is costly, prevention is not.