In 2016, fileless malware has been proliferating at a high rate.
These attacks run in memory rather than from files written to disk, and they have created a growing class of “non-malware.”
Malware developers have spent a lot of time and energy over the years scrambling, complicating and obfuscating their code so that their malicious files avoid detection. This year, they have tried a new scheme altogether: running the attack in memory instead of downloading a file and executing it.
Fileless malware is not a revolutionary approach, but 2016 certainly saw a dramatic rise in this type of attack as the criminals worked to perfect it.
In the last quarter of 2016, there was a 33% rise in severe non-malware attacks compared to the first quarter.
One method they employ is abusing Windows PowerShell and Windows Management Instrumentation (WMI), both of which ship with the operating system. If they can get a foot in the door using these two built-in tools, the rest is easy.
Carbon Black researchers note that PowerShell and WMI non-malware attacks shot up by 90% in the second quarter of 2016 and are at their highest levels as we speak. In fact, they note that reports show the Democratic National Committee (DNC) hack earlier this year used a fileless attack that leveraged both PowerShell and WMI to get a foot in the door of the political party’s systems.
High-profile anecdotal stories like this are adding up, and security researchers across the board are bringing to light an increasing number of cybercriminal campaigns taking advantage of fileless attacks. The most recent was a report from Proofpoint earlier this month, which examined a November attack campaign involving the August malware variant. Proofpoint researchers say attackers used Office documents weaponized with malicious macros that trigger PowerShell, which ultimately loads August onto the machine as a byte array, so no executable is ever written to disk.
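The chain described above (an Office document whose macro spawns PowerShell, which then decodes and loads a payload in memory) leaves a distinctive trace in process-creation telemetry even when no file is dropped. The following is an added detection example, not tooling from Proofpoint, Carbon Black or the article; it runs simple heuristics over a constructed, simplified log format (`parent|child|command line`, not any vendor's real schema) and flags Office applications spawning PowerShell or WMI, plus the command-line switches and constructs that commonly accompany in-memory loading. The sample records are constructed for illustration.

```python
"""
Heuristic detection of Office-spawned PowerShell / WMI activity.

Added example. The record format is a constructed simplification
(parent process | child process | child command line); map it onto
whatever process-creation source you actually collect.
"""
import re
from dataclasses import dataclass

# Office applications that should essentially never launch a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in tooling named in the article as the foothold for fileless attacks.
LOLBIN_CHILDREN = {"powershell.exe", "wmic.exe"}

# Command-line indicators (matched against the lowercased command line).
SUSPICIOUS_FLAGS = [
    (r"-e(?:nc(?:odedcommand)?)?\s", "encoded command"),
    (r"-nop\b|-noprofile\b", "no profile"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
    (r"downloadstring|downloadfile|net\.webclient", "web download"),
    (r"\[byte\[\]\]|frombase64string", "byte array / base64 decode"),
]


@dataclass
class Finding:
    line_no: int
    parent: str
    child: str
    reasons: list


def parse_record(line):
    """Split one constructed record; returns None for malformed lines."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3:
        return None
    parent, child, cmdline = parts
    return parent.lower(), child.lower(), cmdline


def score_record(parent, child, cmdline):
    """Return the list of reasons a record looks like a fileless foothold."""
    reasons = []
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"office app {parent} spawned {child}")
    if child == "powershell.exe":
        low = cmdline.lower()
        for pattern, label in SUSPICIOUS_FLAGS:
            if re.search(pattern, low):
                reasons.append(label)
    return reasons


def scan(lines):
    """Run the heuristics over an iterable of records; return Findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        if rec is None:
            continue
        parent, child, cmdline = rec
        reasons = score_record(parent, child, cmdline)
        if reasons:
            findings.append(Finding(n, parent, child, reasons))
    return findings


# Constructed sample telemetry: one benign Office launch, one macro-style
# PowerShell spawn, one service, one Excel-to-WMI spawn, one ordinary admin use.
SAMPLE_LOG = [
    "explorer.exe|winword.exe|WINWORD.EXE invoice.docx",
    "winword.exe|powershell.exe|powershell.exe -NoP -W Hidden -Enc <base64 payload>",
    "services.exe|svchost.exe|svchost.exe -k netsvcs",
    "excel.exe|wmic.exe|wmic process call create notepad.exe",
    "explorer.exe|powershell.exe|powershell.exe Get-ChildItem C:\\Users",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.parent} -> {f.child}: {', '.join(f.reasons)}")
```

Only records 2 and 4 are flagged: the Word-to-PowerShell spawn accumulates four reasons (parent/child pair, encoded command, no profile, hidden window), the Excel-to-WMI spawn one, while the administrator's interactive `Get-ChildItem` passes. In practice the parent/child relationship is the strongest signal; the switch-based indicators are easy for an attacker to vary, so treat them as corroboration rather than as the primary rule.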
“The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell,” Proofpoint’s researchers wrote. “All of these factors increase the difficulty of detection, both at the gateway and the endpoint.”
Heading into 2017, most security researchers don’t expect this trend to slow down. According to researchers at Symantec, the industry should get ready for criminals to make the most of these attacks in the coming year.
“Fileless infections are difficult to detect and often elude intrusion prevention and antivirus programs,” says Brian Kenyon, chief strategy officer for Symantec. “This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks.”