Fileless malware makes a comeback




     Cyber-criminals are adapting to keep pace with advances in security technology. One such adaptation is what is being called fileless malware. The trend started a few years ago and gained significant prominence in late 2016. Fileless malware refers to malware designed specifically not to interact at all with the filesystem of the infected host. IT security pros need to be aware of it because it affects them in several ways.

     First, it alters what to look for when analyzing malicious activity. Fileless malware has different characteristics from traditional malware and requires looking for different indicators. Second, it changes how they plan and execute their response to a malware infection. Fileless malware has been designed to circumvent many of the strategies that are typically used to clean an infection.




     In order to prevent and clean fileless malware, we need to understand what it is. Fileless malware takes advantage of system tools such as PowerShell, macros, Windows Management Instrumentation, or any other on-system scripting functionality to propagate, execute and perform whatever tasks it was developed for. Since these tools are so flexible and powerful on modern operating systems, malware that employs them can do everything traditional malware can do, from logging data to cryptocurrency mining to anything else a system administrator can do. By design, the attackers refrain from writing anything to the filesystem, since file scanning is the primary defense strategy for finding malware code. By keeping clear of the filesystem, there is nothing for a file scanner to detect, which gives an attacker more time before detection.

     These attacks reside almost completely in memory and use legitimate system administration tools to execute and spread, which makes telling legitimate PowerShell use apart from attacker activity very challenging. IT administrators use PowerShell for a variety of tasks every day, so a heavy amount of PowerShell use wouldn't raise concerns. Because PowerShell is used so frequently, security professionals lack the time to review the logs, note suspicious behavior and then investigate the incident. Some features of PowerShell also make it difficult to tell when the tool is being used by attackers. For example, PowerShell 2, which is likely the most used version of the tool, generates event logs that show when the PowerShell engine was started and stopped but provide little more. This means these logs can't be analyzed to determine whether malicious code was run.



     In PowerShell 3, Microsoft added the option of module logging, which allows administrators and security products to determine which script files were invoked and which parameters were passed to them. Module logging has its shortcomings, though: administrators and security products may not be able to handle the amount of data it produces. PowerShell 5 includes serious security improvements, but they're not enabled by default, and attackers can evade them by downgrading to version 2.
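The following script is an added example written for this article, not code from the original post or from Microsoft. It turns on the module logging described above together with PowerShell 5's script block logging, and then hunts the classic Windows PowerShell log for engine starts that report version 2, which is what a downgrade looks like from the defender's side. It assumes an elevated Windows PowerShell 5.x session; the registry paths are the local equivalents of the Group Policy settings "Turn on Module Logging" and "Turn on PowerShell Script Block Logging", and the event IDs (400, 4103, 4104) are the ones Windows writes for these features.

```powershell
# Added example (not from the original article): configure PowerShell audit
# logging and look for engine downgrades to version 2.
# Assumes Windows PowerShell 5.x and an elevated session.

#Requires -RunAsAdministrator

function Enable-PowerShellAuditLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Module logging (PowerShell 3+): records which commands ran and with
    # which parameters, written as Event ID 4103 in
    # Microsoft-Windows-PowerShell/Operational.
    $module = Join-Path $base 'ModuleLogging'
    New-Item -Path $module -Force | Out-Null
    Set-ItemProperty -Path $module -Name EnableModuleLogging -Value 1 -Type DWord

    # A ModuleNames entry of '*' = '*' logs every module instead of a
    # hand-picked list; this is the setting that produces the large data
    # volume the article warns about.
    $names = Join-Path $module 'ModuleNames'
    New-Item -Path $names -Force | Out-Null
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Script block logging (PowerShell 5+): records the de-obfuscated text of
    # every script block as it is compiled (Event ID 4104). Off by default.
    $block = Join-Path $base 'ScriptBlockLogging'
    New-Item -Path $block -Force | Out-Null
    Set-ItemProperty -Path $block -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Find-PowerShellDowngrade {
    param([int]$Days = 7)

    # Event ID 400 in the classic "Windows PowerShell" log is written each
    # time an engine starts, and its message carries EngineVersion=... and
    # HostApplication=... lines. Even the version 2 engine writes this event,
    # so it is the one place a downgrade still leaves a trace.
    $filter = @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.' } |
        ForEach-Object {
            # Pull out the command line that launched the v2 engine, e.g.
            # "powershell.exe -version 2", for triage.
            $host = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                MachineName     = $_.MachineName
                HostApplication = $host
            }
        }
}

Enable-PowerShellAuditLogging
Find-PowerShellDowngrade -Days 30 | Format-Table -AutoSize
```

Run it once per host (or push the same registry values through Group Policy) and feed the resulting 4103/4104 events to whatever collector you already have. The downgrade query is the check worth scheduling: a version 2 engine start on a machine that has PowerShell 5 installed is rarely legitimate. On hosts where nothing depends on the old engine, `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root` removes it entirely, so the downgrade path the article describes is no longer available.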

     A common misconception is that disabling PowerShell will prevent fileless malware attacks. Unfortunately, this approach will only make the jobs of IT professionals harder. Microsoft has made PowerShell nearly essential to using any of its products. For example, starting with Exchange 2007, Microsoft designed a GUI that only allows users to complete common administrative functions; PowerShell is required to carry out the less common ones. Additionally, all Microsoft products will eventually use PowerShell. Administrators who become skilled in PowerShell can manage most of Microsoft's newer products, and restricting PowerShell usage limits their ability to hone skills that could help their careers.