There’s some malicious code stored somewhere on one of the computers on our company’s network. Whenever the computer is on, the code starts to gather information about other employees’ credentials, as well as administrator permissions across the network. It then seeks out the company’s most valuable assets and makes a beeline for them. Once it has found what it was after, it begins the process of gathering all this sensitive information. And worst of all, the company’s cybersecurity solution hasn’t picked up on the installation of any files that could be considered a threat. The code that wrought so much damage on the company has disappeared, slipping away without a trace.
This nightmare situation is real. These Advanced Volatile Threats (AVT), better known as fileless malware, first appeared on our radar over a year ago. As we explained back then, this kind of threat is designed not to write onto the hard drive. Instead, it works from the memory, the RAM, for example. This lack of files on the hard drive makes it impossible for traditional protection systems to detect the threat, and presents a series of cybersecurity challenges. So, how is it that they can cause so much damage without using files? In many cases, one of the main attack vectors that it uses is PowerShell.
The perfect vector
PowerShell, the Windows system console (CLI), is the perfect attack vector for fileless malware. PowerShell allows systems administrators to fully automate tasks on servers and computers. As such, if cyberattackers manage take control of it, they can gain many permissions on the company’s system, something that would allow them to introduce more malware unhindered. What’s more, PowerShell goes beyond Windows; it also allows users to control certain applications such as Microsoft Exchange, SQL Server and IIS.
With all these capabilities, fileless malware usually leverages PowerShell to introduce its malicious code into the console, lodging itself in the RAM. Once the code has been executed in PowerShell, it becomes a “lateral” attack vector on corporate networks, i.e., it propagates from the central server rather than opting for external input.
Since there is no trace of the code on the hard drive of the first computer infected by the malware, Windows Defender and many other traditional security solutions fail to detect the attack, except under heuristic monitoring systems that are run frequently.
How to counter fileless malware
The first line of defense against fileless malware is very simple, though it may not work for all organizations and corporate networks: disabling PowerShell if it is not necessary to administer systems. This can only be the case if the administrator is using another kind of tool to automate their tasks. In these cases, not enabling PowerShell would be the best form of protection.
If the administrators’ habitual use of PowerShell means that it cannot be disabled, the second measure is to make sure that the organization’s computers and network are running the latest version of PowerShell. Here, PowerShell 5 has additional security measures for Windows.
Another step that can be taken is to enable only certain features of PowerShell, which is what Constrained Language mode does. This can stop potentially dangerous actions such as arbitrary calls to Windows APIs or deactivation of certain macros, but won’t stop all kinds of attacks.
On the other hand, Microsoft has introduced more and more advanced features in PowerShell logging, that is, the automatic transcription of commands, especially for actions that turned out to be a symptom of a cyberattack. Enabling these transcription features can help companies to carry out these forensic tasks when they suspect that there has been a fileless malware attack.
Finally, it is vital that companies have advanced cybersecurity solutions. Panda Adaptive Defense uses preventive technologies such as permanent antimalware services, which are possible thanks to the use of big data and machine learning to detect attacks based on anomalous behaviors. Our behavioral analysis technology and IoA (scripts, macros etc.) detection allows organizations to get ahead and to stop unknown processes, such as those that can generate fileless malware, from running.