
Hackers use their understanding of antivirus tools and how companies operate to take advantage of blind spots in network visibility and time lapses in protection. They get around threat detection software with approaches that don’t trigger traditional cybersecurity software.

CrowdStrike’s 2022 Global Threat Report found only 38% of attacks involved traditional malware, whereas 62% were identified as hands-on-keyboard attacks.

How are they attacking without malware?

Hackers have moved on to something called Fileless Malware.

Fileless malware uses tools built into the environment like SSH or Microsoft Windows PowerShell to launch an attack. Instead of touching the hard drive, the fileless malware is memory-based, executing in RAM and going undetected by traditional antivirus technology that looks for signature malware files.

This technique is called LOTL, or “Living off the Land.” These attacks usually take advantage of areas that traditionally struggle with visibility, like cloud applications and endpoints. According to an article shared by TechTarget, endpoints are today’s number one entry point for cyberattacks.

Fileless malware attacks are becoming much more common and circumvent most of the endpoint protection and detection tools deployed today. – Gartner security analyst Avivah Litan

Let’s look at a few examples of how these attacks begin.

How does a fileless malware attack begin?

Like traditional malware, fileless malware looks for vulnerabilities to exploit – the difference is how the malware is delivered. The three most common tactics used in fileless malware attacks are phishing, command-line changes in whitelisted applications, and pharming.

Phishing is one of the most frequently used ways for fileless malware attacks to take root. Phishing happens when the target is tricked into clicking on a link or attachment in an email. The threat actor pretends to be someone within the organization and usually expresses urgency and applies pressure to get a faster response.

Trusted command-line applications that are already installed and whitelisted, like JavaScript, VBScript, Windows Management Instrumentation (WMI), SSH, or PowerShell, provide the perfect environment to inject malicious scripts within legitimate ones and begin lateral infiltration. Command-line applications are usually whitelisted and not monitored.

Pharming happens when an individual is redirected from the intended website to an IP address controlled by the hacker through DNS manipulation. These copycat websites scan for weaknesses in plugins to exploit. The site then injects malicious code into the browser’s memory where it is not detected.

Here’s an example of two websites, one fake and one legitimate. It’s challenging to detect fake sites with just the human eye. This is why fake websites are so effective and why it’s critical to have a security platform with supervised modeling that can peek into packet dynamics to classify malicious websites quickly.


fake website designed for fileless malware attack

The Ponemon Institute found that fileless attacks were 10x more likely to succeed than file-based attacks. This is primarily due to legacy antivirus tools’ inability to detect this type of malware.

Let’s take a look at how fileless malware attacks work, in this case with a successful phishing attempt:

fileless-malware diagram

Why can’t traditional antivirus and cybersecurity tools detect fileless malware?

Most monitoring tools cannot detect command-line changes, which means a hacker using PowerShell bypasses detection.
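One way to get visibility into that gap is to log process creation with full command lines and triage the records. The following is an added example, not from the original article or from any product it describes; the field names are modeled on Sysmon process-creation events, and the process lists and sample records are constructed assumptions.

```python
import ntpath

# Script hosts for the tools the article names (PowerShell, VBScript and
# JavaScript via Windows Script Host, WMI). The list is an assumption to tune.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "wmic.exe"}
# Applications that typically open a phishing link or attachment (assumption).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def exe_name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()

def has_encoded_command(command_line):
    """True if an argument is PowerShell's -EncodedCommand or an abbreviation of it."""
    for token in command_line.split():
        name = token[1:].lower()
        if token[0] in "-/" and name and (name == "ec" or "encodedcommand".startswith(name)):
            return True
    return False

def triage(event):
    """Return the reasons a process-creation record deserves analyst review."""
    child, parent = exe_name(event["image"]), exe_name(event["parent_image"])
    reasons = []
    if child in SCRIPT_HOSTS and parent in DOCUMENT_APPS:
        reasons.append(f"{child} started by {parent}")
    if child in {"powershell.exe", "pwsh.exe"} and has_encoded_command(event["command_line"]):
        reasons.append("encoded PowerShell command line")
    return reasons

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "ws-014", "image": PS,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -enc <BASE64-PLACEHOLDER>"},
    {"host": "ws-022", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"host": "ws-031", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": r'wscript.exe "C:\Users\user\AppData\Local\Temp\invoice.js"'},
]

def review_queue(events):
    """Pair each host with its reasons, skipping records that raise none."""
    return [(e["host"], reasons) for e in events if (reasons := triage(e))]

if __name__ == "__main__":
    for host, reasons in review_queue(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The interactive PowerShell session started from Explorer raises nothing, which is the point: the signal is the parent-child relationship and the argument shape, not the presence of PowerShell itself.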

Signature-based endpoint detection is an exhausting game of catch-up. Kaspersky reported finding up to 380k malware files a day in 2021 – keeping up with new signatures and updating and releasing patches to cybersecurity solutions means constant maintenance on the end-user side and opportunity for vulnerability gaps in between. This reactive method of keeping pace with new malware variants is not very efficient.

Not only does fileless malware not have a signature to detect, but the opportunity has grown for these attacks to occur with the growing number of endpoints. The number of endpoints per organization has skyrocketed to accommodate the ever-increasing demand for remote or hybrid work options. If there is no visibility into these endpoints, the likelihood of catching a fileless malware attack is slim to none.

Remove blindspots with ThreatEyeNV

ThreatEye is a next-gen NDR that can spot fileless malware attacks. ThreatEye has a keystroke mechanism that can identify keystrokes in active traffic. When hackers create reverse SSH shells, we track and classify the new encrypted, tunneled service activity, identify active keystrokes, characterize the relationship of the SSH activity, and correlate those findings to other behaviors using an event correlation engine (ECE). We scan across the network and look for indicators like a bidirectional connection to a port that was just scanned, indicating lateral movement.
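The last indicator, a bidirectional connection to a port that was just scanned, can be expressed as a correlation over flow records. This is an added example, not ThreatEye's implementation or code from the original article; the record fields, thresholds and sample flows are constructed assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions to tune against your own flow data.
SCAN_WINDOW = 60          # seconds in which probes count as one scan burst
MIN_PORTS = 10            # distinct ports probed before it counts as a scan
FOLLOW_WINDOW = 900       # seconds after a probe in which a session is suspect
PROBE_MAX_BYTES = 200     # flows this small (both directions summed) are probes
SESSION_MIN_BYTES = 1000  # minimum bytes in EACH direction for a real session

def correlate(flows):
    """Return alerts for two-way sessions to a port the same source just scanned."""
    probes = defaultdict(dict)  # (src, dst) -> {dport: time of last probe}
    alerts = []
    for f in sorted(flows, key=lambda f: f["ts"]):
        seen = probes[(f["src"], f["dst"])]
        if f["bytes_out"] + f["bytes_in"] <= PROBE_MAX_BYTES:
            seen[f["dport"]] = f["ts"]
            continue
        probed_at = seen.get(f["dport"])
        two_way = min(f["bytes_out"], f["bytes_in"]) >= SESSION_MIN_BYTES
        if probed_at is None or not two_way or f["ts"] - probed_at > FOLLOW_WINDOW:
            continue
        # Size of the scan burst that the probe of this port belonged to.
        burst = [p for p, t in seen.items() if abs(t - probed_at) <= SCAN_WINDOW]
        if len(burst) >= MIN_PORTS:
            alerts.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                           "ports_probed": len(burst), "delay_s": f["ts"] - probed_at})
    return alerts

def flow(ts, src, dst, dport, bytes_out, bytes_in):
    """Build one flow record in the shape correlate() expects."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "bytes_out": bytes_out, "bytes_in": bytes_in}

def sample_flows():
    """Constructed flow records (not captured traffic)."""
    ports = [21, 22, 23, 25, 80, 135, 139, 443, 445, 3306, 3389, 8080]
    flows = [flow(1000 + i, "10.0.5.23", "10.0.5.40", p, 60, 60 if p == 22 else 0)
             for i, p in enumerate(ports)]
    flows.append(flow(1100, "10.0.5.23", "10.0.5.40", 22, 4200, 9800))  # follows the scan
    flows.append(flow(1200, "10.0.5.7", "10.0.5.40", 22, 5100, 12000))  # no scan before it
    flows += [flow(1300 + i, "10.0.5.9", "10.0.5.40", p, 60, 0) for i, p in enumerate([80, 443])]
    flows.append(flow(1400, "10.0.5.9", "10.0.5.40", 443, 3000, 40000))  # only 2 probes
    return flows

if __name__ == "__main__":
    for alert in correlate(sample_flows()):
        print(alert)
```

Only the first source is reported: the administrator's SSH session has no preceding scan, and the third host probed too few ports to count as one.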

The ability to monitor scripting engines and activity in PowerShell is an indicator of a next-generation security solution. ThreatEye’s 100% detection rate of malicious websites keeps your organization safe, even when individuals aren’t using the best judgment.

Learn more about the capabilities of ThreatEye and schedule a Live 1:1 demo today.