How does this fileless malware attack occur?
The big picture: the attacker abuses legitimate, signed Windows components such as PowerShell and Windows Management Instrumentation (WMI) and runs the malicious logic in memory from the command line, rather than dropping an executable on disk for a scanner to find. The initial foothold still usually arrives by ordinary means (a malicious document macro, a phishing link, an exposed service), but everything that follows never touches the file system in a form a file scanner recognizes. The sneaky part is that because PowerShell and WMI are trusted parts of Windows, many traditional scanners treat the host process as benign and never inspect the script it is executing. Once inside, the attacker can retrieve sensitive data and move laterally to other machines on the network at their leisure, for example by using WMI to launch commands on remote hosts.
Why fileless malware now?
The reason sophisticated attackers have shifted toward fileless techniques is simple: traditional file-scanning antivirus and anti-malware products are not looking where these attacks happen, because they were never designed to. Signature-based AV is built around one event, a file being written to disk, which it then hashes or scans. Fileless malware keeps its payload in memory, in the registry, or in the WMI repository and executes it through a process the AV already trusts. Does that make traditional AV useless against this class of attack? For the file-scanning component, largely yes; it may still catch the document or downloader that delivered the first stage, and newer endpoint products hook script execution (for example through AMSI on Windows 10 and later) and watch process behaviour rather than files. Note that PowerShell and WMI are not "compromised" here; they work exactly as designed and are simply being driven by an attacker. On a host where script execution is not logged or inspected, that attacker can sit undetected for as long as they like, pilfering data at their convenience.
Steps to protect yourself against fileless malware attacks
Despite the claim that this brand of malware is undetectable, let's get it out there that it is not literally undetectable. It only seems so when compared with file-based malware, because the evidence lives in process memory, script logs and WMI rather than on disk. The steps below aren't foolproof, but they provide a layered, systematic approach that should reduce risk to your organization.
- Restrict PowerShell where users don't need it, and log it everywhere. Use application control (AppLocker or Windows Defender Application Control) and Constrained Language Mode to limit what scripts can do, remove the legacy PowerShell 2.0 engine (it predates the modern logging and AMSI hooks), and enable script block logging so that whatever does run is recorded. The execution policy setting is not a security boundary and is bypassed trivially. WMI cannot simply be switched off, since Windows itself depends on it, so monitor it instead: permanent event subscriptions in the root\subscription namespace are a common place for fileless persistence to hide.
- Disable Office macros if you're not using them. If you are, allow only macros digitally signed by a publisher your organization has vetted, and block macros in documents that arrived from the internet. No signature means it doesn't run.
- Regularly review proxy, firewall and DNS logs for inordinate amounts of data LEAVING the network, and for script hosts such as powershell.exe or wmiprvse.exe making outbound connections. Hint: it could be going to an attacker.
- Look for deviations from the system's baseline behaviour: Word or Outlook spawning PowerShell, the WMI provider host launching command shells, or command lines with encoded or hidden-window arguments.
- Update your software regularly. The first stage still typically relies on an exploitable or misconfigured component to get in.
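The PowerShell, WMI, egress and baseline steps above, worked as one added PowerShell audit script. This is an added example and not code from the original article; the indicator regexes, the list of script-host process names and the 24-hour lookback are this example's own assumptions and should be tuned to your environment. It uses only built-in cmdlets (Get-WinEvent, Get-CimInstance, Get-NetTCPConnection) and must run from an elevated session.

```powershell
# Added example, not from the original article. Audits a Windows host for abuse of the
# two components discussed above. Run from an elevated PowerShell session.
# Indicator patterns, process names and the 24-hour window are assumptions; tune them.

# 1. Record what PowerShell actually executes (Event ID 4104, script block logging).
#    Without this, de-obfuscated script content never lands anywhere a defender can read.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# 2. Hunt recent 4104 events for download cradles and encoded commands.
#    Returns the matching events; an empty result is the good outcome.
function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Assumed indicator list. -match is case-insensitive by default.
    $patterns = @(
        'DownloadString', 'DownloadFile', 'Net\.WebClient', 'Invoke-WebRequest',
        '\biex\b', 'Invoke-Expression', 'FromBase64String', '-e(nc\w*|c)?\b',
        'Reflection\.Assembly', 'VirtualAlloc', '-nop\b', '-w(indowstyle)?\s+hidden'
    )
    $regex  = $patterns -join '|'
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Properties[2] of a 4104 event is the ScriptBlockText field.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $regex } |
        Select-Object TimeCreated,
                      @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# 3. Enumerate WMI permanent event subscriptions: an __EventFilter (a WQL trigger) bound to
#    an __EventConsumer (the action). A CommandLineEventConsumer or ActiveScriptEventConsumer
#    here is a classic fileless persistence mechanism. Many Windows installs carry one benign
#    built-in binding, "SCM Event Log Filter" -> "SCM Event Log Consumer"; anything else
#    deserves a look.
function Get-WmiPersistence {
    $ns        = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # Filter/Consumer are CIM references; match them back to the full instances by Name.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        # Only command-line and script consumers carry an inline payload worth showing.
        $payload = $null
        if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate } elseif ($c.ScriptText) { $payload = $c.ScriptText }
        [pscustomobject]@{
            Filter   = $f.Name
            Query    = $f.Query
            Consumer = $c.Name
            Type     = $c.CimClass.CimClassName
            Payload  = $payload
        }
    }
}

# 4. Script hosts holding established TCP connections (the egress check).
#    Assumed process-name list; extend it for your estate.
function Get-ScriptHostConnections {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($p -and $p.Name -match '^(powershell|pwsh|wmiprvse|wscript|cscript|mshta|regsvr32)$') {
            [pscustomobject]@{
                Process = $p.Name
                PID     = $p.Id
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            }
        }
    }
}

Enable-ScriptBlockLogging
'--- PowerShell script blocks matching fileless indicators (last 24h) ---'
Find-SuspiciousScriptBlocks | Format-Table -Wrap -AutoSize
'--- WMI permanent event subscriptions ---'
Get-WmiPersistence | Format-Table -Wrap -AutoSize
'--- Script hosts with established TCP connections ---'
Get-ScriptHostConnections | Format-Table -AutoSize
```

Two caveats when running this. Once script block logging is on, this hunting script itself contains every indicator string and will show up in its own 4104 results; exclude it by path (Properties[4] of the event) or accept the one known hit. And 4104 events are only written going forward, so the first run on a host that never had logging enabled will find nothing in the event log even if the WMI and network checks turn something up.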