
Cylance vs. Fileless Malware

By The Cylance Team

Fileless, Malwareless, In-Memory Malware… regardless of what trendy names these attacks are given by the press, they all share the same attack characteristics. Generally speaking, these attacks do not write files to disk, but rather, they exist and operate solely within system memory. They often utilize common admin tools such as PowerShell that are widely available yet rarely controlled on most enterprise systems. As a result, these attacks are often called ‘living off the land’ attacks as well.   

Today’s Threat Spotlight blog by the Cylance Threat Guidance team highlights the technical details of two such malware families. Our endpoint protection product CylancePROTECT® uses artificial intelligence and machine learning to easily thwart these types of attacks in your enterprise.

Introduction

Fileless malware is relatively sophisticated to build and deploy, so it remains uncommon in the wild, but it still poses a very real threat. It differs from most other malware by not leaving files on disk – hence the name. Instead, it uses a variety of tricks to stay resident in memory and to execute commands using tools that already exist on the machine.

It often uses a tool like PowerShell to coordinate the attack, together with a Meterpreter payload whose in-memory DLL injection stagers set up additional attacks. Because it writes nothing to disk, it poses a unique challenge to traditional security products that rely on inspecting files on disk in order to match a detection to a signature.

Fileless Malware is Here to Stay

Two families of fileless malware, Poweliks and Kovter, use similar techniques to infect a system. First, encoded JavaScript is written into the registry under the Run key, alongside an AutoRun entry that reads and decodes it. In the second stage of the attack, PowerShell decrypts a malicious DLL and injects it into a standard Windows process. This technique lets the malware stay resident in memory and evade traditional antivirus defenses.
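The persistence pattern described above leaves a footprint in one well-defined place: the Run key values themselves. As an added example (not Cylance's code and not its detection logic), the following Python triages Run-key entries for exactly that pattern. It flags values that carry script inline instead of pointing at a program file, values that launch PowerShell with an encoded command (decoding the UTF-16LE base64 and looking for in-memory loading and injection API names), and values far longer than a normal path plus switches. The sample entries, the value names, the placeholder host executable and the indicator lists are all constructed assumptions for this example.

```python
"""Triage Windows Run-key autorun entries for fileless-style persistence.

Added example for this post, not Cylance code. It models the persistence
pattern the text describes (script stored in a Run value, decoded and handed
to PowerShell) and flags entries that carry script inline, launch PowerShell
with an encoded command, or are far longer than a normal "path + switches".
"""
import base64
import re
from typing import Dict, List, Tuple

# Indicators of a Run value that executes script rather than a program file.
INLINE_SCRIPT_RE = re.compile(r"javascript:|\beval\s*\(", re.I)
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# -e, -ec, -enc ... -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED_ARG_RE = re.compile(
    r"(?:^|\s)-e(?:ncodedcommand|ncoded|ncode|ncod|nco|nc|c)?\s+([A-Za-z0-9+/=]{16,})",
    re.I,
)
# API names typical of in-memory loading/injection; a decoded autorun script
# mentioning these deserves review. Assumption of this example, not a complete list.
MEMORY_API_RE = re.compile(
    r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread|"
    r"Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b",
    re.I,
)
MAX_NORMAL_LEN = 512  # legitimate Run values are a short path plus a few switches


def decode_encoded_command(cmd: str) -> str:
    """Return the UTF-16LE script behind a PowerShell -EncodedCommand, or ''."""
    match = ENCODED_ARG_RE.search(cmd)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_entry(cmd: str) -> List[str]:
    """Return human-readable findings for one Run value's command line."""
    findings: List[str] = []
    if INLINE_SCRIPT_RE.search(cmd):
        findings.append("inline JavaScript in autorun command")
    if POWERSHELL_RE.search(cmd):
        script = decode_encoded_command(cmd)
        if script:
            if MEMORY_API_RE.search(script):
                findings.append("encoded PowerShell referencing in-memory loading/injection APIs")
            else:
                findings.append("encoded PowerShell command")
    if len(cmd) > MAX_NORMAL_LEN:
        findings.append(f"autorun value is {len(cmd)} chars long")
    return findings


def scan_run_entries(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its findings; clean entries are omitted."""
    report: Dict[str, List[str]] = {}
    for name, cmd in entries:
        findings = analyze_entry(cmd)
        if findings:
            report[name] = findings
    return report


# Constructed sample entries (value name, command line), as they might be read
# from HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Not real artifacts:
# the encoded stub only names an API, and the script host is a placeholder.
_ENCODED_STUB = base64.b64encode(
    "$asm = [Reflection.Assembly]::Load($bytes)".encode("utf-16-le")
).decode()
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Updater", r'C:\Windows\System32\HOST_PLACEHOLDER.exe javascript:eval("CONSTRUCTED_PLACEHOLDER")'),
    ("Loader", f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENCODED_STUB}"),
]

if __name__ == "__main__":
    for value_name, value_findings in scan_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"{value_name}: {'; '.join(value_findings)}")
```

On a live host the entries would come from both the HKCU and HKLM Run keys (for example via `winreg` or an exported `.reg` file); the heuristics are deliberately coarse, so treat a hit as a lead for analysts rather than a verdict.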

CylancePROTECT Stops Fileless Malware

While most fileless attacks still rely on spam or spear phishing as the initial attack vector, we know that it is simply not realistic to block all email attachments in enterprise environments. Security controls should not be so restrictive that they compromise business operations, nor should they cause employees to attempt to circumvent them in order to carry out basic job duties like reading email.

CylancePROTECT uses multiple protection elements to stop this type of threat before it causes any damage. Its memory defense protects against process injection techniques, and its script control provides robust protection by preventing malicious scripts from being used in concert with PowerShell.

If you don't have CylancePROTECT, contact us to learn how our artificial intelligence based solution can predict and prevent unknown and emerging threats before they ever execute.
