The Who, How, and Why Behind Fileless Attacks

By Yahav Levin

Notoriously difficult to detect, fileless malware uses system tools and in-memory execution techniques to do its damage. With fileless malware, adversaries don't have to create or install special tools to bypass defenses, conduct reconnaissance, deliver payloads, or execute malicious activity. Overall, fileless malware attacks increased 265% in 2019[1].

Fileless attacks have traditionally abused Windows OS tools or processes, but in December 2019, a fileless was detected. They contain malicious code hiding in memory of legitimate applications. And unlike file-based malware that is dropped to disk and run from the hard drive, fileless attacks are executed right from system memory. This characteristic makes it impossible for legacy, signature-based antivirus solutions to detect fileless attacks and to blacklist them. Although EDR solutions are increasingly built to detect these attacks, adversaries often evade those defenses as well.

The following list is a small sample of what's in the wild.  By understanding how they are used­—and by whom—you can defend against them. Additional details about each can be found at the MITRE ATT&CK Framework. 


PowerShell

PowerShell has been a mainstay of malware attacks for many years. Virtually every APT group uses it to download and execute payloads, install back doors and other tools, move laterally, escalate privileges, and conduct reconnaissance.

 

BITSadmin

The Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, file-transfer mechanism commonly used for background tasks such as updates and message delivery. Because BITS tasks are self-contained and don't require new files or registry modifications, firewalls usually permit them. Adversaries abuse BITS to download, execute, and clean up after running malicious code. BITS can be used to exfiltrate data, download backdoors and malicious payloads, download additional attack tools for lateral movement, and maintain persistence on a system.

The Leviathan cyber espionage group typically uses BITSadmin as it targets defense and government organizations, engineering firms, shipping and transportation, manufacturing, and research universities in the United States, Western Europe, and China. Tropic Trooper is another threat group that often uses BITSadmin in attacks on targets in Taiwan, the Philippines, and Hong Kong. 

 

MSBuild.exe

Microsoft Build Engine (MSBuild.exe) is a developer utility that uses XML-formatted project files defining requirements for building various platforms and configurations. As a signed Microsoft binary, attackers use it to bypass application whitelisting defenses and insert code into XML files or execute arbitrary code. Attacks built on the Empire open source remote administration and post-exploitation framework and the PlugX remote access tool (RAT) commonly use MSBuild.exe. Many different APT groups use this technique. Chinese threat groups such as APT3, MenuPass, Threat Group 3390, SoftCell, and others are well known, as is DragonOK—a threat group that has targeted Japanese organizations with phishing emails.

 

WMI

Windows Management Instrumentation (WMI) is a Windows feature that provides a uniform environment for local and remote access to Windows system components. For adversaries, it's a convenient tool for bypassing user account control, dumping credentials, obfuscating data, disabling security tools, copying files remotely, tainting shared content, enabling lateral movement, and delivering payload. WMI has been used in many infamous ransomware attacks, such as Olympic Destroyer, RobbinHood, NotPetya, and WannaCry. Trojans, such as Astaroth and Emotet, use WMI to execute payloads and other files. Chinese threat groups known for abusing WMI include Soft Cell, Deep Panda, and APT41, while Russian (APT29), Iranian (OilRig), North Korean (Lazarus Group), and cyber crime groups (FIN6) also make extensive use of WMI.

 

Runonce

Runonce abuses Windows Registry keys created by default on Windows systems. The fileless attack technique adds entries to "run keys" in the Registry or startup folder, causing malicious programs to run under the context of the user and his associated permissions. Registry run key entries can reference programs directly or list them as a dependency. Adversaries use Runonce to establish persistence, execute malware, and "masquerade" Registry entries to look like they are associated with legitimate programs. APT groups from China, Russia, Southeast Asia, Pakistan, Iran, and other countries have used Runonce tactics extensively via malware variants. Well-known variants include Carbanak, Cobalt Group, Emotet, Leviathan, Machete, TrickBot, XBash, and Zeus Panda.

 

Simulate Fileless Attacks to Boost Defenses

Cymulate simulates fileless attacks like those launched by real adversaries, using legitimate tools to run malicious commands. In each simulation, you receive results tagged to the MITRE ATT&CK Framework, where you can learn more about each threat. Cymulate goes beyond reporting to also provide you with additional guidance on mitigation, detection, and analysis.

Learn more—read about Testing Security Effectiveness with the MITRE ATT&CK™ solution brief, or by signing up for a free trial today.

Start a Free Trial

[1] Fileless Malware Detections Soar 265% in 2019, Infosecurity, August 30, 2019

Subscribe to Our Blog

Stay up to date with the latest cybersecurity news and tips