Hiding in event logs and memory, fileless malware avoids AV

“Please find attached the Payments Report for 04/27/2022,” read an email recently found by Fortinet Fortiguard Labs, the threat intelligence platform and research wing of the California-based cybersecurity tech provider Fortinet.

The attachment, no surprise, surely, to security-minded readers, was an infected Excel document where the undisclosed target could, in fact, please find three kinds of malicious code attached.

The Fortinet discovery is an example of fileless malware – intrusive software that can dodge signature-based antivirus tools by hiding out not in files, but in memory.

Fileless malware uses a system’s legitimate processes, tools, and scripts to conduct a cyber attack.

The payments report, for example, executed code via the native Microsoft configuration tool PowerShell, according to the Fortinet report. With a cross-platform shell and scripting language, PowerShell allows the automation of commands like ending a user session, sending a pop-up message, deleting a file, or in the case of the Fortinet findings, deploying malware.

With fileless malware, there’s no file for antivirus tech to detect.

“Most of your antivirus programs, they’re looking for something that's written to the disk. And that’s what they check,” said Erich Kron, a security awareness advocate at Florida-based training provider KnowBe4. “When it runs in memory, they don’t ever see it. So it’s a very clever and very easy way to bypass most of the anti-malware, antivirus [tools].”

They’re Macro-ly Malicious

The Excel add-in (.xlam) file found in the Fortinet-reported attack contained malicious versions of the automated programs known as macros. When opened in Microsoft Excel, the program will ask if the user wants to enable the macro (don’t enable the macro!), activating the fileless malware, which adds tasks into the system task scheduler that remain on the victim’s device.

The payments report, which arrived from a believable-enough “accountpayable” email address, is just one of the instances of fileless malware seen this week.

A New Malware Hideout: Event Logs

In early May, Kaspersky Labs uncovered an attack that injects shellcode into Windows event logs. The Kaspersky findings demonstrated the specifics of the sophisticated hack and its initial step: First observed in September 2021, an attacker convinced an undisclosed user to download—and run—a .rar  from the legitimate site file.io. Once the .rar is downloaded, the legitimate OS error handler WerFault.exe module is compromised to inject shellcode snippets into event logs, which are then found, reassembled, and executed through PowerShell.

“We consider the event logs technique, which we haven’t seen before, the most innovative part of this campaign,” Denis Legezo, lead security researcher Kaspersky Labs, wrote in the report.

Beware the Unusual

To protect against the stealthy attacks, organizations must train their employees to recognize fraudulent emails—a common vector for fileless malware. “It comes in through phishing, most often,” said Kron.

Endpoint security products also increasingly support behavior-analytics capabilities that monitor anomalous behavior, like if a computer starts to do an unexpected network scan, according to Kron.

“When you’re looking for tools to purchase or you’re looking for products, make sure that they look for some of these behavior analytics or unusual patterns that go on in there,” he said.—BH