On non-malware, fileless attacks

It is spring again, and it is time for reports on IT Security or in-Security in 2016.

One thing caught my eye this year, and I am not sure if it is a trend, just a coincidence or my susceptibility: I noticed a comeback of fileless malware, also called counter-intuitively “non-malware”. This is malware which does not install itself on the filesystem of the target machine but instead can load part of itself in memory (RAM), uses tools of the Operating System (PowerShell, WMI etc.) and local applications, hides parameters and data for example in the Widows Registry.

Actually there is nothing really new here, the very old “macros viruses” were of this type. What has changed is that today personal computers and servers run for very long time (very few people switch completely off their computers daily, usually personal computers are just set to “sleep”), which gives a much longer persistence to this type of malware. Obviously fileless malware is more difficult to write and to maintain, but it is also more difficult to identify, that is it has more chances to escape detection by anti-malware and anti-virus programs. Moreover also pure behavioural analysis can be fooled by this type of malware, since it can use standard tools of the machine performing tasks just a little bit out of the ordinary. On the other side, in case of infection the malware is anyway present on the machine, so anti-malware tools have just to look better to find it.