New warning: Super-stealthy fileless malware on the rise

Super-stealthy, fileless malware is increasingly being used to defeat cybersecurity systems, according to a new government warning.
AlphaBay operated for three years as a marketplace on the Tor network, rising as a leader among dark web marketplaces due to its speed, reliability and availability of goods that separated the site from its competitors. (Flickr)

Super-stealthy, fileless malware is increasingly being used to defeat cybersecurity systems and allow hackers to gain control of heavily guarded computer networks — and most organizations aren’t equipped it to detect, let alone defeat it, according to a new government warning.

“We assess most organizations are not currently equipped to defend against these tactics,” states the New Jersey Cybersecurity and Communications Integration Cell in a recent public bulletin. The warning cautions that fileless or “non-malware” attacks could be used by cyberspies or those bent on theft or data destruction — as distinct from those cases where it has previously been employed in financial cybercrime.

The New Jersey cell states it has “high confidence that fileless and ‘non-malware’ intrusion tactics pose high risk to organizations, both public and private, and will be increasingly employed by capable threat actors intent on stealing data or establishing persistence on networks … to enable future acts of sabotage.”

The warning comes as researchers from Russia-based Kaspersky Lab  — in the Caribbean this week for their annual security analysts’ summit — revealed more details of the fileless attack they first discovered last year and reported in February. Hackers used the system access they got from the attack to milk ATM’s at two Russian banks of $800,000 in a single night, Sergey Golovanov and Igor Soumenkov told the summit in St. Martin.

Sergey Golovanov and Igor Soumenkov, security researchers at Kaspersky Lab, present findings this week. (source: Kaspersky)

Fileless attacks avoid installing any files on the hard drive of the targeted computer. Conventional malware is loaded in the same way any other software application is — a program called an executable, with a .exe file extension, is downloaded and installed. By contrast, fileless attacks typically make use of powerful and widely trusted system admin and security tools — including PowerShell, Metasploit, and Mimikatz — to inject their malicious code directly into the computer’s working memory. With nothing on the hard drive, conventional anti-virus tools won’t detect the attack, since they typically work by scanning the hard drive for malicious code.

The New Jersey warning says that, to defend against fileless attacks, “organizations must first adopt a comprehensive cyber-risk management framework and implement robust cybersecurity best practices and defensive measures.” To aid detection and forensics, “organizations will need to employ enhanced logging, monitoring, and analysis of all network, host, and user activity,” as well as a set of other mitigations. “To do so, enterprises may need to procure third-party products and managed services that include capabilities such as full system endpoint protection with memory and registry monitoring, behavioral analytics, next-generation firewalls, and email content inspection,” the warning states.

Golovanov said the banks who were the first targets of the attack they identified had no idea what had happened after the theft. “The bank’s forensics specialists were unable to recover the malicious executables,” he wrote.

Fileless malware “resides solely in memory and commands are delivered directly from the Internet, with no executables on disk, making it basically invisible,” wrote researchers at Israeli cyberdefense firm Morphisec last month.


These characteristics lead some security researchers to label such attacks “non-malware.” And cybersecurity company Carbon Black said in February that “2017 may become the year of non-malware attacks.”

The Morphisec researchers said they believed that the same group of hackers was behind all three campaigns using fileless attacks, discovered this year by Kaspersky Lab, FireEye and Cisco Talos.

Kaspersky researchers said the lack of a forensic trail and the use of common open source tools makes “attribution almost impossible,” but noted that some of the tactics used in the fileless bank attacks were similar to techniques employed by the Carbanak and GCMAN financial cybercrime threat actors.

FireEye also noted links between Carbanak and FIN7, which is its codename for the group behind a fileless attack against business executives involved in SEC filings for their companies.

The Kaspersky researchers said that although the attackers had covered their tracks very effectively at the banks they robbed, they were eventually able to recover samples of the software used to takeover the ATMs from two other banks that had been attacked — one in Russia and one in Kazakhstan. The samples appear to have been compiled by Russian-speaking hackers.


One of the lines of code, commanding the machine to spit out cash, is followed by the english instruction: “Take the money, b*tch!”

Latest Podcasts