Non-Malware (or Fileless) Attack: five knowledge points

Since May this year, WannaCry extortion software in the global outbreak, there have been Equifax experienced large-scale data leakage incidents, etc., the network security situation is very urgent, enterprises in the investment of new policies and safety products, the pressure doubled.

However, even if the increase in security budget, there are still many companies worried that the existing technology can not keep up with the rapidly changing threat situation. Companies are particularly concerned that more and more attacks will gain access to enterprise systems, secretly infect the system without having to download malicious programs or leave obvious traces, which is the so-called “Fileless attack.”

“Fileless attack” is also known as “non-malware attacks.” The bottom line of action for this type of attack is to use the trusted software and system tools for the victim’s enterprise to avoid detection. Such attacks quickly became the primary threat to IT and security experts.

Enterprise executives should understand the following five key knowledge points:

1, “Fileless” attacks mainly use traditional endpoints

Traditionally, cyber attacks involve malware, where attackers use malware to access the victim’s computer (which typically exploits software vulnerabilities or trickers to download files) and then installs a destructive executable attack.

From the point of view of the attacker, the problem with this approach is to be easily detected by anti-virus solutions. Without malicious files, attackers can easily bypass these security solutions, and attackers simply hijack other legitimate system tools and trusted applications to engage in illegal activities.

2. A large number of “Fileless” technology for attackers to use

High-level attacks can be divided into two main phases: the initial attack phase (access to the target system) and the exploits after the exploits (the activity that the attacker enters the system).

Attackers can use the “Fileless” technology in these two stages to achieve the goal, in order to avoid the traditional, and even the next generation of machines to learn anti-virus software.

In order to obtain initial access, an attacker exploits, for example, an attacker who uses a repaired Apache Struts vulnerability to execute a malicious command in the Equifax data disclosure case. Commonly used “Fileless” technology is the use of defective applications, and the code into the normal system process, access to access, and the implementation of orders in the target device, and will not be aware of. Once the initial attack is complete, the attacker can abuse the powerful system management tools (such as PowerShell, PsExec, and WMI) to avoid detection. With legitimate use cases, attackers can hide in the “broad daylight” under the right, in the network horizontal activities, and modify the registry to maintain persistence.

3. “Fileless” attack to attack with the implementation of documents

People often misunderstand “Fileless” attacks and think that it does not involve files. However, this is not the case, such attacks will usually use the file in the initial attack phase, the biggest difference is that these files are not malicious executable files, but documents such as Microsoft Office documents.

The challenge of traditional endpoint security is that the files themselves do not have malicious features, so security scans are like useless, and these files become the perfect tool for attacking.


For example, an attacker may begin to trick an employee from opening a Word document in a phishing email, and the victim may have no intention of activating the macro or script, and the macro or script will then enable PowerShell. After that, the attacker will use PowerShell to directly execute the malicious code in memory, so that the attack to the “Fileless” of the road.

Because the components of such attacks are not malicious, security solutions need to be able to observe the behavior of the chain of attacks and identify when other attacks from other legitimate procedures to attack.

4. “Fileless” attacks more and more

In fact, “Fileless attack” technology has been around for some time. For example, the beginning of the 21st century there has been memory exploits: Code Red and SQL Slammer worms. However, creating and widely disseminating easy-to-use attack tools and exploit tools makes “fileless” attacks more common, especially Metasploit and PowerSploit penetration testing frameworks are vulnerable to abuse because they provide off-the-shelf “no file” To implement any attack.

Therefore, such technology is not limited to skilled hackers and national espionage organizations, ordinary cybercriminals have gradually used a large number of “Fileless” technology to attack enterprises. “SANS 2017 threat situation survey” shows that nearly one-third of the surveyed companies reported a “fileless” attack.

5. How to prevent “Fileless” attacks?

Although “Fileless” technology is good at avoiding detection, there are still ways to reduce risk.

First, companies should disable less commonly used management tools. Or at least restrict permissions and functions. Because many “fileless” technologies rely on PowerShell, businesses should consider disabling or limiting its functionality.

Similarly, disabling Office macros eliminates the most common starting point for “Fileless” attacks. Enterprises should promptly repair the operating system and applications, repair is not feasible, the enterprise should isolate these systems to prevent potential attack spread.

Enterprise IT departments should identify malicious activity and behavior on the endpoint to detect and block “Fileless” attacks. There are new endpoint solutions that can prevent “fileless” attacks in real time, and IT and security executives should study new endpoint solutions and choose the most appropriate security solution.