FILELESS MALWARE DETECTION

Fileless malware is particularly hard to detect because it resides in system RAM and exploits authorized system and administrative tools in ways that elude whitelisting and other common threat mitigation strategies.

BluVector Advanced Threat Detection™ includes the capability to rapidly analyze potential fileless threats before they could infect end-user systems or begin moving laterally throughout the enterprise network. BluVector’s analytic fileless malware tool, called the Speculative Code Execution (SCE) engine, identifies suspicious fileless code sequences and is the only solution capable of detecting fileless malware at the perimeter.

What is fileless malware?

Fileless malware is a malicious script that gets loaded into a system’s memory (RAM) by a legitimate application resident on the end-user’s system. Fileless malware can be unintentionally fetched from a remote server and, unlike file-based malware, will not leave any files on a storage drive that can be detected by signature-based anti-virus (AV) software. Furthermore, fileless malware can operate under the guise of a legitimate process and persist in memory until the infected system is rebooted or powered down, leaving very little evidence of its activity or that it was ever present. All this makes fileless attacks significantly more difficult to detect and remediate.

Why has detection of fileless malware become important?

Fileless malware has been around for years but was relatively rare and posed a limited threat. This changed in 2014 with Poweliks, a click-fraud Trojan that got the attention of cyber-criminals since it was the first fileless malware to demonstrate persistence. Today, fileless techniques are much more common, with fileless attacks serving as the basis for more sophisticated incursions. A 2018 survey, conducted by the Ponemon Institute, of over 600 cybersecurity professionals responsible for managing their organization’s security strategy, found that fileless malware accounted for over one-third of all malware attacks and was on the rise.

What happens once fileless malware infects?

Once the malware is in memory, attackers can launch administrative tools such as PowerShell or Windows Management Instrumentation (WMI) to steal or elevate credentials, inspect network assets, or establish backdoor connections to remote command and control (C2) servers. These activities appear as legitimate processes to the end-user unless their behavior comes under very close inspection. Fileless attacks are often used as a first step into a more sophisticated file-based infection. In the second step of the infection, the device downloads and installs malicious programs directly to system memory or to hidden directories. Once installed, the threat actor can also employ a variety of tactics, such as hiding a start-up script inside the Windows registry, to remain in control of the system after a shutdown or reboot.
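The post-compromise activity described above (script hosts launched from an in-memory foothold in an office application, WMI-spawned shells, encoded PowerShell command lines, a start-up entry written to the registry) leaves no file to scan but is visible in process-creation telemetry. The following is an added example, not BluVector code or SCE output: a small Python pass over constructed process-creation events that tags each with the behavioural rule it trips and decodes any -EncodedCommand payload for the analyst. The event format, rule names and sample lines are constructed for this illustration; real telemetry would come from Sysmon Event ID 1, Windows Security event 4688 or an EDR feed.

```python
"""Behavioural detection pass over process-creation events.

Added illustration, not BluVector's code. Event format, rule names and
sample lines are constructed for this example.
"""
import base64
import re
from dataclasses import dataclass

# Parent/child pairings the text describes: administrative tooling launched
# from an in-memory foothold inside an office application or via WMI.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
WMI_HOST = "wmiprvse.exe"

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the argument
# is base64 of the UTF-16LE script text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                          re.IGNORECASE)
# Per-user and per-machine autostart keys used to survive a reboot.
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\b", re.IGNORECASE)

# Constructed: the encoded payload is a harmless Write-Host so the decode
# step can be checked end to end.
ENCODED_SAMPLE = base64.b64encode("Write-Host 'sample'".encode("utf-16le")).decode("ascii")

# Constructed sample events: "timestamp | user | parent image | command line".
SAMPLE_EVENTS = [
    r"2020-03-01T10:00:01 | alice | explorer.exe | C:\Windows\System32\notepad.exe notes.txt",
    "2020-03-01T10:02:14 | alice | winword.exe | powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_SAMPLE,
    r'2020-03-01T10:02:15 | alice | powershell.exe | reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "<startup command placeholder>"',
    r"2020-03-01T10:03:00 | alice | wmiprvse.exe | cmd.exe /c whoami",
    r'2020-03-01T10:05:00 | svc_backup | services.exe | "C:\Program Files\Backup\agent.exe" --run',
]


@dataclass
class Finding:
    timestamp: str
    rule: str
    detail: str


def image_name(cmdline: str) -> str:
    """Lower-case basename of the first (possibly quoted) token of a command line."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    token = (m.group(1) or m.group(2)) if m else ""
    return token.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand argument; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return one Finding per rule each event trips, in event order."""
    findings = []
    for line in events:
        ts, _user, parent, cmdline = [p.strip() for p in line.split("|", 3)]
        parent = parent.lower()
        child = image_name(cmdline)
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            findings.append(Finding(ts, "office-spawned-script-host", f"{parent} -> {child}"))
        if parent == WMI_HOST and child in SCRIPT_HOSTS:
            findings.append(Finding(ts, "wmi-spawned-shell", f"{parent} -> {child}"))
        m = ENCODED_FLAG.search(cmdline)
        if m:
            decoded = decode_encoded_command(m.group(1))
            findings.append(Finding(ts, "encoded-powershell", decoded or "<undecodable payload>"))
        if child == "reg.exe" and RUN_KEY.search(cmdline):
            findings.append(Finding(ts, "run-key-persistence", cmdline))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.timestamp}  {f.rule:28}  {f.detail}")
```

On the constructed events the pass produces four findings: the Word-spawned PowerShell trips two rules (parent/child pairing and encoded command, with the payload decoded to its clear text), the reg.exe write to the Run key trips the persistence rule, and the WMI-spawned cmd.exe trips the WMI rule; the notepad and backup-agent launches are silent. Each rule looks at what the process does rather than at any file hash, which is the only handle a defender has once the payload never touches disk.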

BLUVECTOR FEATURE REVIEW

• Uses high-speed emulation technology to rapidly play out code sequences in scripts and identify suspicious operations.

• Can de-obfuscate self-modifying or delayed-execution scripts to reveal otherwise hidden details.

• Uses multiple heuristics for highly effective detection of malicious JavaScript embedded in web pages, which is the most common fileless malware threat vector to the enterprise.

• Operates at line speed on enterprise network streams and is significantly faster than sandbox solutions, which are prohibitively expensive to run.

• Provides metadata about the detected malware for the analyst to evaluate any potential risk.

• Is OS-agnostic on the endpoint, since it detects threats at the network level before they arrive at the endpoint.

Why do signature-based defenses fail to detect fileless malware?

Attackers using fileless techniques do not leave files on device storage that could be scanned, so AV tools have nothing to compare against their signature databases. Furthermore, malicious coders can easily obfuscate their scripts, which is very effective at evading detection. Using comprehensive signatures that fold hundreds of variants into a single signature doesn’t help much either, as there are always more ways to hide a script’s true fingerprint. This significantly limits the ability of signature-based AV software to perform static comparisons against known script-based malware. In many circumstances, the only effective defense is to turn off the ability to run scripts remotely or even locally, but that comes at a severe cost in lost functionality.

Why is BluVector so effective in detecting fileless exploits?

BluVector focuses on the very early stages of a fileless attack, the initial compromise. Its SCE engine operates on any network stream and emulates how malware will behave when executed. Operating at line speed, SCE determines what a threat input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, the analytic technology vastly reduces the number of execution environments and the quantity of analytic results -- often to just two or three -- that must be investigated.
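To show concretely why the static comparison described under signature-based defenses fails against a trivially obfuscated script, and what the de-obfuscation and "malicious capacity" focus described for SCE buys, here is an added Python example; it is not BluVector's engine and not code from the page. It folds string concatenation, String.fromCharCode(...) and hex/unicode escapes in a JavaScript-like text to a fixed point, then tags the script with the capabilities its resolved strings reveal. The three sample scripts, the capability table and the signature string are constructed for this illustration, and the scripts are inert text that is never executed.

```python
"""Why a string signature misses an obfuscated script, and how constant
folding recovers the hidden capability.

Added example, not BluVector's SCE engine. The samples, the capability table
and the signature are constructed; the normaliser is regex rewriting, not a
JavaScript parser or emulator.
"""
import re

# Constructed samples. PLAIN and OBFUSCATED are semantically the same script;
# LEGACY_AJAX is an old-style XMLHTTP request that touches COM but no shell.
PLAIN = 'var sh = new ActiveXObject("WScript.Shell"); sh.Run(cmd);'
OBFUSCATED = (
    r'var sh = new this["Act"+"iveX"+"Obj"+"ect"]'
    r'(String.fromCharCode(87,83,99,114,105,112,116)+"\x2e"+"Sh"+"ell"); '
    r'sh["R"+"un"](cmd);'
)
LEGACY_AJAX = 'var x = new ActiveXObject("Microsoft.XMLHTTP"); x.open("GET", url); x.send();'

# Constructed capability indicators: what the script could do, keyed by the
# substring that only becomes visible once its strings are resolved.
CAPABILITIES = {
    "com-object-instantiation": "ActiveXObject",
    "shell-access": "WScript.Shell",
    "process-execution": ".Run(",
    "network-fetch": "XMLHTTP",
    "dynamic-code": "eval(",
}

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")


def fold_once(text: str) -> str:
    """One pass of the rewrite rules; normalize() iterates to a fixed point."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = UNI_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    # String.fromCharCode(87,83,...) -> "WS..."
    text = FROM_CHAR_CODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"', text)
    for q in ('"', "'"):
        # "ab" + "cd" -> "abcd"
        concat = re.compile(rf"{q}([^{q}]*){q}\s*\+\s*{q}([^{q}]*){q}")
        text = concat.sub(lambda m: q + m.group(1) + m.group(2) + q, text)
        # obj["name"] -> obj.name
        bracket = re.compile(rf"\[{q}([A-Za-z_$][\w$]*){q}\]")
        text = bracket.sub(lambda m: "." + m.group(1), text)
    return text


def normalize(text: str, max_rounds: int = 20) -> str:
    """Apply fold_once until nothing changes (or a round limit is hit)."""
    for _ in range(max_rounds):
        folded = fold_once(text)
        if folded == text:
            return text
        text = folded
    return text


def capabilities(text: str) -> set:
    """Capability tags whose indicator appears in the (normalised) text."""
    return {name for name, needle in CAPABILITIES.items() if needle in text}


def signature_match(text: str, signature: str = 'ActiveXObject("WScript.Shell")') -> bool:
    """The static byte comparison a signature-based scanner performs."""
    return signature in text


if __name__ == "__main__":
    for label, script in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("ajax", LEGACY_AJAX)):
        print(f"{label:11} raw signature={signature_match(script)} "
              f"raw caps={sorted(capabilities(script))} "
              f"normalised caps={sorted(capabilities(normalize(script)))}")
```

The raw obfuscated text matches neither the signature nor a single capability indicator, while the normalised text matches both and carries exactly the same capability set as the plain script: COM instantiation, shell access and process execution. The legacy AJAX snippet scores COM plus a network fetch and nothing else, which is why reasoning about capacity gives an analyst more context than a binary signature hit. A few regex rewrites are enough to undo this particular trick; scripts that build their strings at run time or delay execution need the emulation the text describes, since no finite set of rewrite rules covers every way of hiding a fingerprint.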

SCE runs in parallel to BluVector’s patented Machine Learning Engine, which is designed to detect file-based attacks. So BluVector customers gain two different ways to detect both fully fileless attacks and fileless attacks that turn file-based.

Advanced Threat Detection Capabilities

As a leader in advanced threat detection, BluVector is empowering security teams to get answers about real threats, allowing businesses and governments to operate with greater confidence that data and systems are protected.

Learn More or Schedule a Demo at bluvector.io

© 2020 BluVector. All rights reserved.