Threat Intelligence Bulletin: The Primary Role of Windows Documents in Fileless Malware Attacks – And How to Stop Them

By Lewis Henderson

Glasswall FileTrust™ Threat Intelligence reports focus on evasive malware that bypasses the various security layers designed to protect an organization.  This bulletin focuses on Fileless Malware Attacks, emerging as one of the most effective and damaging evasive threats that are painting a bleak future for those tasked with defending their organizations. 

Fileless Malware techniques have been around for a couple of years, but in 2018 it felt like attackers were done testing, had completed their proofs of concept and had then moved aggressively to using it as the means to deploy a number of devastating cyber-attacks.

As these quotes from industry leaders acknowledge, this fast-growing form of attack is incredibly challenging to defend against. Some experts are even going so far as to suggest Fileless is the future of malware. 

As the name ‘Fileless’ indicates, the malicious part of this multi-stage style of attack is particularly problematic to defend against because there is no file.  Maybe that is a little misleading: In attacks that use email attachments, there is a file at the beginning of the process, but no malicious payload. There are just Powershell scripts that launch when a recipient opens the file. ‘Fileless’ refers to what happens next, since after that attachment gets opened, things get interesting…and challenging. 

Scripts used in Fileless Malware Attacks are launched by macros or DDE-enabled Microsoft Office files and they all look totally legitimate and benign to AV and Sandboxes. But then it gets really clever. These Powershell scripts write instructions directly to memory, encrypted malware is downloaded, the payload executes only in memory, and once the damage is done and the attacker’s objectives are achieved, it deletes any trace of its existence. In attempting to identify the source of the attack, you’ll be chasing ghosts. 

From late 2017 through 2018, the industry watched as the delivery mechanism for ransomware and cryptojacking cyber attacks began dramatically changing to using Fileless Malware techniques. Those attacks proved to be far more successful than other methods deployed during this period.

While there are a number of ways Fileless Malware Attacks can be started, the most successful appear to originate with emails that frequently use Office documents containing macros and, in some rare cases, DDE functionality. In fact, of the ransomware attacks linked to the Emotet banking Trojan that Glasswall has encountered, there are some startling similarities, as shown below: 

Unfortunately, AV and Sandbox solutions looking for existing signatures or malicious behaviours fall short here. Fileless Malware Attack documents contain nothing suspicious, so these widely used solutions simply don’t spot them.  In fact, Malwarebytes go as far to say:

These attacks are specifically designed to trick users on endpoints. Preventive steps would require doing ALL of the following: 

  • Restrict Admin privileges
  • Disallow unapproved applications
  • Prevent the Run registry keys from being modified
  • AND apply all security patches

Unfortunately, a lot of endpoint management and security software simply can’t tackle that full list simultaneously and at scale in large organizations. It is possible to specifically block Microsoft Word from running PowerShell, but doing so will also block users from any legitimate use cases, which admittedly are few and far between for normal users. Clearly these are sub-optimal options. 

Fileless Malware Attacks will continue to leave organizations exposed unless innovative alternatives to traditional protection methodologies are deployed, Content Disarm and Reconstruction (CDR) is one such technology that makes the difference between a breach in the headlines or business as usual. 

The Glasswall FileTrust™ suite of products sanitizes content from documents that trigger Fileless Malware Attacks and stops any code from being activated, ensuring our customers are protected when they’re targeted by exploits hidden and evasive threats. 

In 2019, we expect to see new Fileless Malware Attacks that are even harder to stop. But should attackers shift to other file types or features, Glasswall customers will be well ahead of them.