News Feature | January 7, 2016

Fileless Malware Threatens Systems

By Ally Kutz, contributing writer


New platform capabilities and threat development innovations have created a new type of fileless malware, according to a report from Intel Security. The McAfee Labs Threat Report: November 2015 states these fileless attacks are taking the place of rootkit attacks.

McAfee Labs also used the report to illustrate how poor mobile app coding practices are leading to exposure of user data in the cloud. The practices include failure to follow back-end service provider guidance; the report cites mobile banking customers being compromised through this scenario.

The report also investigates macro malware using social engineering, something that has hit a six-year high in the last few months. Macro malware has increased from less than 10,000 new attacks in the third quarter of 2015 to almost 45,000, a level not seen since 2009.

One of the most important takeaways of this study is to never neglect common-sense solutions like best practices for secure app coding, even though there is the push to be innovative to stay ahead of the technology curve. User education to counter current tactics, such as spear phishing, is also a key preventative measure.

Spear phishing campaigns designed to trick users into opening malware-infested email attachments are the key factor enabling macro malware to thrive. While earlier macro malware focused on users of all types, the new macro malware is primarily targeting large organizations accustomed to using macros for repetitive needs within the organization.

In addition, Intel Security recommends that all organizations adjust product macro security settings to the high level and configure email gateways to filter for attachments containing macros in an effort to prevent or at least lessen these macro malware attacks.
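The gateway-side filter the report recommends has to look inside the attachment rather than trust its file name, because the macro project travels as a part inside the Office container. The following Python script is an added illustration of that check, not code from the report or from Intel Security: it classifies an attachment body as macro-bearing OOXML (a `vbaProject.bin` part inside the ZIP), macro-free OOXML, a legacy OLE2 binary document (which can carry macros but needs an OLE parser to verify), or something else, and maps that to a deliver/quarantine decision. The sample documents are constructed in memory; `build_ooxml`, `classify_attachment` and `gateway_decision` are names chosen for this example.

```python
import io
import zipfile

# OOXML files (.docx/.docm/.xlsm/.pptm) are ZIP containers. When a VBA project is
# present it is stored as a part named vbaProject.bin under word/, xl/ or ppt/.
VBA_PART_NAME = "vbaproject.bin"

# Legacy binary Office files (.doc/.xls/.ppt) are OLE2 compound files that begin
# with this 8-byte signature. Their macros live in OLE streams that a ZIP check
# cannot see, so the gateway must hand them to an OLE-aware scanner or quarantine.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Classify an attachment body by content, ignoring its file name entirely.

    Returns one of: 'macro', 'clean', 'legacy-office', 'other'.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-office"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "other"
    # Every OOXML package carries a [Content_Types].xml part at its root.
    if "[Content_Types].xml" not in names:
        return "other"
    for name in names:
        # Match the part by its base name so word/, xl/ and ppt/ are all covered.
        if name.lower().rsplit("/", 1)[-1] == VBA_PART_NAME:
            return "macro"
    return "clean"


def gateway_decision(filename: str, data: bytes) -> str:
    """Deliver macro-free content; quarantine anything that carries or may carry macros."""
    kind = classify_attachment(data)
    if kind == "macro":
        return f"quarantine: {filename} contains a VBA project"
    if kind == "legacy-office":
        return f"quarantine: {filename} is a legacy OLE2 document, macros cannot be ruled out"
    return f"deliver: {filename} ({kind})"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder; a real vbaProject.bin is itself an OLE2 stream.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: the macro sample is deliberately named .docx to show
    # that the decision rests on content, not on the extension.
    samples = [
        ("invoice.docx", build_ooxml(with_macro=True)),
        ("report.docx", build_ooxml(with_macro=False)),
        ("old-form.doc", OLE2_MAGIC + b"\x00" * 16),
        ("notes.txt", b"plain text attachment"),
    ]
    for fname, body in samples:
        print(gateway_decision(fname, body))
```

The legacy OLE2 branch is the caveat a practitioner should keep in mind: a ZIP-based check says nothing about `.doc`/`.xls` files, so the policy above quarantines them unless a separate OLE parser has cleared them. Combined with raising the product macro security level on endpoints, this removes the macro attachment before the spear-phishing lure ever reaches a user.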

In its research, McAfee Labs captured more than 74,000 samples of fileless attacks in the first three quarters of 2015, with the three most common malware types loading their infection directly into the memory space of a platform function, hiding behind a kernel-level API, or hiding within the operating system’s registry.

While most malware infections are designed to leave some type of file on the system that can be detected, newer attacks like Kovter, Powelike, and XswKit have been designed to attach to an OS platform service to get into memory without leaving any trace on the disk, making them much more difficult to detect.

The report can be viewed in full here.