Scaling the Hunt for Fileless Malware

The recent explosion in mainstream attacks using “fileless” malware has left many organizations wondering how they can defend themselves. Cyberscoop recently reported on a long hacking campaign that struck 140+ major enterprises and banks in over 40 countries using fileless malware to stay hidden. These types of attacks are very tough to find with traditional detection and forensic methods as they do not touch disk and stay completely resident in volatile memory of a system - leaving no trace on the hard drive.

The above campaign was only uncovered because a bank’s security team was proactively hunting in the memory of their domain controllers (DC) and detected Mimikatz, a commonly used program used to steal passwords. 

Despite the recent press and increased mainstream use, fileless malware is not new. It was one of the tactics used by Duqu 2.0, a nation-state attacker that infested Kaspersky’s own corporate network two years ago. Indeed, advanced attackers have known for a quite some time that if they want to stay hidden and evade detection, they should avoid touching the hard disk.

So how do you fight back?

Volatile memory forensics using tools like Rekall or Volatility Frameworks are commonly cited as the go to methods for analyzing these attacks. Unfortunately, volatile memory forensics and analysis are notoriously hard to scale and require specialized skill sets.  Since these tools work by performing offline analysis of an entire physical memory dump, it would require pulling gigabytes of memory for every host you want to look at – that may work for incident response, but it doesn’t work as a proactive hunt method.

Scaling the hunt with Forensic State Analysis

Infocyte has taken a unique approach to threat hunting that works by scanning key parts of volatile memory across thousands of systems at a time, with minimal impact, making it possible to detect fileless malware at enterprise scale.  

Instead of performing analysis on a physical memory dump or deploying a new kernel driver to every host, which can be extremely dangerous, Infocyte uses a transient endpoint survey made up of process memory scans.  These process memory scans focus on executable sections (about ~8% of memory on a windows system). This one technique has been shown to be effective against nearly all fileless malware being used in these campaigns and despite being deployed on hundreds of thousands of systems, has had ZERO impacts to the endpoints being surveyed.

Infocyte is used by hunt teams and incident responders to find hidden threats and reduce the dwell time of hackers who have made it inside the network.  Being agentless, we don’t monitor endpoints the same way your endpoint protection suite works, instead, we utilize a set of highly scalable Digital Forensics and Incident Response (DFIR) methods called Forensic State Analysis (Read more about FSA here). Using FSA, our Infocyte HUNT™ platform periodically sweeps thousands of endpoints, spending a couple minutes on each host, to definitively validate their state as either "Compromised" or "Not Compromised" with greater confidence than antivirus or intrusion monitoring can provide.

It goes much further than volatile memory analysis too. Infocyte HUNT digs deep into an endpoint to validate: 

  • What is actively running in memory; 
  • What is triggered to run through a persistence mechanism, and;
  • Identify any manipulation that would suggest the system has been maliciously modified (e.g., what a rootkit does to hide its presence, or what an insider threat might do to disable the system's security controls).

Learn how Infocyte HUNT can help you discover and reduce the dwell time of fileless malware and other hidden threats in your network.