Fileless Malware on Windows 10 has become a hot topic as of late due to its potential for affecting millions of enterprise customers using Windows 10 around the world. It poses a real danger to these customers, compromising their system security by executing malicious code without ever writing a file to disk. As such, the question was recently posed to our tech gurus here at Wedge: how do we deal with the recent spate of Fileless Malware that has hit Windows 10?
To start, what is “Fileless Malware”? This is a marketing term used by certain vendors that typically refers to two types of attacks:
1. Malicious activities carried out by the macros of Windows Office documents, where the malicious code is only ever executed in memory.
2. Hackers exploiting known vulnerabilities using network intrusion techniques, with no dropped executable.
In a ZDNet article that was published today, Microsoft states that it has been working on an answer to some new techniques used in penetration-testing kits to bypass its Windows Defender Advanced Threat Protection (ATP), which is Microsoft’s key security platform for protecting Windows 10 in the enterprise. Microsoft reported that it had detected two instances of Fileless Malware being used to deliver information stealers that run in memory without an executable file being written to disk. The malware that Microsoft detected relies on techniques from the penetration-testing toolkit Sharpshooter, which generates payloads in multiple Windows formats and can avoid detection by enterprise anti-malware products. You can read more about how Microsoft tries to stop this Fileless Malware in the ZDNet article.
As for how Wedge deals with this problem: Microsoft’s approach is to detect this type of malware on the endpoint, by implementing a detection algorithm based on runtime activity and by leveraging AMSI support (Microsoft’s interface for anti-malware products, including Windows Defender) in the scripting engines, targeting both a generic malicious behaviour and a fingerprint of the malicious fileless technique. Wedge instead works at the network layer and views the content as a whole, providing an extra layer of protection that complements what Microsoft is doing with their endpoint protection. In those cases where Windows Defender is not deployed, or even where the endpoint is running an operating system other than Windows 10, WedgeARP AMB, installed at the network layer, would still provide protection against Fileless Malware! For the two types of attacks listed above:
1. If the malicious code is actually contained in the macro, it would be stopped by the WedgeARP AMB defences as the document passes through the network, thanks to the advanced detection and blocking heuristics and the state-of-the-art machine learning that make up the WedgeARP system. If the macro does not itself contain malicious code but simply triggers a download of another piece of malware, WedgeARP would also detect this activity and the downloaded malware would be stopped.
2. As for hackers exploiting known vulnerabilities using network intrusion techniques, these activities would be immediately stopped by the IPS layer of the WedgeARP AMB solution.
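To make the first case concrete, the following is an added example (not Wedge’s code, and not the heuristics or machine learning the WedgeARP system uses) of the simplest network-layer check a content inspector can apply to an Office document in transit: open the OOXML (zip) package and look for an embedded VBA project part or a macro-enabled content type declared in `[Content_Types].xml`. The content-type strings are the standard ones Office uses; the sample documents are constructed in-line and are not real Office files. Note the caveat built into the result: the presence of a macro is an indicator that warrants further inspection, not proof of malice, and the legacy binary `.doc`/`.xls` (OLE2) formats need a different parser that this example does not cover.

```python
"""Flag OOXML (docx/xlsm/pptm-style) packages that carry VBA macros.

Added example for a network-layer content inspector. It only looks at the
package structure; it does not execute or decompile the macro code.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard Office content-type strings (real values, not constructed).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MARKER = ".macroEnabled."
WORD_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
WORD_MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def find_macro_indicators(data: bytes) -> list[str]:
    """Return human-readable indicators that the package carries macros.

    An empty list means no macro indicator was found (or the data is not an
    OOXML package at all, which a caller should treat as a separate case).
    """
    indicators: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return indicators  # not a zip container, so not OOXML
    with zf:
        names = zf.namelist()
        # Indicator 1: a VBA project part anywhere in the package.
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                indicators.append(f"embedded VBA project part: {name}")
        # Indicator 2: content types declared for the parts.
        if "[Content_Types].xml" in names:
            try:
                root = ET.fromstring(zf.read("[Content_Types].xml"))
            except ET.ParseError:
                indicators.append("unparseable [Content_Types].xml (possible evasion)")
                return indicators
            for el in root.iter():
                ctype = el.get("ContentType", "")
                part = el.get("PartName") or el.get("Extension") or "?"
                if ctype == VBA_CONTENT_TYPE:
                    indicators.append(f"VBA content type declared for {part}")
                elif MACRO_ENABLED_MARKER in ctype:
                    indicators.append(f"macro-enabled document type declared for {part}")
    return indicators


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal Word-style package, optionally with a VBA part."""
    main_type = WORD_MACRO_MAIN if with_macro else WORD_MAIN
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    parts = {"word/document.xml": b"<w:document/>"}
    if with_macro:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
        # Placeholder bytes standing in for a real OLE-wrapped VBA project.
        parts["word/vbaProject.bin"] = b"constructed placeholder, not a real VBA project"
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("macro", build_sample(True))):
        hits = find_macro_indicators(blob)
        verdict = "hold for deeper inspection" if hits else "no macro indicators"
        print(f"{label}: {verdict}")
        for hit in hits:
            print("  -", hit)
```

A real inspector would run this on the reassembled HTTP or SMTP payload before forwarding it, and a positive result would feed the heavier analysis (decompiling the VBA, emulating auto-open handlers, checking for download URLs) rather than being a block decision on its own.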
So, in conclusion, in any of these cases enterprise customers can feel safe if WedgeARP AMB is deployed by their organization to protect their endpoints: Fileless Malware attacks on these protected endpoints would be stopped in their tracks.