File-less malware attacks are on the rise. As a result, much has been written about this sophisticated form of attack, which evades traditional anti-virus solutions because it does not need to install any malware on the victim’s machine. Instead, these attacks take advantage of vulnerabilities present in every computer and use common system tools, such as Windows Management Instrumentation (WMI) or PowerShell, to inject malicious code into normally safe and trusted processes.
It is here that our recently released Behavioral Guard feature in SandBlast Agent has proven very effective in increasing our detection of evasive file-less malware. In brief, SandBlast Agent’s Behavioral Guard is a behavioral detection engine that detects and remediates all forms of malicious behavior, leveraging forensics to uniquely identify unknown malware behaviors and accurately classify malware to its malware family. This robust protection capability adapts to the malware’s evolution over time and can be used to detect and prevent endless types of attacks, including those that misuse legitimate scripting tools.
Since the introduction of Behavioral Guard we have detected many highly evasive file-less attacks. In one recent case, caught in the wild on a customer’s PC, a concealed file-less payload was tucked deep inside WMI’s file system, to be subtly invoked and run in the background by Windows whenever a certain event, such as system boot, was detected.
This was done by creating a permanent WMI Event Consumer object that ran PowerShell, a Microsoft-signed and trusted process already available on all Windows operating systems, with inline scripts to detect Windows credentials and upload them to a server on a public cloud computing service. Unlike traditional, signature-detectable malware, this attack went deep into the system without writing a file to disk and without any malicious or illegitimate process running on the OS. It was, however, effectively picked up by our behavioral analysis, despite the obfuscated nature of the script.
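To give defenders a concrete way to look for the persistence mechanism just described, here is an added PowerShell audit (example code, not Check Point’s or SandBlast Agent’s) that lists permanent WMI filter-to-consumer bindings in root\subscription and flags consumers that launch PowerShell with inline or encoded scripts. The indicator regex is an assumed heuristic, not a signature.

```powershell
# Added example: read-only audit of permanent WMI event subscriptions.
# Run from an elevated PowerShell session; review output before removing anything.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer) +
             @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer)
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Heuristic indicators (assumed for this example) of an inline or obfuscated
# PowerShell payload in a consumer's command line or script body.
$launchesPowerShell = 'powershell|pwsh'
$obfuscationHints   = '-e(nc(odedcommand)?)?\s|FromBase64String|IEX|Invoke-Expression|' +
                      'DownloadString|Net\.WebClient|-nop|-w(indowstyle)?\s+hidden|bypass'

foreach ($b in $bindings) {
    # Get-CimInstance returns the Filter/Consumer references as CimInstance objects.
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name

    # Skip consumer types we do not audit here, such as the default
    # "SCM Event Log Consumer" (NTEventLogEventConsumer), and dangling bindings.
    if (-not $c) { continue }

    $payload = if ($c.CimClass.CimClassName -eq 'CommandLineEventConsumer') {
                   "$($c.ExecutablePath) $($c.CommandLineTemplate)"
               } else {
                   $c.ScriptText
               }

    [pscustomobject]@{
        Filter             = $f.Name
        # The WQL trigger, e.g. a boot-time query against
        # Win32_PerfFormattedData_PerfOS_System.SystemUpTime.
        Trigger            = $f.Query
        Consumer           = $c.Name
        ConsumerType       = $c.CimClass.CimClassName
        Payload            = $payload
        LaunchesPowerShell = [bool]($payload -match $launchesPowerShell)
        ObfuscationHints   = [bool]($payload -match $obfuscationHints)
    }
}
```

Any binding whose consumer launches PowerShell should be treated as review-worthy on its own; the obfuscation flag only raises priority. Once confirmed malicious, the filter, consumer and binding can be removed with Remove-CimInstance.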
Indeed, scripting languages are increasingly used by attackers because scripts are quicker and easier to produce than full-scale file-based malware. Furthermore, scripts present more difficulties for security vendors. For a detailed look at scripting, please read our Scripting Report.
As more and more file-less attacks are seen in the wild, it is important that organizations understand the nature of these attacks and just how difficult they are for traditional anti-virus protections to detect. In fact, traditional endpoint protections are useless against such sophisticated methods, which are totally resistant to such products, and even so-called ‘Next Generation Antivirus (NGAV)’ solutions are incapable of identifying these highly evasive attacks. Behavioral Guard in SandBlast Agent proved its purpose in the above instance and will continue to do so against all known and unknown attacks yet to be seen.