According to a recent Cisco study titled 'Threat Landscape Trends,' fileless threats topped the list of critical-severity cybersecurity threats to endpoints, making them the most common threat category Cisco observed.

The picture of the threat landscape

According to Cisco's telemetry, the critical-severity Indicators of Compromise (IOCs) seen on endpoints fall into three main categories, with the remainder a mix of other threat types:
  • The first and largest segment is fileless malware, such as Kovter, Poweliks, Divergent, and LemonDuck, which accounts for 30% of critical-severity threats. Cisco considers these the most destructive and in need of immediate attention.
  • Second are dual-use tools such as PowerShell Empire, Cobalt Strike, PowerSploit, and Metasploit: legitimate red-team frameworks that attackers use for both exploitation and post-exploitation tasks. These account for 24% of critical threats.
  • Third are credential-dumping tools, most commonly Mimikatz, used to scrape login credentials from a compromised machine; these make up 21% of critical threats.
  • The remaining 25% is a mix of threats: ransomware (Maze, Ryuk, and BitPaymer), worms (Qakbot and Ramnit), RATs (Corebot and Glupteba), banking Trojans (Dridex, Dyre, Astaroth, and Azorult), and assorted downloaders, wipers, and rootkits.

Recent attacks by fileless malware

Fileless techniques let an attacker run malicious code in memory and abuse legitimate tools already present on the system, rather than writing a new executable to disk. That helps the malware persist and evade file-based detection, although it still leaves traces in process, registry, and network telemetry, which is where defenders must look.
  • Last month, the FritzFrog P2P botnet was found running filelessly, with its payload assembled and executed in memory, on servers at more than 500 enterprises and government organizations; the approach was chosen to avoid detection and leave little trace of the botnet's presence.
  • In May, the Netwalker ransomware was observed using reflective DLL injection to load its payload directly into memory, so that the ransomware DLL was never written to disk and left fewer forensic traces.

Security recommendations

To defend against fileless malware, users are advised to defend their endpoints by:
  • restricting the execution of unknown files, for example through application allowlisting;
  • monitoring processes for unusual behaviour, in particular process injection into other processes;
  • watching the registry for suspicious changes, since fileless families often park their payload or persistence entries there;
  • keeping an eye on connections between endpoints, which can reveal lateral movement.
Fileless does not mean traceless: the in-memory payload still needs a launcher and a persistence mechanism, and those leave exactly the process, registry, and network events the recommendations above tell defenders to monitor.
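As an added example (not code from the Cyware article or Cisco's report), the following Python sketch applies those recommendations to Sysmon-style endpoint telemetry: it flags script hosts launched with encoded or hidden-window arguments or spawned by Office, remote-thread creation from unexpected processes (the injection telemetry), Run-key values that carry a script payload, and workstation-to-workstation connections on administrative ports. Field names follow Sysmon event IDs 1, 3, 8 and 13; the injector allowlist, the workstation address prefix and the sample events are assumptions constructed for the demonstration and would have to be tuned for a real environment.

```python
"""Triage Sysmon-style endpoint events for fileless-malware indicators.

Added example for this article, not Cisco's telemetry or a product's rule set.
Event fields follow Sysmon event IDs 1 (process create), 3 (network connection),
8 (CreateRemoteThread) and 13 (registry value set); the sample events at the
bottom are constructed for the demonstration.
"""
import re
from typing import Dict, Iterable, List

# Living-off-the-land script hosts that fileless families commonly run inside.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed allowlist of processes that legitimately create remote threads on
# this host; it is an example value, not a universal list.
KNOWN_INJECTORS = {"csrss.exe", "svchost.exe", "msmpeng.exe"}
# Assumed address prefix of the workstation VLAN, and ports used for lateral
# movement (RPC/WMI, SMB, RDP, WinRM).
WORKSTATION_PREFIX = "10.10.20."
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}

SUSPICIOUS_ARGS = re.compile(
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b|-noni\b|"
    r"\bIEX\b|Invoke-Expression|DownloadString|FromBase64String", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# A script host name, a script: URI, or a long base64 blob inside a Run value.
SCRIPT_IN_VALUE = re.compile(
    r"powershell|mshta|wscript|cscript|rundll32|regsvr32|javascript:|vbscript:|"
    r"[A-Za-z0-9+/]{80,}={0,2}", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matched rule; benign events produce nothing."""
    findings: List[Dict] = []

    def hit(rule: str, ev: Dict, evidence: str) -> None:
        findings.append({"rule": rule, "event_id": ev["EventID"], "evidence": evidence})

    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # process creation: what the script host was asked to do
            image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if image in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(cmd):
                hit("script_host_suspicious_args", ev, cmd)
            if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
                hit("office_spawned_script_host", ev, f"{parent} -> {image}")
        elif eid == 8:  # remote thread creation: classic process-injection telemetry
            src = basename(ev["SourceImage"])
            if src not in KNOWN_INJECTORS:
                hit("remote_thread_from_unexpected_process", ev,
                    f"{src} -> {basename(ev['TargetImage'])}")
        elif eid == 13:  # registry value set: script payloads parked in Run keys
            if RUN_KEY.search(ev["TargetObject"]) and SCRIPT_IN_VALUE.search(ev["Details"]):
                hit("run_key_script_payload", ev, ev["TargetObject"])
        elif eid == 3:  # network connection: workstation talking to workstation on admin ports
            src, dst = ev["SourceIp"], ev["DestinationIp"]
            if (src.startswith(WORKSTATION_PREFIX) and dst.startswith(WORKSTATION_PREFIX)
                    and ev["DestinationPort"] in LATERAL_PORTS):
                hit("workstation_to_workstation_admin_port", ev,
                    f"{basename(ev['Image'])} {src} -> {dst}:{ev['DestinationPort']}")
    return findings


# Constructed sample telemetry: four suspicious events interleaved with benign ones.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\conhost.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'mshta javascript:eval(new ActiveXObject("WScript.Shell").RegRead("HKCU\Software\Updater\p"))'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 3, "Image": PS, "SourceIp": "10.10.20.15", "DestinationIp": "10.10.20.37", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "SourceIp": "10.10.20.15",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["event_id"], f["rule"], f["evidence"])
```

Run on the constructed sample, the triage yields five findings (two for the Office-spawned encoded PowerShell, one each for the remote thread, the Run-key script value and the SMB connection between workstations) and nothing for the benign svchost, csrss, SecurityHealth and browser events. The allowlist and network-prefix rules are the ones most in need of tuning: a real fleet has more legitimate injectors and more than one workstation subnet, and an untuned version of either rule is noisy.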

Cyware Publisher