File-less Malware is a type of malicious software that is able to bypass most security measures as it resides within a user’s PC. This means that the Malware is written directly to RAM rather than to disk to execute a series of events or is coupled with other attack vectors such as Ransomware to accomplish its malicious intent. Fileless threats emerged in a mainstream type of attack in 2017 but these methods have been around for a significant amount of time. An example of a file-less Malware attack is the Equifax data breach in 2017 which exposed the records of 147 million people but a new threat called Nodersok or Divergent has been affecting devices worldwide.
Unlike traditional forms of Malware which leaves a footprint and relies on the end user downloading a malicious file, fileless Malware abuses the tools that are built into the operating system to carry out attacks. Fileless attacks use a technique called living-off-the-land. Living-off-the-land is where cyber criminals use legitimate tools for malicious purposes which are known as LOLbins.
Compared to the first half of 2018, reports of devices being infected with Fileless Malware have risen over 260% this year, making this type of threat incredibly sophisticated in terms of the delivery.
Fileless threats can also be classified by their entry point, which indicates how the threat can arrives on the device. It can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts. Finally, Fileless Malware is classified by the host of the infection and as with all cyber-attacks, the categories are not all the same: some are more dangerous but at the same time are also more difficult to carry out, while others are more commonly used.
What is Divergent/Nodersok fileless Malware?
Following a spike in activity detected between 5 and 11 September 2019 Nodersok fileless Malware, which is also known as Divergent, has infected thousands of computers across the world. Nodersok fileless Malware downloads and installs a copy of the Node.js framework to convert infected systems into proxies and perform click-fraud. This Malware was first spotted in the summer of 2019 and was distributed via malicious advertisements that forcibly downloaded HTA, a HTML application, files on to a users’ computer.
After a system has been fully infected, Nodersok can then turn it into a zombie-like proxy machine which is then used to launch other cyber attacks. Nodersok can even create a relay server that can give cyber criminals the power to command and control the servers within your business as well as other compromised devices. This helps hackers hide their activity from security researchers who are looking for suspicious behaviour.
How can fileless Malware affect my business?
Just like traditional forms of Malware, fileless Malware has the ability to shut down and infiltrate your organisation’s network and devices and disrupting your day to day IT and computer processes. In extreme cases of a fileless Malware attack, it has the ability to delete, steal or hold to ransom valuable business and personal data.
In relation to the General Data Protection Regulation, or GDPR, should a fileless Malware attack on your business occur it could put it at risk of GDPR non-compliance and the risk of a significant fine of up to €20 million or 4% of a organisations annual turnover – whichever is greater.
As with any Malware or Ransomware threat, prevention is better than a cure. By implementing a secure IT strategy that falls in line with your business processes can help mitigate the risk of falling victim to Malware.
By also being certified under a cyber security framework such as Cyber Essentials, which is backed by the UK Government, enables businesses of all sizes within the UK to safeguard their business and client data while being able to participate in high value tenders that require the Cyber Essentials certification.
Furthermore, by implementing a business solution such as Microsoft 365, a Cloud-based application that includes a variety of applications within that can help mitigate the risk of fileless Malware. Microsoft 365 also includes the Windows 10 operating system which provides continual security updates and patches. Within Windows 10 is Windows Defender and Advanced Threat Protection, both of which can detect and stop fileless Malware through AntiMalware Scan Interface (AMSI), behaviour monitoring, memory scanning and boot sector protection. Microsoft have also just rolled out protection for mobile devices with their Microsoft Defender ATP for Android, with IOs protection being released in the coming months.
Using a state-of-the-art IT Security endpoint protection solution such as Sophos has the ability to detect fileless threats using anti-exploit technology as they are not about asking an end user to download a malicious file. This anti-exploit technology uses Deep Learning to stop both known and unknown malware without signature. Additionally, Sophos Intercept X has a focused approach and examines approximately 25 exploits that cyber criminals rely on to spread Malware, steal credentials, and escape detection rather than examining millions of Malware samples.
However, if your organisation has fallen victim to a Fileless Malware attack without the above solutions this would need to be dealt with by a specialist IT Consultant. Should you have a Disaster Recovery and Backup plan, your business data can be restored and business operations resumed. However, if do not, there is a risk that your organisation could face downtime, sensitive business documents could be lost and there could be a risk of a data breach.