Burr & Forman

05.17.2018   |   Articles / Publications

Best Practices to Detect and Prevent File-Less and Click-Less Malware

Hackers are clever at exploiting weaknesses in an organization’s systems. They are also efficient. After an organization installs robust cybersecurity controls, hackers will typically look for an easier target or they will adjust their tactics to exploit remaining leaks in an organization’s environment. Unless organizations want to get eaten by a shark, they should constantly adjust and improve their cybersecurity controls.

What is File-less or Click-less Malware?
File-less or Click-less malware is a hacking strategy that has become more popular over the last several years (and often overlooked by IT departments). This type of malware is unique because it does not download “software” on the victim’s hard drive, and it does not install or run a conventional .exe type program.

Machines typically become infected through two methods: (1) when a user clicks on a link in an email, document or website; or (2) when a user’s mouse hovers over a link (but does not click the link) in a macro enabled program like PowerPoint or Word. In these instances, a file is not downloaded to the hard drive nor is a program executed. The malware generally operates by using Windows PowerShell to load Base64 code directly from system memory (which cannot be scanned using heuristics). PowerShell is a command-line shell and scripting language built on top of the Windows .NET framework, so it has a trusted signature along with access to the registry, the operating system, and other Windows APIs. In layman’s terms, this means that PowerShell is a powerful weapon in a hacker’s war chest.

Detection Is Difficult
PowerShell has permission to use legitimate Windows processes (e.g., iexplorer.exe), which renders detection by conventional cybersecurity controls ineffective. Because the malware operates in system memory, there are no signatures for an Anti-Virus (“AV”) program to detect and other common software centered cybersecurity controls such at whitelisting or blacklisting are futile.

Detection is further hindered by the hacker’s use of obfuscated command code, which can shield the unexecuted malicious code from view. The event logs in PowerShell Version 2 reflect when a PowerShell event starts and stops but nothing else. The inability to view the unexecuted code in these instances makes it extremely difficult to determine what the malware is doing. For example, the unexecuted command code may reveal that the script is exporting certain data to a suspicious external domain or accessing a critical system. Later versions of PowerShell have better security features but hackers will try to downgrade PowerShell to Version 2.

Download the full article, “Best Practices to Detect and Prevent File-Less and Click-Less Malware,” written by Fob James.
Click here for additional coverage in the Privacy & Cybersecurity Law Report.

Related Attorneys