What Are Fileless Malware Attacks and “Living Off the Land”? Unit 42 Explains

Fileless malware and “living off the land” have been around for a while, but they have seen a resurgence in recent months. What’s behind this growing popularity? Jen Miller Osborn, deputy director of Threat Intelligence for Unit 42, explains what fileless malware attacks are and why “living off the land” is so attractive for malicious actors.

Read the full transcript below.

Jen Miller Osborn: So, I wanted to take a second to talk about two things that are very much in the news lately. And those are things called fileless malware attacks and "living off the land."

Fileless malware attacks are something where attackers are using things that aren't written to disk. So, things that are staying in volatile memory, such as PowerShell and WMI. And they're doing that because they are much harder to both detect and to find later, because a lot of times, they aren't kept in logs.

So, you'll see attackers doing things where they're automating a lot of their initial attacks, where they'll use something such as PowerShell or WMI to figure out both where they've landed in the system and do some basic network reconnaissance to decide whether or not they are in a place where they want to be. And those things are very hard to detect via traditional AV vendors, and even without some behavior analytics, they're harder to find.

And then, along with that, to also avoid detection, we're seeing attackers more and more moving toward a thing that's called "living off the land," which is where they're repurposing things that are typically legitimate admin tools, whether Windows or Macintosh or Linux or whatever. And they're tools that admins will use to monitor their environment, to dump credentials, to kind of figure out what's going on. But now, you have attackers using those same tools, which, in a lot of cases, are whitelisted because these are legitimate tools that system admins use.

But, you're seeing attackers repurposing them now, where they're using them to basically accomplish the same things that a lot of sysadmins do – to determine where they are, to do some network administration, to do some account administration, and checking on hashes. But they're using them maliciously, which is much harder to detect because, as a basic network posture, those things are going to be whitelisted.

So, those are two ways that attackers now are moving into spaces that are, A, hard to detect, and B, require a lot more behavioral analytics. Because there are a lot of things that you'll typically see legitimate system admins use but you're seeing attackers use. Because instead of using malware or using something such as Mimikatz, which is a known tool, which a lot of people will flag, now they're using tools where they’re going to be whitelisted.

And they’re probably – if they're not already present on a network for legitimate purposes, you'll see, a lot of times, attackers will bring them down because they're aware that these are legitimate tools and that they’re probably whitelisted. You aren't going to detect them maliciously unless you're running additional behavioral analytics that will show you them being used in a way that the sysadmin would not be using them.