In one of our 2019 Security Predictions, we predicted a future where self-propagating, fileless malware “vaporworms” run rampant. This week, Trend Micro published a blog post suggesting that future has arrived earlier than we anticipated. In their write-up, Trend Micro analyzes a newly discovered fileless variant of the BLADABINDI remote access trojan (RAT) that has added self-propagation via removable storage to its toolkit.
This new variant of BLADABINDI uses AutoIt, a scripting language for Windows, to set up a backdoor and to copy itself onto any removable storage attached to the system so that it spreads to the next machine the drive is plugged into. The “fileless” label refers to how it persists on the infected host. Instead of dropping a malicious executable on the hard drive like traditional malware, it stores the backdoor inside a registry value. It then adds a second registry entry, run at startup, whose command invokes PowerShell to read that value and load the executable directly into memory, so no payload file is ever written to disk for the persistence stage. The in-memory component is only the first stage, though: it acts as a dropper that retrieves a conventional trojan executable, saves it to the system’s temp directory and executes it. In other words, the infection is fileless in how it survives a reboot, not in everything it does, and that second-stage file in the temp directory is still something disk-based scanning can catch.
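The persistence pattern described above leaves three things an administrator can look for: an autostart entry that launches PowerShell to decode and load something from the registry, an unusually large registry value that holds the encoded executable, and executables or hidden files dropped at the root of removable drives. The script below is an added hunting example, not code from Trend Micro’s analysis or a WatchGuard product; the indicator strings, size threshold and file extensions are assumptions about what such an infection typically looks like rather than quotations from the sample, so treat hits as leads to inspect, not verdicts.

```powershell
# Hunt for registry-resident, PowerShell-launched persistence plus removable-drive
# droppers. Added example (not Trend Micro's or WatchGuard's code). Run as the
# logged-on user to cover HKCU; run elevated to cover HKLM as well.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicators: regexes typical of a launcher that decodes a payload and
# runs it in memory. Two or more matches in one autostart command is a lead.
$Indicators = @(
    'powershell(\.exe)?', '-e(nc|ncodedcommand)?\b', 'frombase64string',
    'reflection\.assembly', '\[assembly\]::load', '\biex\b', 'invoke-expression',
    'get-itemproperty', '-w(indowstyle)?\s+hidden', 'bypass', 'autoit'
)

function Get-SuspiciousRunEntries {
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        foreach ($P in $Props.PSObject.Properties) {
            if ($P.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, etc.
            $Cmd  = [string]$P.Value
            $Hits = @($Indicators | Where-Object { $Cmd -imatch $_ })
            if ($Hits.Count -ge 2) {
                [pscustomobject]@{
                    Key        = $Key
                    ValueName  = $P.Name
                    Command    = $Cmd
                    Indicators = ($Hits -join ', ')
                }
            }
        }
    }
}

# Registry values large enough to hold an executable. A text value that
# base64-decodes to an "MZ" header, or a binary value starting with "MZ",
# is flagged explicitly. 50 KB is an assumed threshold; tune it for your estate.
function Get-OversizedRegistryValues {
    param([string]$Root = 'HKCU:\Software', [int]$MinBytes = 50KB)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $Key = $_
        foreach ($Name in $Key.GetValueNames()) {
            $Val = $Key.GetValue($Name)
            if ($null -eq $Val) { continue }
            $Bytes = switch ($Val.GetType().Name) {
                'Byte[]' { $Val }
                'String' { [Text.Encoding]::UTF8.GetBytes($Val) }
                default  { $null }
            }
            if (-not $Bytes -or $Bytes.Length -lt $MinBytes) { continue }
            $LooksLikePE = $false
            if ($Val -is [string]) {
                try {
                    $Dec = [Convert]::FromBase64String($Val.Trim())
                    $LooksLikePE = ($Dec.Length -gt 2 -and $Dec[0] -eq 0x4D -and $Dec[1] -eq 0x5A)
                } catch { }
            } elseif ($Bytes.Length -gt 2) {
                $LooksLikePE = ($Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A)
            }
            [pscustomobject]@{ Key = $Key.Name; ValueName = $Name; Bytes = $Bytes.Length; MZHeader = $LooksLikePE }
        }
    }
}

# Executables, scripts, autorun files and hidden items at the root of removable
# drives (DriveType 2). Extension list is an assumption; .a3x is a compiled AutoIt script.
function Get-RemovableDriveDroppers {
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $Root = $_.DeviceID + '\'
        Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Extension -imatch '^\.(exe|scr|vbs|lnk|ps1|bat|cmd|inf|a3x)$' -or
                ($_.Attributes -band [IO.FileAttributes]::Hidden)
            } |
            Select-Object @{ n = 'Drive'; e = { $Root } }, Name, Length, Attributes
    }
}

Get-SuspiciousRunEntries      | Format-Table -AutoSize
Get-OversizedRegistryValues   | Format-Table -AutoSize
Get-RemovableDriveDroppers    | Format-Table -AutoSize
```

The three checks are deliberately independent: an attacker can change the launcher command or the storage location, but rarely all three traits at once, and a hit in two of them on the same host is far stronger than any one alone. The registry walk over HKCU:\Software can take a minute or two on a busy profile; narrow the root once you know where a given family hides its payload.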
Fileless malware in general is on the rise. In the Ponemon Institute’s 2017 State of Endpoint Security Risk Report, 29% of attacks used fileless techniques, up from 20% in 2016, and, more worryingly, 77% of the attacks that succeeded in compromising an endpoint leveraged them. We expect to see even more fileless malware next year because of this success rate, which means you need to ensure that you have the proper protections in place to keep your systems safe. Because there may be no malicious file on disk to scan, monitoring process behavior is the most reliable way to catch it. If you are a WatchGuard customer, make sure you are fully utilizing Threat Detection and Response (TDR), which monitors processes for malicious behaviors. Advanced malware detection tools (like WatchGuard APT Blocker) can also catch the conventional second-stage payloads that fileless droppers like this one still write to disk, and prevent a breach from becoming catastrophic.