Anyone that’s been paying attention knows that fileless malware has been on the rise for the past few years. But, did you know that we’re likely to see this infamous threat transform in new and menacing ways this year? Enter the Vaporworm. Just a few short months ago, the WatchGuard Threat Lab predicted that 2019 would be the year we’d see a new breed of fileless malware with self-propagating, wormlike characteristics. Now, it appears this prediction is already becoming a reality!
In his latest guest column for Help Net Security, WatchGuard’s Sr. Security Analyst Marc Laliberte explains the fundamentals of fileless malware and explores how and why Vaporworms will gain prevalence in the near future. Here’s a brief excerpt from the story:
“Unfortunately, this prediction seems to be coming true uncomfortably quickly. Just one short month after we predicted the unholy emergence of self-propagating fileless malware, researchers at Trend Micro discovered a fileless Trojan that seemed to present some of those very same characteristics.
First, the malware saved its malicious payload in the Windows Registry, a key-value database that Windows stores in memory. It then created a second registry entry that instructed the operating system to load the payload from memory and execute every time it booted, giving it persistence. To spread, the malware installed a copy of itself on any removable storage connected to the system (thumb drives, external hard drives, etc.).
While this malware was quite interesting in its combination of fileless execution and worm-like propagation using removable storage, it wasn’t a full-blown network worm like we saw spreading the Wannacry ransomworm in 2017. Network propagation is what differentiates a “good” computer worm from a “great” computer worm, at least when it comes to infection rates.
Network propagation also makes it incredibly difficult to root out every infection from an attack. Imagine a scenario where a nation state wants to siphon off engineering work from a foreign defense contractor. In the not-too-distant future, we could see an incredibly effective and dangerous malware attack that combines Wannacry’s rapid propagation with fileless malware’s ability to hide its presence. And as countless attack techniques have demonstrated previously, what starts with nation states usually trickles down to the civilian cyber-criminal world soon enough.”
For more information on Vaporworms, read the full article at Help Net Security or check out the original prediction from WatchGuard’s Threat Lab here on Secplicity.
Frankly, I use a common strategy to counter pretty much all malware.
Here goes what protects your Windows users from 99.9% malware:
Always login as unprivileged user
Deny running of dangerous file extensions from user modiefieable drives/folder (like REG, PS1, EXE, CMD, BAT etc.)
Firewall also outgoing traffic as strict as practical
If possible, deny download via WWW or Email any MS Office docs with macros
Patch Windows and your apps continuosly
That streategy would have stoped former malware.
Pretty good strategy, but hard one for some companies to live with. Removing local system privilege from users sometimes makes it hard for them to do many other legitimate things. Also, for exploit based fileless malware, which uses direct code injection to start, it may not prevent everything.