Anyone who's been paying attention knows that fileless malware has been on the rise for the past few years. But did you know that this infamous threat is likely to transform in new and menacing ways this year? Enter the Vaporworm. Just a few short months ago, the WatchGuard Threat Lab predicted that 2019 would be the year we'd see a new breed of fileless malware with self-propagating, wormlike characteristics. Now, it appears this prediction is already becoming a reality!
In his latest guest column for Help Net Security, WatchGuard’s Sr. Security Analyst Marc Laliberte explains the fundamentals of fileless malware and explores how and why Vaporworms will gain prevalence in the near future. Here’s a brief excerpt from the story:
“Unfortunately, this prediction seems to be coming true uncomfortably quickly. Just one short month after we predicted the unholy emergence of self-propagating fileless malware, researchers at Trend Micro discovered a fileless Trojan that seemed to present some of those very same characteristics.
First, the malware saved its malicious payload in the Windows Registry, a key-value database that Windows stores in memory. It then created a second registry entry that instructed the operating system to load the payload from memory and execute every time it booted, giving it persistence. To spread, the malware installed a copy of itself on any removable storage connected to the system (thumb drives, external hard drives, etc.).
While this malware was quite interesting in its combination of fileless execution and worm-like propagation using removable storage, it wasn't a full-blown network worm like the WannaCry ransomworm we saw spreading in 2017. Network propagation is what differentiates a "good" computer worm from a "great" computer worm, at least when it comes to infection rates.
Network propagation also makes it incredibly difficult to root out every infection from an attack. Imagine a scenario where a nation state wants to siphon off engineering work from a foreign defense contractor. In the not-too-distant future, we could see an incredibly effective and dangerous malware attack that combines WannaCry's rapid propagation with fileless malware's ability to hide its presence. And as countless attack techniques have demonstrated previously, what starts with nation states usually trickles down to the civilian cyber-criminal world soon enough."
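The persistence trick in the excerpt (an autorun registry entry that launches a script interpreter and tells it to pull its code from memory or another registry value, so nothing lands on disk) leaves a recognisable shape in the Run keys. The triage script below is an added example, not code from the article, WatchGuard or Trend Micro; the Run-key values it scans are constructed samples, and the indicator list and entropy threshold are assumptions a defender would tune for their own environment.

```python
import base64
import math
import re
from collections import Counter

# Heuristics for autorun values (HKCU/HKLM ...\CurrentVersion\Run) shaped like a
# fileless loader: an interpreter plus stealth flags plus a registry read, no payload file.
INTERPRETERS = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
STEALTH_FLAGS = re.compile(r"(?:^|\s)-(?:e|enc|encodedcommand|nop|noprofile|w(?:indowstyle)?\s+hidden)\b", re.I)
REGISTRY_READ = re.compile(r"Get-ItemProperty|RegRead|HKCU:|HKLM:|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|reg(?:\.exe)?\s+query", re.I)
ENTROPY_THRESHOLD = 4.5  # assumption: bits/char above which a long token looks encoded

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def suspicious_reasons(command):
    """Return the list of indicators found in one Run-key command line (empty if clean)."""
    reasons = []
    if INTERPRETERS.search(command):
        reasons.append("script interpreter launched at logon")
    if STEALTH_FLAGS.search(command):
        reasons.append("hidden/encoded/no-profile flags")
    if REGISTRY_READ.search(command):
        reasons.append("reads another registry value at run time")
    longest = max(re.findall(r"[A-Za-z0-9+/=]{40,}", command), key=len, default="")
    if longest and shannon_entropy(longest) > ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy blob ({len(longest)} chars)")
    return reasons

def triage_run_keys(values):
    """Map value name -> reasons for every entry that trips at least one indicator."""
    flagged = {}
    for name, command in values.items():
        reasons = suspicious_reasons(command)
        if reasons:
            flagged[name] = reasons
    return flagged

def build_constructed_samples():
    # Constructed samples only; the encoded value decodes to a harmless placeholder string.
    encoded = base64.b64encode("Write-Host 'placeholder, not a real payload'".encode("utf-16le")).decode()
    return {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "Updater": f"powershell.exe -nop -w hidden -enc {encoded}",
        "svc": r'mshta vbscript:Execute("... .RegRead(""HKCU\Software\Demo\Payload"") ...")',
    }

if __name__ == "__main__":
    for name, reasons in triage_run_keys(build_constructed_samples()).items():
        print(f"{name}: " + "; ".join(reasons))
```

On a live host the same function can be fed the output of `Get-ItemProperty` over the Run keys; the two benign samples above come back clean while the two loader-shaped entries are reported with their reasons.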