McAfee Labs: Cybercriminal Tactics Shifting from External Malware Threats to ‘Fileless’ Attacks

McAfee Labs released a new research that reveals shifts in cybercriminal tactics away from external malware threats, towards ‘fileless’ attacks, that leverage trusted Windows executables to invade systems and breach corporate networks. This trend is particularly concerning because threat actors do not install any software on a user’s computer, making a successful attack extremely hard to detect.

Fileless trend insights from the Q2 report: The growth of the ‘fileless’ threat category was also evidenced in McAfee’s recent Q2 Threat report. Many fileless malware campaigns were discovered to leverage Microsoft PowerShell to launch attacks in memory to create a backdoor into a system – surging 432% over 2017.

One particular fileless threat, CactusTorch, which can execute custom shellcode on Windows systems, has grown rapidly. The interesting fact about this attack, however, is the number of variants discovered in the wild. It’s evident that more and more, actors are adopting this attack at a significant rate due to the technique’s success and ability to evade detection.

Fileless attacks are effective. According to the Ponemon Institute's "The State of Endpoint Security Risk Report," report estimates that fileless attacks are ten times more likely to succeed than file-based attacks.

This type of attack takes advantages of the trust factor between security software and genuine, signed Windows applications. Because this type of attack is launched through reputable, trusted executable, traditional whitelist based detection systems fails drastically.