Anyone that’s been paying attention knows that fileless
malware has been on the rise for the past few years. But, did you know that
we’re likely to see this infamous threat transform in new and menacing ways
this year? Enter the Vaporworm.
Just a few short months ago, the WatchGuard Threat Lab
predicted that 2019 would be the year we’d see a new breed of fileless malware
with self-propagating, wormlike characteristics. Now, it appears this
prediction is already becoming a reality!
In his latest guest column for Help Net Security,
WatchGuard’s Sr. Security Analyst Marc Laliberte explains the fundamentals of
fileless malware and explores how and why Vaporworms will gain prevalence in
the near future. Here’s a brief excerpt from the story:
“Unfortunately, this prediction seems to be coming true
uncomfortably quickly. Just one short month after we predicted the unholy
emergence of self-propagating fileless malware, researchers at Trend Micro
discovered a fileless Trojan that seemed to present some of those very same
First, the malware saved its malicious payload in the
Windows Registry, a key-value database that Windows stores in memory. It then
created a second registry entry that instructed the operating system to load
the payload from memory and execute every time it booted, giving it persistence.
To spread, the malware installed a copy of itself on any removable storage
connected to the system (thumb drives, external hard drives, etc.).
While this malware was quite interesting in its combination
of fileless execution and worm-like propagation using removable storage, it
wasn’t a full-blown network worm like we saw spreading the WannaCry ransomworm
in 2017. Network propagation is what differentiates a “good” computer worm from
a “great” computer worm, at least when it comes to infection rates.
Network propagation also makes it incredibly difficult to
root out every infection from an attack. Imagine a scenario where a nation
state wants to siphon off engineering work from a foreign defence contractor.
In the not-too-distant future, we could see an incredibly effective and
dangerous malware attack that combines WannaCry’s rapid propagation with
fileless malware’s ability to hide its presence. And as countless attack
techniques have demonstrated previously, what starts with nation states usually
trickles down to the civilian cyber-criminal world soon enough.”
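The column describes persistence that works by pointing an autostart registry entry at a payload stored in another registry value, so nothing new ever lands on disk. The PowerShell below is an added example for defenders, not code from the column, from WatchGuard or from Trend Micro: it walks the common Run/RunOnce keys (an assumption; the column does not name the exact key the sample used) and flags entries whose command line looks like a loader rather than a plain path to a program. The indicator patterns are assumed heuristics for "payload is not a file" launches, not signatures for the sample discussed.

```powershell
# Added example (not from the column or WatchGuard): list autostart registry
# entries that look like fileless loaders, i.e. commands that launch a script
# host and fetch their code from an encoded argument, from another registry
# value or from the network instead of from a file on disk.

# Assumed persistence locations; the column does not name the sample's key.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristics: each regex marks one way a command line can carry or
# retrieve its payload without referencing an executable on disk.
$suspiciousPatterns = @(
    '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',      # base64-encoded PowerShell argument
    'Get-ItemProperty|GetValue\(|reg(\.exe)?\s+query',        # reads the payload back out of the registry
    'IEX|Invoke-Expression|\[ScriptBlock\]::Create',          # turns text into executable code
    'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient'  # pulls code over the network
)

function Get-SuspiciousAutostartEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSChildName etc.; those are not autostart values.
            if ($prop.Name -like 'PS*') { continue }
            $cmd  = [string]$prop.Value
            # -match is case-insensitive by default, which suits command lines.
            $hits = $suspiciousPatterns | Where-Object { $cmd -match $_ }
            if ($hits) {
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $prop.Name
                    Command    = $cmd
                    Indicators = ($hits -join '; ')
                }
            }
        }
    }
}

# Run interactively or from a scheduled task; pipe to Export-Csv for a baseline.
Get-SuspiciousAutostartEntries | Format-List
```

A hit is a lead, not a verdict: an entry whose value is a plain path to a signed binary is the normal case, while one that reads a second registry value or decodes an argument before executing it is exactly the shape the column describes and deserves a look at what that value contains. Because the payload never touches disk, comparing the output against a known-good baseline from the same host is more useful than file-based scanning.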