
Received: 10 March 2020 | Revised: 21 July 2020 | Accepted: 10 September 2020
DOI: 10.4218/etrij.2020-0086

ORIGINAL ARTICLE

Fileless cyberattacks: Analysis and classification

GyungMin Lee1 | ShinWoo Shim2 | ByoungMo Cho2 | TaeKyu Kim2 | Kyounggon Kim1,3

1 School of Cybersecurity, Korea University, Seoul, Rep. of Korea
2 Intelligent SW Research Center, LIG Nex1, Seoul, Rep. of Korea
3 Department of Forensic Sciences, Naif Arab University for Security Sciences, Riyadh, Kingdom of Saudi Arabia

Correspondence
Kyounggon Kim, School of Cybersecurity, Korea University, Seoul, Rep. of Korea.
Email: [email protected]

Funding information
This research was supported by LIG Nex1.

Abstract

With cyberattack techniques on the rise, there have been increasing developments in the detection techniques that defend against such attacks. However, cyber attackers are now developing fileless malware to bypass existing detection techniques. To combat this trend, security vendors are publishing analysis reports to help manage and better understand fileless malware. However, only fragmentary analysis reports for specific fileless cyberattacks exist, and there have been no comprehensive analyses of the variety of fileless cyberattacks that can be encountered. In this study, we analyze 10 selected cyberattacks that have occurred over the past five years in which fileless techniques were utilized. We also propose a methodology for classification based on the attack techniques and characteristics used in fileless cyberattacks. Finally, we describe how the response time can be improved during a fileless attack using our quick and effective classification technique.

KEYWORDS
classification, cyber security, cyberattack, fileless malware

This is an Open Access article distributed under the terms of the Korea Open Government License (KOGL) Type 4: Source Indication + Commercial Use Prohibition + Change Prohibition (https://www.kogl.or.kr/info/license.do#05-tab).
1225-6463/$ © 2020 ETRI
332 | wileyonlinelibrary.com/journal/etrij ETRI Journal. 2021;43(2):332–343.

1 | INTRODUCTION

The infrastructure in Estonia was brought down by a cyberattack from a suspected Russian state-sponsored hacker group in April 2007 [1]. Nations with strong cyber superstructures, such as China, North Korea, and Russia, have reinforced their cyberattack capabilities [2]. The sources of such cyberattacks are now moving from individuals to organized hackers supported by governments, and their cyberattacks are progressing into more complex and advanced initiatives, which were previously unlikely to develop from individual hackers [3]. Before cyberattacks evolved into more intricate attacks, simple security solutions such as virus protectors could be used to block them; however, attackers began to utilize various attack strategies to improve their effectiveness. Since 2014, fileless cyberattacks have been continuously on the rise, owing to the fact that they cannot be detected by vaccines (anti-virus products) and can circumvent even the best efforts of security analysts.

However, despite the analysis of individual fileless malware conducted by security companies, studies on fileless cyberattacks in their entirety remain insufficient. Therefore, in this paper, such attacks are analyzed, summarized, and classified based on cases that have emerged since the mid-2010s. The following are the three main contributions of this study.

• An analysis of the detailed attack techniques of 10 types of fileless cyberattacks.
• A mapping of the cyber kill chain attack stage with each fileless cyberattack technique.
• A suggested classification methodology for the 10 fileless cyberattacks.

The rest of this paper is organized as follows. In Section 2, we review studies related to the current research. In Section 3, we present our methodology for classifying fileless cyberattacks and describe a detailed procedure and analysis of the results for each methodology. In Section 4, we discuss fileless cyberattacks compared with traditional malware. In Section 5, some concluding remarks are provided along with an outline of the potential implications of this study and suggestions for future studies in this field.

2 | LITERATURE REVIEW

Various studies on fileless cyberattacks have been conducted. For example, to identify fileless cyberattacks against Linux-based Internet-of-Things machines, Dang and others designed a software- and hardware-based honeypot and collected data on malicious code for approximately one year [4]. They confirmed that among the malicious code collected, 10% were fileless cyberattacks, which were then classified into eight groups using the characteristics of the corresponding attacks. They analyzed the attacks by focusing on their characteristics and methods of defense.

Sanjay and others classified fileless cyberattacks into two categories: memory- and script-based attacks [5]. In addition, to overcome their defense mechanism, they classified the strategies used by fileless cyberattacks into four categories. They also listed the mechanisms that can be used for detecting or even defending against fileless cyberattacks. The representative technique of fileless cyberattacks introduced therein involves a document containing malicious code, and the detection and defense technique involves the use of an analysis program such as Yara or an operating system function such as Microsoft Enhanced Mitigation Experience.

Rivera and Inocencio comprehensively analyzed Poweliks, a representative fileless cyberattack. They also analyzed various relevant attacks and tools such as Phasebot, Gootkit, and Emotet and examined the strategies used by each attack [6]. Furthermore, by analyzing various attacks, they suggested four strategies for defending against fileless cyberattacks.

Kumar and Sudhakar investigated seven representative fileless cyberattack samples and classified them based on persistence techniques [7]. They classified attack samples based on an investigation of the attack vectors for each cyberattack. The categories were determined as follows: memory-resident malware that resides in the system memory, Windows registry malware that hides in the system registry, and rootkit fileless malware. They extended their study and suggested a framework for countermeasures that can be used when fileless cyberattacks are executed on a system.

In addition, O'Murchu and others analyzed in detail how Poweliks changed in 2015 [8]. The researchers analyzed and compared the specific functions from Poweliks 1.0, the earliest version, to Poweliks 1.7, a relatively recent version, and checked the fileless cyberattack specifics of Poweliks. According to a Symantec analysis, Poweliks uses mechanisms that protect the registry keys and strategies developed to obtain CLSID information and authority elevation, thereby making it difficult for users to identify infections.

Lee and others analyzed Poweliks and Kovter, which can be described as representative fileless malware [9,10]. Through their analysis, they described how fileless malware conceals its activity using the registry and memory and suggested a method for detecting fileless malware based on such use.

3 | METHODOLOGY

Our detailed methodology is illustrated in Figure 1. We collected public fileless cyberattack samples at public sites such as Hybrid Analysis and GitHub and then analyzed the techniques used by fileless malware through open source intelligence. We then used Cuckoo Sandbox to extract the results of a fileless cyberattack analysis. Next, we used the collected information to map the fileless malware attack techniques using the ATT&CK kill chain published by MITRE and analyzed the attack techniques. Finally, we scored and classified the fileless cyberattacks.

FIGURE 1 Methodology for classification of fileless cyberattacks [figure: Collecting fileless cyberattack samples; Analyzing published analysis of samples; Analyzing Cuckoo Sandbox result of samples; Mapping attack techniques with MITRE ATT&CK; Checking attack techniques for each kill chain step; Measure the number of techniques for each attack; Categorization and classification]

3.1 | Collecting fileless cyberattack cases

As presented in Table 1, in this study, we investigated and collected a variety of known fileless cyberattacks as samples. These samples were collected using either the cyberattack dataset published on GitHub or the dataset published by Hybrid Analysis, which is a German dataset of malicious code. When users upload malicious code samples, the aforementioned website analyzes the code using various anti-virus products. On the Hybrid Analysis website, users

3.2.1 | Poweliks

In 2014, Poweliks was the very first fileless malicious code to be detected. This code spreads through malicious host files attached to emails. According to the security company G Data, malicious files have been delivered through email messages impersonating the international freight transportation company UPS [11]. These spurious UPS files infiltrate PCs using the macro vulnerability of MS Word. Poweliks is a fileless attack because its information is stored in the registry to avoid detection by users and to ensure permanent infection.

3.2.2 | Rozena

Rozena, which was discovered in 2015, deceives users by disguising itself as a normal MS Word file. According to a 2018 report by a German security company [12], Rozena runs through several PowerShell scripts and shows fileless characteristics in that it inserts the malicious code
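The scoring step of the methodology (checking which ATT&CK techniques fall in each kill chain step, counting them per sample, and grouping samples by where their techniques concentrate), as an added worked example that is not the paper's own code or data. The technique IDs are real ATT&CK identifiers, but the subset chosen, the tactic ordering, and the three sample descriptions are constructed assumptions for this example only.

```python
from collections import Counter

# Assumed ATT&CK technique -> tactic mapping (IDs are real ATT&CK IDs;
# the subset and the tactic chosen for multi-tactic techniques are this
# example's own assumptions, not the paper's Table 1).
TECHNIQUE_TACTIC = {
    "T1566.001": "initial-access",   # Spearphishing Attachment
    "T1204.002": "execution",        # User Execution: Malicious File
    "T1059.001": "execution",        # Command and Scripting: PowerShell
    "T1547.001": "persistence",      # Registry Run Keys / Startup Folder
    "T1546":     "persistence",      # Event Triggered Execution
    "T1112":     "defense-evasion",  # Modify Registry
    "T1055":     "defense-evasion",  # Process Injection
    "T1027":     "defense-evasion",  # Obfuscated Files or Information
}

# Kill chain steps in the (assumed) order used for the per-step vector.
STAGES = ["initial-access", "execution", "persistence", "defense-evasion"]

# Constructed observations: technique IDs a sandbox/OSINT review attributed
# to each sample. Loosely modelled on the paper's prose (registry-resident
# vs. PowerShell-script-based samples); these are NOT real analysis results.
SAMPLES = {
    "registry_sample": {"T1566.001", "T1204.002", "T1547.001", "T1546", "T1112"},
    "script_sample":   {"T1566.001", "T1204.002", "T1059.001", "T1027"},
    "memory_sample":   {"T1059.001", "T1055", "T1027"},
}

def stage_vector(techniques):
    """Count techniques per kill chain step; also report unmapped IDs."""
    counts = Counter(TECHNIQUE_TACTIC[t] for t in techniques if t in TECHNIQUE_TACTIC)
    unknown = sorted(t for t in techniques if t not in TECHNIQUE_TACTIC)
    return [counts.get(s, 0) for s in STAGES], unknown

def dominant_stage(techniques):
    """Step with the most techniques; ties resolve to the earlier step."""
    vec, _ = stage_vector(techniques)
    return "unclassified" if max(vec) == 0 else STAGES[vec.index(max(vec))]

def classify(samples):
    """Group sample names by dominant kill chain step: {step: [names]}."""
    groups = {}
    for name, techs in sorted(samples.items()):
        groups.setdefault(dominant_stage(techs), []).append(name)
    return groups

if __name__ == "__main__":
    for name, techs in SAMPLES.items():
        print(name, stage_vector(techs)[0], dominant_stage(techs))
    print(classify(SAMPLES))
```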