WatchGuard Blog

Vaporworms: Fileless Malware You Can’t Afford to Miss

Fileless malware is one of the most prevalent security threats today, so organizations must understand how it works to defend against it. The key is to deploy preventative anti-malware solutions and detection and response services to help identify these threats before it’s too late. But let’s not forget about the notorious Vaporworm – fileless malware with self-propagating, worm-like characteristics. This is a tricky threat to deal with.

In a guest column for Help Net Security, WatchGuard’s Sr. Security Analyst Marc Laliberte explains the fundamentals of fileless malware, why Vaporworms are emerging and how to defend against them. Here’s a brief excerpt from the story:

“Just one short month after we predicted the unholy emergence of self-propagating fileless malware, researchers at Trend Micro discovered a fileless Trojan that seemed to present some of those very same characteristics.

First, the malware saved its malicious payload in the Windows Registry, a key-value database that Windows stores in memory. It then created a second registry entry that instructed the operating system to load the payload from memory and execute every time it booted, giving it persistence. To spread, the malware installed a copy of itself on any removable storage connected to the system (thumb drives, external hard drives, etc.).

While this malware was quite interesting in its combination of fileless execution and worm-like propagation using removable storage, it wasn’t a full-blown network worm like we saw spreading the Wannacry ransomworm in 2017. Network propagation is what differentiates a “good” computer worm from a “great” computer worm, at least when it comes to infection rates.

Network propagation also makes it incredibly difficult to root out every infection from an attack. Imagine a scenario where a nation state wants to siphon off engineering work from a foreign defense contractor. In the not-too-distant future, we could see an incredibly effective and dangerous malware attack that combines Wannacry’s rapid propagation with fileless malware’s ability to hide its presence. And as countless attack techniques have demonstrated previously, what starts with nation states usually trickles down to the civilian cyber-criminal world soon enough.”

For more information on Vaporworms, read the full article at Help Net Security or check out the original prediction from WatchGuard’s Threat Lab here.