What is Fileless Malware?

What is Fileless Malware?

Traditionally, malware infects and spreads through the file system. Fileless malware instead uses existing software, allowed applications and authorized protocols for the exploitation and conducts the malicious activity in the system memory, avoiding the file system, to prevent detection by anti-malware or other classical security mechanisms.

What is It?

Fileless malware (a.k.a. memory-based or living-off-the-land) is an attack type where using traditional executable files is avoided as a first level of attack. Rather, as the primary entry point, fileless malware uses existing vulnerabilities on the system or exploits initially non-file OS objects such as registry keys, APIS or tools like PowerShell. After getting a foothold in the system, it persist only in the memory to leave few traces as possible on the system to go less scrutiny to prevent detection. However, this distinctive feature of living only in the RAM is also a weakness for this type of malware, since it can only endure until the next system reboot.

Because fileless malware doesn’t write anything to disk, it leaves no immediate trace of its existence behind. Thus, it avoids detection by traditional signature-based anti-malware check. Simply, there is no stream of data transfer from the disk on which signature based pattern check can be conducted by the anti-malware software.

How does Fileless Malware Infiltrate?

Fileless malware target the vulnerabilities on existing commonplace software or system components to attack a system. Basically, there are two common scenarios.

  • Native system tools such as PowerShell, Windows Management Instrumentation (WMI) or MS Office Macros are targeted to run malicious scripts remotely.
  • Remote code execution or command injection vulnerabilities are exploited on already installed applications such as PDF readers, Flash, JavaScript, web browsers or web plugins.

Common Attack Vectors

Frequently used system tools, applications and interfaces for fileless malware attacks are as follows.

  • PowerShell is used in enterprise networks for task automation such as performance monitoring, rolling out new software updates or conducting periodic checks on the system. But it also gives attackers remote access capabilities to system functions of the operating system. PowerShell scripts are also easy to obfuscate and this comes handy in hiding the malicious behavior in a large script. Lastly, if the PowerShell script is not stored on the disk, traditional anti-malware software cannot detect malicious content being executed.
  • Windows Management Instrumentation (WMI) is a critical tool for IT departments, used legitimately to check the status of local or remote machines, or configure security settings etc. Because it is a powerful tool to access system controls and WMI events can run with high privileges (as SYSTEM), it is also targeted by the malicious actors to conduct fileless malware attacks. For more about exploiting WMI, you can refer article “Abusing WMI to Build a Fileless Backdoor“.
  • .NET Framework is another powerful and indispensable component in Windows environments. It can be used to create new processes/threads, allocate memory, write shell code or send ping commands etc. Attackers target .NET Framework due to its this rich and powerful capability set in executing fileless attacks.
  • Microsoft Office (MS) Macros is another attack vector for the attackers to run fileless malware scripts. By default, they are not enabled in MS Office applications. However, users can turn on them to automate their tasks in the MS Office applications.

Why is It So Important?

More and more attackers are moving away from traditional malware in an effort to circumvent the control measures used by modern anti-malware software. In fact, it is reported that more that 70 percent of today’s attacks comprise of fileless malware attacks. Moreover, fileless malware attacks are ten times more likely to succeed that the traditional file-based malware attacks.

How to Detect a Fileless Malware?

Obviously, file-based integrity checking or traditional signatures used for file-based malware will not help detecting the fileless malware. Instead, all event streams on an endpoint needs to be captured and assessed to determine the risk in the system to block an fileless malware attack. For this purpose, at a minimum, all the processes, request to run applications, changes to credentials and permissions levels, inbound and outbound network traffic need to be monitored to detect an attack by analyzing all of these data progressively.

How to Mitigate Fileless Malware Attacks?

Since attacks are initiated due to existing vulnerabilities on the system (operating system or applications installed), obviously, reducing the attack surface and updating/patching is the major defense mechanism against such attacks. Don’t forget to update your browser plugins too, since they are often neglected.

Quote by Bruce Schneier
Quote by Bruce Schneier

You can’t defend. You can’t prevent. The only thing you can do is detect and respond.

Bruce Schneier

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

For Windows platforms, Microsoft released the Antimalware Scan Interface (AMSI) to check the plain text scripts before they get executed. Moreover, AMSI can be used for not only PowerShell scripts, but also for a variety of other script types, including JavaScript and Visual Basic. To learn more about AMSI to defend against fileless malware attacks, you can read the article “How AMSI Helps You Defend Against Malware“.

As a preventative control mechanism, you can also remove or limit access to administrative tools such as PowerShell, through Windows Group Policy or Windows AppLocker.

Since fileless malware attacks are usually leveraging scripts, you should prevent browsers and applications from spawning script interpreters (such as PowerShell, JavaScript etc.).

Last but not least, you should use an anti-malware application that checks all event streams progressively on an end-point device to detect anomalies caused by such attacks.

To learn more about malware, you could also read our article What Is Malware and Its Types?