Fileless malware: Definition and detection

What is fileless malware?

Fileless malware is not the name of a specific threat — it’s a method of distributing and executing malware on the victim’s device.

Traditional malware installs a file on your device to execute commands, steal your data, and monitor your activities. Fileless malware works only in your computer’s memory, which means that it writes nothing to your hard disk. The attacker exploits a vulnerable application and injects code into the main memory.

It can be hard for traditional antivirus software to detect these types of threats. Therefore, fileless malware should be taken seriously.

Technical details

Attackers exploit vulnerabilities in software that is already installed on a computer, such as a PDF viewer, Microsoft Office, or a flash player. Once hackers get inside the system, they use Windows Management Instrumentation (WMI), which gives admins access to system monitoring tools, or PowerShell (a task automation and configuration management application) to conduct their attacks.

When the .NET framework was introduced to Windows, threat actors started to use this framework to communicate with the operating system and exploit vulnerabilities in software.

Fileless malware is usually delivered through phishing emails that contain a malicious link or an attachment. Usually, these types of campaigns target organizations or a specific individual, suggesting that malicious emails may be well crafted.

Types of fileless malware

Memory-resident malware

Memory-resident malware is stored in the computer’s RAM (random access memory). It runs in the background and provides threat actors with backdoor access.

Windows registry malware

Hackers use Windows registry keys to store and hide malicious code, which could sit undetected for years. After getting into the system, criminals exploit PowerShell to perform malicious activities. Powershell doesn’t log commands, so it can be hard to track the script executed on an infected computer even if you use firewalls and other antivirus software.

Rootkit fileless malware

Wrongdoers can get the administrator access to the victim’s device and then install rootkit malware. The malicious code is hidden in the operating system and allows malware to run without a file. While this type of malware is not entirely fileless, its behavior corresponds to the general characteristics of fileless malware.

A brief history of fileless malware

The origins of fileless malware date back to late 80s and early 90s when malicious programs, such as Frodo, Number of the Beast, and The Dark Avenger were discovered on the internet. What made these programs different from other malware is that once executed, they resided in the memory of an infected computer.

In 2001, a computer worm called Code Red emerged and attacked enterprise networks. It used a vulnerability in Microsoft Internet Information Services (IIS) to write commands to the server’s working memory. Code Red didn’t leave any files on the hard drive or other permanent storage. Estimates say that this worm caused billions of dollars in damages and infected thousands of computers.

In the last few years, fileless malware has seen a spike in prevalence. Since it’s hard to detect, hackers have started to use this type of attack more often. In 2017, a threat called Operation Cobalt Kitty was detected, which targeted an enterprise in Asia. According to security researchers, hackers sent spear phishing emails to the top management and compromised more than 40 computers and servers.

Criminals often use fileless techniques to deploy ransomware, which is also a growing threat.

The biggest attack

Meterpreter is an advanced penetration testing tool that writes itself in a compromised process instead of residing in the memory. In 2017, unidentified hackers exploited Meterpreter, deployed PowerShell scripts within the Windows registry, and used the NETSH utility to exfiltrate traffic from the victim’s machine.

Estimates say that more than 140 enterprises and financial institutions were affected around the world by this cyber threat. However, the real scope of the attack may be bigger because no bank wants to go public about getting hacked and risk damaging their reputation.

Fileless malware detection

If your computer is infected, you can often notice changes in its performance: it becomes slower, programs start to crash, additional software may appear on your hard disk, or suspicious pop-ups materialize out of nowhere. However, fileless malware is designed to sit silently on your device as long as needed to compromise your data. That’s why no obvious signs may appear that would lead you to suspect something’s wrong.

If fileless malware is almost undetectable, are there any ways to identify that you got hacked? By responding to the rise of fileless malware, Microsoft updated Windows Defender to detect suspicious activity from PowerShell.

IT admins should closely inspect network activity to see if hackers are exfiltrating data or establishing a connection with a botnet. Certain antivirus software can detect suspicious processes in your computer’s memory and tie these processes to malicious activities.

How to prevent your organization from cyber attacks

Train your staff. Many employees lack a proper understanding of cyber threats and have a hard time identifying common attack vectors. Regular training and email phishing simulations can highly improve your company’s security and mitigate the risk of getting hacked.

Update your software. Postponing software updates are more common than you think. Even the IT industry is full of horror stories about employees that have worked several years for a company and have never updated their operating system. Hackers love these lazybones because they can exploit a bug in software that was patched months or years ago. Our article on exploits will explain this in detail.

Manage administrative privileges. An employee should only access resources they need to perform their daily tasks. If a person with vast administrative privileges is hacked, it could be enough to compromise the whole network. However, if that person is authorized to access only certain resources, the damage may be much smaller.

Use a password manager. Using the same password for all your accounts is a straightforward way to lose your valuable data. If you want to create strong and unique passwords, get yourself a password manager like NordPass. It will securely store all your passwords, auto-fill them, and help to create unique ones.

Implement advanced security solutions. While Windows devices have native security software installed, it is not enough to protect your computer from all types of malware. Use additional software, like NordVPN, to secure your devices. Its Threat Protection feature makes sure that you don’t stumble into malicious websites or accidentally download malware.