Fileless malware: Definition, types, and detection

What is fileless malware?

Fileless malware is usually delivered through social engineering attempts, such as email phishing attacks. These types of campaigns are typically carefully designed to target specific people or organizations, making them more likely to succeed.

Since it takes advantage of tools that are already inside the device, fileless malware can be considered a LOL (living off the land) attack. In these attacks, cybercriminals exploit existing legitimate programs or scripts, known as LOLBins (living off the land binaries), to execute their malicious actions.

How does fileless malware work?

Fileless malware operates through a series of carefully orchestrated steps. It exploits the device’s resources to execute malicious activity without leaving a conventional trace on the hard drive. Let’s discuss the process in more detail.

1. The attacker sends a phishing email. The attack typically starts with an email or other phishing attack. This email is designed to deceive the recipient. It will contain a malicious link or an attachment that appears legitimate but is designed to trick the user into interacting with it.
2. The malware enters the device. Once the user clicks on the link or opens the attachment, the malware is activated. Instead of saving a file to the device’s storage, the malware runs directly in RAM (random access memory), which is used to store data temporarily while programs are running. To get into a device, criminals often exploit vulnerabilities in software that the user already has installed, such as document readers, PDF viewers, or browser plugins.
3. The malware exploits the admin tool. The malware then takes advantage of trusted operating system administration tools like PowerShell or Windows Management Instrumentation (WMI). These tools are frequently used for task automation and management, and because they are considered legitimate and essential, most security software does not block them.
4. The malware connects to the command and control center. Using these administrative tools, the malware connects to a remote command and control center, where it downloads and executes additional malicious scripts. This remote interaction allows the attacker to perform further harmful activities directly within the device’s memory.
5. Your data is sent to hackers. Finally, the malware begins exfiltrating data. It sends stolen information to the attackers and may also engage in lateral movement, spreading across the network to access and compromise other devices or servers within the same network.

Types of fileless malware

Fileless malware can take many forms, each designed to exploit vulnerabilities in different tools and software, all while avoiding detection. Let’s explore the different methods used in fileless attacks and how they can compromise your network.

Memory-resident malware

Memory-resident malware operates directly in the computer’s short-term memory (RAM) and does not create persistent files on the hard drive. It runs in the background and provides threat actors with backdoor access. Because memory-resident malware resides in this volatile memory, it remains active as long as the computer is running and can execute its malicious activities without leaving permanent files on the disk.

Windows registry malware

Hackers can hide malware in the Windows registry, a part of your computer where important settings are stored. By placing malicious code there, they can keep it hidden for a long time without being noticed.

Once they have access to your device, threat actors might use a tool called PowerShell to carry out harmful actions. PowerShell is a command-line tool that doesn’t keep a record of the commands it runs. This makes it difficult to track what the malware is doing, even if you have security software like firewalls and antivirus programs.

Rootkit fileless malware

Wrongdoers can gain administrator access to the victim’s device and then install rootkit malware. A rootkit is a type of malicious software designed specifically to conceal other forms of malware or malicious activity within the operating system. While the rootkit itself involves some form of file or modification, it allows the malware to operate without relying on visible files. This behavior corresponds to the general characteristics of fileless malware.

Fileless ransomware

With fileless ransomware, attackers use advanced techniques to embed malicious code directly into a computer’s memory or documents using native scripting languages. Once activated, the ransomware encrypts files on the victim’s device and demands a ransom for decryption, all while staying hidden.

A brief history of fileless malware

Fileless malware has been around since the late 1980s and early 1990s. Early examples like Frodo, Number of the Beast, and The Dark Avenger were different from other malware at the time because they operated directly from memory rather than relying on files stored on disk.

One of the first major fileless malware incidents was the Code Red worm in 2001. It exploited a weakness in Microsoft Internet Information Services (IIS) to run commands directly in the server’s memory. Estimates say that this worm caused billions of dollars in damages and infected thousands of computers.

In recent years, fileless malware has become more common because it’s difficult to detect, leading hackers to use it more often. One of the biggest fileless malware attacks happened in 2017 and involved Meterpreter, a security product used for penetration testing. Hackers used Meterpreter to inject PowerShell scripts into the Windows registry and exfiltrate data using the NETSH utility. This attack affected more than 140 companies and financial institutions worldwide, although the full impact remains largely unknown because of the sensitive nature of the breaches.

How to detect fileless malware

If your computer is infected, you will often notice changes in its performance — it becomes slower, programs start to crash, additional software may appear on your hard disk, or suspicious pop-ups come out of nowhere. However, fileless malware is designed to sit silently on your device as long as needed to compromise your data. That is why detecting it can be challenging. However, some strategies and tools can help you identify these threats.

Indicators of attack

Using indicators of attack (IOA) can help detect abnormal activity associated with fileless malware. IOA are signs or patterns that may suggest a system is under attack. Look for unusual behavior, such as unexpected changes in the device’s processes or unauthorized use of scripting languages like PowerShell. Keeping an eye on these signs can help you spot potential threats before they cause serious harm.

Managed threat hunting

Managed cyber threat hunting is about looking for and responding to threats that automated tools might miss. Skilled hunters analyze unusual patterns in your network to find signs of fileless malware. Tools like malware sandboxing and allowlisting are useful. Sandboxing allows you to run and observe potentially malicious code in a secure space, and allowlisting ensures that only approved programs can run, which reduces the chance of unauthorized activity.

How to prevent fileless malware attacks

Fileless malware may be hard to detect, but it’s possible to stop it with the right measures. Here are a few simple steps that can help you strengthen your defenses and lower the risk of fileless malware attacks.

• Train your staff. Many employees lack a proper understanding of cyber threats and have trouble identifying common attack vectors. Regular training and email phishing simulations can greatly improve your company’s security, reducing the attack surface and mitigating the risk of getting hacked.
• Update your software. Postponing software updates is more common than you think. Even the IT industry is full of horror stories about employees who have worked several years for a company and have never updated their operating systems. Hackers love these procrastinators because they can exploit a bug in software that was patched months or years ago.
• Manage administrative privileges. An employee should only access the resources they need to perform their daily tasks. If a person with vast administrative privileges is hacked, it could be enough to compromise the whole network. However, if that person is authorized to access only certain resources, the damage may be much smaller.
• Use a password manager. Using the same password for all your accounts is a straightforward way to lose your valuable data. If you want to create strong and unique passwords, get yourself a password manager like NordPass. It will securely store all your passwords, auto-fill them, and help to create unique ones.
• Implement advanced security solutions. While Windows devices have native security software installed, it is not enough to protect your computer from all types of malware. Use additional software, like NordVPN, to secure your devices. Its Threat Protection Pro feature makes sure that you don’t stumble into malicious websites or accidentally download malware.