What Is Fileless Malware?

Most people think of malware as malicious executable files downloaded from an email or the web, but fileless malware adds a new twist to data protection. Instead of relying on an executable file that loads every time a user boots their system, fileless malware loads from the Windows registry directly into memory, or runs from malicious code stored in a document. Fileless malware is built to bypass antivirus software, so it takes additional layers of security to stop it.

What Is Fileless Malware?

Fileless malware is a type of malicious software that operates entirely within a computer's memory, meaning it doesn't create any files on the hard drive. With traditional malware, the malware author compiles an executable and must find a way to deliver it to a target. For example, the malware author could craft an email message to convince a data centre employee to open a script that will then download the executable. The executable loads malicious code into memory. Every time the user reboots, the executable file is reloaded into memory.

Fileless malware is much more lightweight than file-based malware. With fileless malware, the code is loaded into the Windows registry, or malicious code is loaded into memory with no executable file necessary. For example, a PowerShell script could be loaded into server memory and used to send data to an attacker-controlled server on the internet.
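A defender can triage this by checking whether a registry autostart value launches PowerShell with its code carried in the value itself rather than in a script file on disk. The following is an added example, not part of the original article; the Run key rows, value names, and placeholder payload are constructed sample data, and the helper names are hypothetical.

```python
import shlex

# Constructed sample rows: (registry key, value name, value data).
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUNS = [
    (RUN, "Sync", r'"C:\Program Files\Example\sync.exe" /background'),
    (RUN, "Backup", r'powershell.exe -NoProfile -File "C:\Scripts\backup.ps1" -c full'),
    (RUN, "Updater",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64-PLACEHOLDER>"),
]
POWERSHELL_NAMES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
INLINE_FLAGS = ("encodedcommand", "command")

def _is_prefix_of(name, full):
    # PowerShell accepts any unambiguous prefix of a parameter name (-enc, -c, ...).
    return bool(name) and full.startswith(name)

def inline_code_flag(data):
    """Return the flag that makes PowerShell run code held in the value itself, else None."""
    tokens = shlex.split(data, posix=False)  # posix=False keeps Windows backslashes intact
    if not tokens:
        return None
    exe = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in POWERSHELL_NAMES:
        return None
    for tok in tokens[1:]:
        if not tok.startswith(("-", "/")):
            continue
        name = tok[1:].lower()
        if _is_prefix_of(name, "file"):
            return None  # code lives in a script on disk; later tokens are its arguments
        if name == "ec" or any(_is_prefix_of(name, f) for f in INLINE_FLAGS):
            return tok
    return None

def triage(rows):
    """List (value name, flag) for autostart values that carry their code inline."""
    hits = []
    for _key, value_name, data in rows:
        flag = inline_code_flag(data)
        if flag:
            hits.append((value_name, flag))
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUNS))
```

A hit is a lead for review, not a verdict: some legitimate management tooling also starts PowerShell with inline commands.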

How Fileless Malware Works

Most attacks start with a malicious phishing email, but attackers can also use drive-by downloads hosted on their web servers. Another common way to start an attack is through social engineering. An attacker might contact a target by text message and convince them to open a web page with malicious scripts. Phishing from malicious redirects on the web or man-in-the-middle attacks on an evil-twin Wi-Fi hotspot are rarer but still possible in malware attacks.

Fileless malware usually targets Windows machines, so PowerShell is the common scripting language used in these attacks. A user is first persuaded to run the PowerShell script, usually attached to an email message, and the script executes its instructions. The instructions could be to install ransomware, steal data from the user’s computer, silently listen for passwords, or install rootkits for remote control of the local machine. PowerShell can launch applications already installed on the user’s computer, so fileless malware can attempt to create a document with malicious code or inject malicious code into an existing document. When the user shares the document with another user, the malicious code executes and delivers its payload.

Common Attack Vectors

The most common attack vector for most payloads is phishing, and it’s the most common for fileless attacks too. To deliver a payload using email, the attacker must convince the user to open a malicious attachment or direct them to a website hosting the malware. Enterprise businesses should always have email security set up to stop these messages from reaching employee inboxes.

Microsoft Office documents can store macros and code to trigger activity when the document opens. These operations could be harmless, but malicious code stored in an Office document (e.g., Word, Excel, or PowerPoint) could deliver a number of payloads. Payloads include stealing data, installing rootkits, or delivering ransomware to the local machine or the network environment.

Social engineering could be a component in an attack. For example, a more sophisticated phishing attack usually has several attackers working to trick high-privilege employees like accountants or human resources staff. These targets have access to sensitive data, so threat authors can get much more return on their efforts. A threat author might team up with a social engineer and call a target to convince them to engage with a phishing email.

The Impact of Fileless Malware

Fileless attacks usually result in the loss of data or in long-term backdoors that let malware persist even after eradication. Most organized cybercriminals work together to steal data. Ransomware is a common payload and can force organisations to pay millions to get their data back if they have no viable data backups.

Persistent threats often run for months before detection. These threats can be used to silently exfiltrate data. While persistent threats run, they usually create backdoors so that security staff can’t completely remove or contain them. After detection and eradication, network administrators might have a false sense of security while the persistent threat’s backdoors allow attackers to breach the environment again.

Most data breaches lead to revenue loss from litigation and compliance fines. Brand damage must be contained, and a loss in customer trust could also lower sales. Fileless malware is built to bypass detection, so it can be especially dangerous to business continuity and future revenue. 

Detection and Prevention Strategies

To avoid the aftermath of a fileless malware attack, early detection is crucial. Early detection avoids many of the disaster recovery requirements to clean up after a data breach. Monitoring tools installed on network infrastructure and endpoints (e.g., user mobile devices) can catch fileless malware before it’s loaded in memory. Network monitoring solutions will detect any anomalous behavior when malicious code tries to access sensitive files and data.

Intrusion prevention will automatically contain a threat. Monitoring detects malware and alerts administrators, but intrusion prevention takes cybersecurity a step further and automatically stops it from stealing data. Network administrators must still take action, but damage is mitigated with intrusion prevention and containment.

Current-day monitoring and prevention use analytics and behavior patterns to detect malicious activity. For example, a file with sensitive data might only receive a handful of access requests throughout the year. When malware attempts to access files several times in a short period of time, detection solutions see this as suspicious activity and alert administrators. Zero-day threats can also be detected this way, by comparing activity against established benchmarks and flagging anomalies.
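The rate check described above can be sketched as a sliding window per file, with an alert threshold that scales with that file's normal access rate. This is an added example, not code from the original article or from any product; the window length, thresholds, file names, and log lines are constructed assumptions.

```python
import math
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # assumed length of the "short period"
MIN_BURST = 3         # assumed floor: never alert on fewer reads than this
FACTOR = 10           # assumed multiple of the expected rate that counts as anomalous
YEAR_SECONDS = 365 * 24 * 3600

# Constructed baseline: reads per year normally seen for each file.
BASELINE_PER_YEAR = {"hr/payroll.xlsx": 6, "public/menu.pdf": 500_000}

# Constructed access log, oldest first: timestamp, process, file.
SAMPLE_LOG = """\
2026-02-03T09:00:00 explorer.exe public/menu.pdf
2026-02-03T09:00:10 explorer.exe public/menu.pdf
2026-02-03T09:00:20 explorer.exe public/menu.pdf
2026-02-03T09:00:30 explorer.exe public/menu.pdf
2026-02-03T09:15:00 excel.exe hr/payroll.xlsx
2026-02-03T14:02:05 powershell.exe hr/payroll.xlsx
2026-02-03T14:02:11 powershell.exe hr/payroll.xlsx
2026-02-03T14:02:19 powershell.exe hr/payroll.xlsx
2026-02-03T14:02:40 powershell.exe hr/payroll.xlsx
"""

def threshold(reads_per_year):
    """Reads inside one window needed before a file's activity is called a burst."""
    expected = reads_per_year * WINDOW_SECONDS / YEAR_SECONDS
    return max(MIN_BURST, math.ceil(FACTOR * expected))

def detect_bursts(log_text, baseline=BASELINE_PER_YEAR):
    """Return (file, timestamp, process, reads in window) once per burst."""
    recent = defaultdict(deque)  # file -> read times still inside the window
    reported = set()             # files whose current burst already raised an alert
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        stamp, process, path = line.split(maxsplit=2)
        now = datetime.fromisoformat(stamp)
        window = recent[path]
        window.append(now)
        while (now - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) < threshold(baseline.get(path, 0)):
            reported.discard(path)
        elif path not in reported:
            reported.add(path)
            alerts.append((path, stamp, process, len(window)))
    return alerts
```

On the sample log, the four reads of the busy public file stay under its threshold of 10, while three reads of the rarely opened payroll file within a minute raise a single alert.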

Conclusion

Fileless malware is just one of the many cybersecurity risks administrators must deal with. You can minimize and mitigate risks with the right monitoring tools, intrusion detection, and prevention solutions. Install endpoint detection and response (EDR) protection on all user devices, especially those that connect to third-party Wi-Fi hotspots. Finally, partner with a trusted technology partner offering solutions that protect your data and prioritize data protection.
