Industry Trends

Fileless Malware: What It Is and How It Works

By Aamir Lakhani | August 01, 2022

Fileless malware uses a computer system’s built-in tools to execute a cyberattack. In other words, fileless malware takes advantage of the vulnerabilities present in installed software to facilitate an attack. This type of malware does not require the attacker to sneak malicious code onto a potential victim’s system’s hard drive to be successful. Therefore, fileless malware can be extremely hard to detect—and extremely dangerous.

This blog will outline the basics of what fileless malware is along with the stages of an attack, the common techniques used by cybercriminals employing fileless malware, and tips for detecting these types of threats.

What is Fileless Malware?

Fileless malware is a threat that doesn’t exist on disk. Typically, when malware is on disk—what I mean by on disk, is malware loaded onto a machine’s SSD (solid state drive) or hard drive—and it physically exists, it’s much easier to detect by security software. Also, it can be examined by security researchers, especially if it’s a complex threat.

Obviously, attackers don’t want their malware to be analyzed by defenders, who would then be better able to defend by reverse engineering the malware. So, the best way for the bad guys to keep their fileless malware effective and not have it analyzed is to make sure it’s not on disk. Hence, the rise of fileless malware.

If Fileless Malware Is Not on Disk, Then Where Is It?

Naturally, your next question about fileless malware is “Where in the world does it exist if it’s not on disk?” Basically, it exists in memory. Over the years, sophisticated attackers have used a variety of techniques to inject memory with their vilest malware.

Frodo and The Dark Avenger are early examples of fileless malware. Frodo was created in 1989 and was initially mean to be “a harmless prank.” Eventually, it that was exploited. That same year, The Dark Avenger was also discovered. It’s a type of attack that was used to infect executable files every time they were run on an infected computer. Even the copied files would get infected.

Today, fileless malware has become so advanced that the code they inject in memory executes and downloads new code in memory. Fileless malware does not require files to launch, however, it does need to modify the native environment and tools that it tries to attack. This is a much more advanced way of using fileless malware.

Fileless malware does not require files to launch, however, it does need to modify the native environment and tools that it tries to attack.

Using this technique to execute makes it very difficult for security software to figure out what the fileless malware is executing because there’s so many things happening in memory—so many normal operations that are being run—that it’s complex and hard to examine and get a handle on what’s happening. Security solutions simply can’t get a baseline on whether something malicious is occurring or not. This is what makes fileless malware very effective.

If It’s so Effective, Why Don’t We See More Fileless Malware Attacks?

We are seeing more than in the recent past, but one of the downsides for attackers trying to use fileless malware is that it is more complicated than traditional malware. To create and execute fileless malware, attackers require a higher level of skills. This is why when you do see fileless malware attacks, they are typically associated with state-sponsored threats or the most sophisticated cybercriminals.

To get the same capabilities and features that traditional malware have, fileless malware requires creators with strong skill sets. The challenge for them is that there’s limited space in a device’s memory and they don't have much disk space to work with. The malware in memory can only reside in an existing memory space that's already limited in functionality.

Fileless malware is not only difficult to execute, but attackers must find a place in memory for it. And this must work quickly because fileless malware is flushed from memory when the system is rebooted. To be effective, fileless malware attackers need the right set of circumstances.

What are the Stages of a Fileless Malware Attack?

Like a traditional malware attack, the typical stages of a fileless malware attack are:

  • Stage 1: Attacker gains remote access to the victim’s system.
  • Stage 2: Attacker obtains credentials for the compromised environment.
  • Stage 3: Attacker creates a backdoor to the environment to return without needing to repeat the initial stages.
  • Stage 4: Attacker prepares for data exfiltration by copying information in one location and then compressing it—using readily available system tools like Compact.

What is the Most Common Fileless Malware Technique?

Cybercriminals that use fileless malware need to access the system in order to modify the native tools and launch attacks. Currently, stolen credentials are still the most common technique that attackers use to gain access.

Anytime you hear about credentials being stolen or usernames being hacked or credit card information being lifted, I wouldn't be surprised if there's at least some component of fileless malware involved.

Once fileless malware has gained access to a system, it can begin launching traditional malware. The techniques listed below tend to be more successful when combined with fileless malware:

How Do You Detect Fileless Malware?

The best way to detect and defeat fileless malware attacks is to have a holistic approach with a multi-layered defense posture. An organization’s best practices for detecting fileless malware threats should include employing indicators of attack (IOAs) along with indicators of compromise (IOCs) and leveraging their security solution’s threat hunting capabilities.

Because fileless malware uses a system’s built-in tools to facilitate attacks and cover its tracks, cybersecurity teams must be aware, remain vigilant, and know the different methods attackers employ in carrying out these fileless malware attacks. It’s all about gaining visibility on cybercriminals that are trying hard to hide in a system’s memory.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.