What is Fileless Malware?
Fileless Malware Definition
What is fileless malware? Fileless malware is malicious code that works directly within a computer’s memory instead of the hard drive. It uses legitimate, otherwise benevolent programs to compromise your computer instead of malicious files. It is “fileless” in that when your machine gets infected, no files are downloaded to your hard drive.
This makes fileless malware analysis somewhat more difficult than detecting and destroying viruses and other forms of malware that get installed directly on your hard drive. Because fileless malware attacks require no malicious files, traditional antivirus tools that perform hardware scans to locate threats may miss them altogether.
This does not mean fileless malware detection is impossible, however. Fileless malware includes code that does several things regular viruses can do, including data exfiltration. These kinds of malicious activities can trigger a scan. Then security personnel can start fileless malware mitigation steps, which often involve scanning the command lines of trusted applications, such as Microsoft Windows PowerShell, which is used to automate tasks. In a sense, even though fileless malware can run, it cannot hide.
How Does Fileless Malware Work?
Fileless malware works by going straight into your computer’s memory. This means the malicious code never enters your hard drive. How it gets there is very similar to how other malicious code gets into your system.
For instance, a user gets tricked into clicking on a link or an attachment that a hacker puts inside a phishing email. The attacker may use social engineering to manipulate the emotions of the victim and get them to click on the attachment or link. The malware is then introduced into your system and begins to move from one device to another.
Attackers use fileless malware to gain access to data they can either steal or use to sabotage the operations of an organization. Fileless malware hides by using applications administrators would usually trust, such as Windows script programs or PowerShell. Often, these are among the applications an organization whitelists. Fileless malware is not a rogue program sitting in a file all its own on your hard drive—instead, it corrupts a trusted program, making it more difficult to detect.
Fileless malware’s strongest “attribute,” at least from the perspective of attackers, is they do not have to try to evade antivirus programs to get it on your computer. This is because fileless malware alters the command lines, which are lines of code that tell programs what to do. A regular antivirus program may not be able to identify the threat because there is no anomalous file associated with it.
Types of Fileless Malware Attacks
There are a few different kinds of fileless malware attacks, but they tend to fall under two primary categories: memory code injection and Windows registry manipulation.
Memory Code Injection
With memory code injection, the malicious code that powers fileless malware gets hidden inside the memory of otherwise innocent applications. Often, the programs used for this kind of attack are essential to important processes. Within these authorized processes, the malware executes code.
In many cases, these kinds of attacks use vulnerabilities in programs, such as Flash and Java, as well as browsers. It is also common for a hacker to use a phishing campaign to penetrate the victim’s system. Once the malware has gained access, it executes code inside the target computer's memory, not from within an app designed by the attacker.
Windows Registry Manipulation
With Windows registry manipulation, the attacker uses a malicious link or file that takes advantage of a trusted Windows process. After a user clicks on the link, for example, the Windows process is then used to write and execute fileless code into the registry.
Similar to memory code injection malware, by manipulating the registry instead of working through a malicious application, this kind of fileless malware can hide from traditional detection tools, such as antivirus software.
Top 5 Fileless Malware Attacks
Fileless malware has been gaining in popularity—primarily because it can circumvent traditional antivirus technology, making it easier for attackers to spread it, especially because regular cybersecurity mechanisms may never see the attack coming.
The top five fileless malware attacks include:
- Number of the Beast
- The Dark Avenger
- Duqu 2.0
How To Detect Fileless Malware Attacks
When figuring out how to prevent fileless malware attacks, the first thing to keep in mind is that regular antivirus software may not work. In addition, methods such as sandboxing and whitelisting will also be ineffective, primarily because there is no typical file signature that these kinds of programs can detect and mitigate.
Here are some ways you can identify a fileless malware attack:
Use Indicators of Attack Instead of Indicators of Compromise
Looking for indicators of attack (IOAs) is an effective way to detect fileless malware. That is because you identify the activity associated with the malware as opposed to a specific file that has been introduced to your computer. This is different from indicators of compromise (IOCs) analysis because you are not looking for suspicious files—rather, you are checking your system for abnormal activity.
Some examples of suspicious activity include abnormal code execution and lateral movements. Lateral movements involve code moving from one component to another after it has penetrated your network.
By studying these elements of an attack, you are focusing on the behavior of the malware instead of file signatures that could indicate the presence of a traditional virus, for example.
Use Managed Threat Hunting
Managed threat hunting takes the grunt work of finding and addressing threats off your shoulders. Instead of manually going through your system to find fileless malware, you hire an experienced company that can locate and mitigate it for you. You can also use a managed threat hunting service to continuously monitor your system. In this way, as soon as suspicious activity happens, they can flag and address it.
How To Prevent Fileless Malware Attacks
Preventing fileless malware attacks involves focusing on the vulnerabilities they typically take advantage of. For example, because fileless malware tends to use trusted applications, a cybersecurity company can look for applications running within your environment in an abnormal way. This could indicate that they are being used in a fileless malware attack.
Also, by using IOAs, it is possible to not only identify fileless malware, but you can also stop it from spreading or completing the attack sequence.
How Can Fortinet Help?
A powerful way to stay a step ahead of fileless malware is to prevent it from getting onto your system in the first place using web filtering. FortiGuard, an artificial intelligence-powered web filtering service from Fortinet, can block the phishing emails that fileless malware attacks often depend on. This enables you to keep fileless malware out of your system, preventing it from accessing trusted processes.
Is fileless malware a virus?
No, fileless malware is not a virus, and it cannot be detected with traditional antivirus technology.
How is fileless malware delivered?
Fileless malware is typically delivered using malicious links or attachments sent through a phishing email.