By Charles Joseph | Cybersecurity Advocate
When we think of malware, we usually think of files: executable program files, infected email attachments, compromised videos from filesharing sites, and countless other variations.
Nobody likes malware, of course, but there’s something a little comforting about this. Files, after all, can be traced, analyzed, and deleted by antivirus programs, making it possible to prevent and recover from malware attacks.
But not all malware requires files to run. This fileless malware flies under the radar, evading detection as it carries out its destruction before disappearing without a trace.
What Is Fileless Malware?
While traditional malware arrives on your hard drive as a program installer, PDF, Word document, or other files, fileless malware never arrives on your hard drive at all.
Rather, it remains in your computer’s temporary memory, where it manipulates your operating system’s basic functions into doing its bidding.
Here’s a look at the structure and outcome of a fileless malware attack, from initial infection to the sometimes devastating aftermath.
Fileless Malware Infection
Fileless malware attacks, like other malware attacks, begin with a vulnerability — in your OS or software as well as in your emotions and behavior.
Phishing emails and their attachments are common origin points. They lure you in with social engineering tactics, tricking you into clicking a link or performing another action that opens a door for the attacker to enter your system.
Fileless malware can also use unsecured or compromised networks to access your computer. Attackers can run automated scans that test every device on the network for a particular vulnerability, letting them quickly identify and gain access to potential victims.
Sometimes, fileless malware requires deeper access to a system than can be gained by these methods. The initial attack may therefore be intended to steal your login credentials, create a new user account or modify a system setting, after which the actual fileless malware attack can begin.
Fileless Malware Attack Vectors
Most fileless malware attacks rely on PowerShell, a built-in scripting platform for Windows. PowerShell is a legitimate tool that can be used to automate tasks and create small programs using command-line scripts that run in memory.
These features hold a lot of appeal for fileless malware attackers.
Because PowerShell is a trusted OS component, antivirus programs usually assume that any actions performed through it are above board. And because the commands execute in memory only, there’s nothing on the hard drive for an antivirus scan to detect.
If the attacker stole your credentials during the initial infection stage, they may simply log in to your computer remotely and execute the script just like a normal user.
PowerShell scripts are, as the name suggests, powerful. Not only can they control various aspects of the OS, they can download and install applications, communicate with other devices over the network, alter program settings, modify files, and even disable security features.
This allows attackers to use them for the same nefarious purposes as other malware. Fileless malware scripts can harvest and steal passwords, intercept network traffic, record credit card numbers, download other malware onto your computer, and even encrypt your files until you pay a ransom.
Though PowerShell is the most common tool exploited by fileless malware, it’s not the only one. The Windows Management Instrumentation (WMI) infrastructure, Visual Basic, and the .NET Framework are also used, and malicious memory-only scripts can also be implemented on macOS and Linux.
Fileless Malware Persistence
Because fileless malware runs only in memory, its window of opportunity for attack is very limited. RAM is constantly being overwritten, so fileless malware may have just a few hours — or even minutes — to perform its tasks before it’s erased.
If the malware is designed to run quickly and gather the data it needs in one shot, that may be all the time it needs.
But attackers often want the ability to run their scripts repeatedly, or perform tasks that require more time than permitted by your RAM. And they don’t want to have to carry out the previous steps of the attack over and over again.
In these instances, they use clever tricks to make their fileless malware persist on your machine — and still avoid leaving behind any files.
This often involves modifying the registry, an extensive database of Windows settings that controls just about all of the OS’s behavior.
By creating new registry keys or modifying existing ones, attackers can configure the OS to run their malicious scripts automatically when your computer starts up. The registry may also be modified to create a permanent backdoor, allowing the attacker to access your computer at any time, for any purpose.
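A defender can review the autorun entries described above for values that launch a script interpreter with inline code instead of pointing at a program file on disk. The Python sketch below is an added example, not part of the original article; the sample rows are constructed, and the heuristics and their names are assumptions chosen for illustration.

```python
import re

# Well-known autorun keys that Windows reads at startup or logon (lowercased).
AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
}
# Illustrative heuristics (assumptions for this example, not a vendor rule set).
CHECKS = {
    "script_host": re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|wmic)(\.exe)?\b", re.I),
    "inline_code": re.compile(r"\s-(c|command|e|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "reads_registry": re.compile(r"get-itemproperty|\bhk(cu|lm):", re.I),
}
MAX_PLAIN_LENGTH = 260  # a typical entry is a file path plus a few switches

# Constructed sample of exported (key, value name, value data) rows.
SAMPLE = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "LogonScript",
     r'wscript.exe "C:\Scripts\logon.vbs"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'powershell.exe -NoProfile -WindowStyle Hidden -Command '
     r'"(Get-ItemProperty HKCU:\Software\ExampleCo).Blob"'),
    (r"HKCU\Software\ExampleCo", "Blob", "<constructed placeholder>"),
]


def audit_autoruns(entries):
    """Return (key, name, reasons) for autorun values that look like inline scripts."""
    findings = []
    for key, name, data in entries:
        if key.lower() not in AUTORUN_KEYS:
            continue  # only values that Windows executes automatically
        reasons = [label for label, rx in CHECKS.items() if rx.search(data)]
        if len(data) > MAX_PLAIN_LENGTH:
            reasons.append("long_value")
        # A script host that runs a file on disk is common (logon scripts),
        # so require at least one more signal before reporting.
        if "script_host" in reasons and len(reasons) >= 2:
            findings.append((key, name, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_autoruns(SAMPLE):
        print(finding)
```

Only the constructed "Updater" row is reported: it starts PowerShell with inline code, hides the window, and reads its content from another registry value, while the logon script that runs a file on disk is left alone.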
Fileless Malware Detection and Consequences
Fileless malware is especially alarming to cybersecurity experts because it’s so hard to detect.
Typical antivirus scans ignore official-looking system processes, registry behavior, and PowerShell scripts. And because actively scanning the RAM is extremely resource-intensive, most scans only examine data that’s written to the hard drive.
Advanced enterprise-grade antivirus software is capable of monitoring the entire system for active signs of suspicious activity, making it the most effective means of preventing a fileless malware attack. But most consumer antivirus software almost never detects fileless malware.
And the esoteric nature of a fileless malware attack — registry modification, process hijacking, deep system backdoors — makes it next to impossible for even computer forensics specialists to remedy its effects.
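What monitoring for suspicious activity can look like in practice, as an added example that is not part of the original article and goes beyond its text: this Python sketch triages process-creation records, flagging script hosts started by an Office application and decoding PowerShell's Base64 `-EncodedCommand` argument so the script that ran in memory can be read. The event records, field names, and process lists are constructed assumptions.

```python
import base64
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Captures a switch starting with "e" and the Base64-looking argument after it.
FLAG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand (or a short form), else None."""
    for flag, blob in FLAG.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts abbreviated forms such as -enc or -e.
        if "encodedcommand".startswith(flag) or flag == "ec":
            try:  # the argument is Base64 over UTF-16LE text
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(events):
    """Return script-host launches with a suspicious parent or an encoded script."""
    results = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image not in SCRIPT_HOSTS:
            continue
        reasons = []
        if ntpath.basename(ev["parent"]).lower() in OFFICE_PARENTS:
            reasons.append("office_parent")
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            reasons.append("encoded_command")
        if reasons:
            results.append({"image": image, "reasons": reasons, "decoded": decoded})
    return results


# Constructed sample records; the encoded script is a harmless placeholder.
_BLOB = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -enc " + _BLOB},
]
```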
Key Fileless Malware Takeaways
- While traditional malware operates from a file or files on your hard drive, fileless malware resides solely in your RAM, where it’s stored for just a short time.
- The majority of fileless malware uses Windows’ registry and built-in PowerShell scripting tool (or their equivalents on other OSes), disguising itself as legitimate system functions while carrying out its attacks.
- Fileless malware can do anything that regular malware does, including stealing files, harvesting personal data, corrupting your system and downloading other malware.
- Because fileless malware never writes itself to your hard drive, it can’t be detected or removed by most antivirus software.
History of Fileless Malware
The earliest fileless malware is generally considered to be Code Red, a worm first identified in 2001.
Targeting the Microsoft IIS web server, it exploited a buffer overflow vulnerability in which long request strings were interpreted by the server as executable code, with a variety of effects. Code Red was able to erase infected websites, launch denial-of-service attacks against other websites, and spread to other IIS servers.
Two years later, yet another Microsoft server product, SQL Server, was targeted by fileless malware: SQL Slammer. This malware infected 75,000 machines in under 10 minutes, again exploiting a buffer overflow vulnerability and residing only in memory to avoid detection.
Fileless malware made headlines again in 2012, when an unnamed bot running only in memory exploited a Java bug to install the Lurk banking Trojan. Lurk was designed to steal money from Russia’s largest banks, amassing over $45 million USD over 4 years.
But interest in fileless malware truly spiked in 2017, when hackers used it to breach Equifax and expose the personal information of over 147 million Americans. The malware issued commands via a vulnerability in the Apache Struts web application framework, allowing the attacker to steal Equifax’s credit monitoring database.
Fileless Malware by the Numbers
- In 2017, 77% of all data breaches involved at least one fileless malware component.
- Fileless malware attacks are 10 times more likely to succeed than file-based malware attacks.
- In 2018, fileless malware attacks increased by 1,000% — and in 2019, they increased again by nearly 900%.
- 93% of security researchers consider fileless malware more dangerous than file-based malware.
Famous Fileless Malware
The Duqu 2.0 Malware
The Stuxnet worm, infamously created by the US and Israel to use against Iran, has inspired many successors since its discovery in 2010. And one of these successors, Duqu, has a successor of its own: Duqu 2.0, one of the most sophisticated examples of fileless malware ever created.
Originally deployed to gather intel on Iran’s nuclear talks in 2015, Duqu 2.0 was discovered after it infected Kaspersky Lab, a cybersecurity company. Writing no files to the disk, it used memory-based Microsoft Word macros to access the infected system’s kernel, where it created backdoors and intercepted network communications.
The Poweliks Malware
Poweliks began as a file-based ad-click-fraud malware, secretly loading ads in the background and generating revenue for the creator with every “click.” But in 2015, it became fully fileless, using the Windows registry to store and execute its malicious code.
Each day, Poweliks loads up to 3,000 ads in secret, hogging the system’s memory without alerting the user to its presence. If any part of the malware is modified or removed, Poweliks is able to detect and restore it automatically, making it incredibly difficult to detect and even harder to remove.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional