How to Recognize and Successfully Resist Fileless Malware Threats

Artsiom Balabanau
Published 07/16/2021
Share this on:

Fileless malware

Cyber attacks pose a serious threat to any digital business. By using stolen credentials and compromised devices, hackers gain access to valuable information. Malefactors are becoming more and more cunning, finding loopholes in virtually any new technology. Cybersecurity Ventures predicts that, by 2025, costs for IT security services will rise to $10.5 trillion a year.

The use of fileless malware by hackers is growing at an incredible rate. According to Trend Micro, in 2019, the number of such attacks increased by 265%. What is this horrifying weapon – fileless malware? How can we combat it? We are going to discuss these issues in this article.


What is fileless malware?

Fileless or bodiless malware is a new method of infecting a device – a malicious program that leaves no traces on the hard drive, working entirely in RAM. Fileless attacks penetrate the network through common entry points: memory, PowerShell, Microsoft Office macros, Windows management interface, and so on.

To make it clearer, let’s take a look at how a computer becomes infected with standard malware. For example, a user downloads an infected file to their laptop. The virus gradually embeds in program files (command files, executable files, files with device drivers, etc.). The presence of such unwanted “guests” affects the speed of a computer: files and drives get damaged, programs stop functioning, and so on. The worst thing is that this malware can steal passwords, credit card numbers, and other confidential information saved in a browser.

How to Recognize and Successfully Resist Fileless Malware Threats Diagram 1
The most common ways a device can get infected with malware

Fileless malware is not considered a traditional virus. It works the same way but in RAM, without saving to a file or installing. Fileless “wreckers” go directly to the system, bypassing the hard drive.

The insidiousness of this malware also lies in the fact that harmless legal programs are used for infection – even tools for automating administrative and configuration tasks, such as Microsoft Windows PowerShell. Such a technique is called “living off the land.”

How to Recognize and Successfully Resist Fileless Malware Threats Diagram 2
Example of a fileless attack kill chain

The hidden threat of fileless malware was highlighted by Jen Miller Osborn, Deputy Director of Threat Intelligence at Palo Alto Networks. Attackers repurpose specialized programs that users have developed confidence in, which makes it much more difficult to find a virus.

Since malicious code penetrates memory, detecting it with antivirus software is difficult. This is only possible with a more complex dynamic analysis of the running system processes.

According to Ponemon Institute’s estimates, fileless attacks are about ten times more likely to succeed than traditional hacks. An example of one of the largest incidents involving fileless malware is the Equifax data breach, during which attackers stole hundreds of millions of people’s personal data. This type of hacking was used for the Democratic National Committee cyber attacks, after which sensitive documents were leaked onto the Internet.



Want more tech news? Subscribe to ComputingEdge Newsletter Today!



How does fileless malware work?

Fileless malware uses licensed trusted programs running in the operating system. For example, in December 2019, fileless malware for macOS was discovered, disguised as part of a cryptocurrency program called UnionCryptoTrader.dmg. A trojanized version of the legal application setup file was distributed from a cryptocurrency arbitrage website.

A fileless malware attack usually starts with a user’s action. A person receives a well-disguised spam message, clicks on the link, and is redirected to a malicious website. Next, the fake website initiates Adobe Flash – a common attack vector. Flash calls PowerShell and enters instructions on the command line into the user’s computer memory. One of these instructions connects to the C&C server and downloads a malicious PowerShell script that finds sensitive data and extracts it.

Fileless malware can enter a device’s memory in the following ways:

  • via emails, links, or malicious downloads that look legal;
  • via installed trusted applications (Microsoft Word or JavaScript);
  • via licensed programs (Windows Management Instrumentation (WMI) or Microsoft PowerShell);
  • via hacker websites, when a Flash plugin allows malicious code to run in the browser’s memory.

In this way, fileless malware is written directly into RAM, covering up its tracks after a system overload. This creates additional complexity in finding out the cause of the data leak.


Types of fileless malware attacks

Cyber security experts distinguish three main categories of fileless attacks:

1. Manipulations of Windows registry

This type of attack involves a malicious file or link. When you download such a file or follow the link, a normal Windows process starts to write and execute fileless code into the registry.

2. Memory code injection

This method involves hiding malicious code in the memory of legitimate applications. While the operating system is running, the malware is spreading and reinserting itself into processes. Since the “wreckers” use official Windows programs (for example, PowerShell and MWI), antivirus software can’t find anything wrong.

3. Script-based methods

Script-based methods may be only partially fileless, but they are still difficult to find. This is how the ransomware SamSam and Operation Cobalt Kitty work.

Fileless malware damages the system as long as it remains hidden.


How you can protect your company from fileless attacks

What makes fileless attacks so insidious also makes them elusive. As we mentioned above, an antivirus is not able to detect them because they take place in a computer’s memory. It is easy for cyber criminals to get away with that, as after a system reboots, the malware disappears. What should be done in this situation? How can people protect themselves and their businesses?

Speaking about personal security, fileless attacks often count on users’ unawareness. To prevent malware from entering your device, you need to be careful when downloading or installing applications, clicking on links, and opening emails. It is important to regularly update your computer and programs – this will prevent the use of common vulnerabilities.

When considering security within a business, enlisting the support of a vendor providing cyber security services is ideal. You won’t be able to protect yourself using traditional methods, but fortunately, there are new solutions:

  • Network detection and response

An NDR (Non-Delivery Report) solution uses a combination of Machine Learning and Artificial Intelligence to notice abnormal behavior of a network. By analyzing the network’s habitual state, the technology can detect unusual activity and underlying malicious behavior. When using an NDR solution for corporate purposes, it is worth finding a suitable option for a particular company, which will cover all the components of the environment: in the cloud, in the IoT segment, within the network, and so on. The technology configuration can take several weeks of passive learning, but the result is worth it.

  • Data streaming technology

Data streaming technology presupposes monitoring how one event affects another. Thus, cyber security staff can find out what triggered the event from the beginning. This approach is cloud-based because a large amount of data is generated. Such a solution provides the ability to use various methods for viewing streams of events, identifying risks, and developing policies to prevent and block future attacks.

  • Disabling macros

Complete disabling of macros prevents unsafe and untrusted code from running on the system. If macros are essential for the enterprise, you can approve the use of trusted macros and restrict the use of others.

  • Tracking unauthorized traffic

If you regularly monitor device security logs, you can discover unauthorized traffic on your company’s network. Behavioral analytics will point out unauthorized access attempts.



Malicious software can live on a company’s network for a long time before being revealed. The longer the hack goes unnoticed, the greater the damage from its consequences. RiskIQ estimates that losses due to phishing attacks amount to $17,700 per minute.

Traditional methods of fighting against malware programs are no longer as effective as they once were to protect networks from hackers. It is necessary to use a combination of tools and strategies that minimize the number of loopholes for attackers. Cyber security assessment services is one way you can have a comprehensive network audit of password policies, antivirus, firewalls, and data backups. A custom cutting-edge solution will help you ensure the safety of information and avoid tremendous financial losses.