Under Attack? Contact Us Start a Free Demo
Under Attack? Contact Us Start a Free Demo
,
Morgan Fitzgerald
9 July 2022

What is a Fileless Malware?

What is Fileless Malware?

The phrase “fileless malware” refers to a type of malware that does not require a file to be used to execute the code; instead, it leverages the resources already present on the file system of the endpoint. It is typically injected into some running process and executes only in RAM. Since there are no files to scan and the footprint is small, traditional antivirus software has a hard time detecting or preventing these attacks. In modern adversarial warfare, adversaries are becoming more adept at designing sophisticated and targeted malware to evade defenses. Most security solutions fail to detect and prevent fileless malware.

How does Fileless Malware work?

Fileless malware is most commonly spread through spam links within an email message or fraudulent website. Once the user clicks the malicious links or downloads the infected legitimate-looking document, the malicious code will be executed in the background using Windows inbuilt processes, connecting to the C2C server to download the actual malware.

Fileless malware leverages trusted, legitimate processes (LOLBins) running on the operating system to perform malicious activities like lateral movement, privilege escalation, evasion, reconnaissance, and the delivery of payloads.

The majority of fileless malware takes advantage of Windows PowerShell to load scripts directly into memory rather than writing them to the disk (where they can be detected by most malware scanners). In addition to executable files, there are many other ways to run code on devices. The majority of these methods make use of OS-available processes.

Some examples are:

  • VBScript
  • JScript
  • Batch files
  • PowerShell
  • Windows Management Instrumentation (WMI)
  • Mshta and rundll32 (or other Windows signed files capable of running malicious code)

In addition, another type of attack that is common and considered fileless is malware hidden within documents. A malicious PowerShell command could be launched by an infected document. Additionally, other few built-in mechanisms allow code execution within documents, such as macros and DDE attacks.

Stages of Fileless Malware Attacks

In contrary to the traditional file-based malware, fileless malware consists of the following stages:

  • Victim clicks a malicious link or downloads the malicious document in phishing or spam email.
  • The malicious embedded code/script leverages inbuilt Windows processes like PowerShell, WMI, Wscript, etc., to connect to the C2C server and download actual malware. This actual malware can be a backdoor, virus, rootkit, ransomware, etc.
  • Then the actual malware attempts to evade the defenses, establish persistence, and perform lateral movement.
  • Implement the attacker’s intent, ranging from data exfiltration, system corruption, or encrypting the computer file system, making it inaccessible to the legitimate user.

How to Detect Fileless Malware?

Cyber security threats and fileless malware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.

Start a Free Demo

Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).

Tags

CISO CISO Viewpoint Cybersecurity 101 Digital Forensics EDR NEWS Red Teaming Threat Intel & Research ThreatResponder

Featured Articles

ThreatResponder

Why Cyber Attacks are Increasing in 2024? How Can You Stay Protected

19 April 2024
Threat Intel & Research ThreatResponder

Defending Against Volt Typhoon: A State-Sponsored Stealthy Threat to Critical Infrastructure

6 April 2024
Threat Intel & Research ThreatResponder

Prevent Phobos Ransomware Attacks with ThreatResponder

5 April 2024
ThreatResponder

ThreatResponder, an AI-based Integrated Endpoint Security Solution Launched in South Korea

14 March 2024
ThreatResponder

Growing Chinese Threat To U.S. Cyber Security: How to Protect Your Business?

8 February 2024
Threat Intel & Research ThreatResponder

5 Cybersecurity Predictions for 2024

16 December 2023
CISO CISO Viewpoint

ThreatResponder: CISO’s Trusted Partner in Preventing Cyber Incidents

22 September 2023

TRY ThreatRESPONDER

Stop Advanced Cyber Attacks, Data Breaches, and Insider Threats

Start a Free Demo

Related Articles

CISO CISO Viewpoint

Why CISO’s are choosing ThreatResponder over others?

Morgan Fitzgerald
19 March 2024
CISO CISO Viewpoint

Top 10 Challenges Redefining the CISO’s Role in 2024

Morgan Fitzgerald
8 January 2024
CISO CISO Viewpoint Threat Intel & Research

Russia-Ukraine War: How Geopolitical Storm is Impacting Your Cybersecurity in 2023?

Morgan Fitzgerald
26 September 2023
Close

Computer Forensics Investigation

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed vulputate velit mi, non hendrerit justo varius ac. Cras gravida, dolor vel pulvinar tempus, erat massa facilisis tortor, in lobortis dui arcu at ligula. Nunc consequat arcu non lobortis eleifend. Vestibulum vel metus finibus, semper nunc nec, tristique felis. Donec auctor vestibulum sapien. Mauris tristique eget metus in vulputate. Etiam nec tempor odio. Praesent quis commodo metus, eu fringilla ipsum. Fusce quis aliquam mauris, vel sollicitudin ex. Praesent sed imperdiet sapien, vitae interdum turpis. Cras mollis nisi at lorem eleifend viverra at vitae est. Mauris luctus sem in arcu pharetra suscipit. Aliquam id eleifend elit, in ullamcorper neque. Nam gravida urna et ipsum fringilla lobortis. Vivamus eget fermentum purus. Duis est nulla, interdum sed iaculis eu, ultrices a arcu. Donec commodo, diam