Fileless Malware: a New Type of Malware That Doesn’t Rely on Executable Files#

Fileless malware is a type of malware that does not rely on traditional executable files to infect a system. Instead, fileless malware uses existing system files and resources to infect a system and carry out its malicious activity. Fileless malware typically uses scripting languages like PowerShell or VBScript to execute malicious code. The malware code is injected directly into system memory, evading detection by traditional security solutions that focus on scanning files on disk.

Because fileless malware does not rely on files and leaves no traces, it is difficult to identify and delete with conventional anti-malware solutions. As a result, such malware is extremely resistant to computer forensic procedures. Once on the target system, the fileless malware can use system administration tools and processes to maintain persistence, escalate privileges, and move laterally across the network.

Attackers choose fileless malware for several reasons:

Stealth:#

Fileless malware takes advantage of legitimate system tools, making it extremely difficult to detect, prevent, or block.

Living off the land:#

Fileless malware abuses system tools that are already installed by default, so an attacker does not need to design and build custom tools on the target system.

Trustworthy:#

Because the system tools that fileless malware abuses are among the most widely used and trusted, security tools assume that they are being used for a legitimate purpose.

Types of fileless malware#

1. No file activity performed

This kind of malware does not require any files to be written to disk. Malicious code embedded in the firmware of a compromised device is one example.

2. Indirect File Activity

This type of malware attains a fileless presence on the target machine by using files that already exist. For example, an attacker can store a malicious PowerShell script in the WMI repository and configure an event filter that executes it periodically.

3. Required Files to Operate

This type of malware requires files to operate, but it does not execute its attack directly from those files.
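The WMI repository persistence described under "Indirect File Activity" consists of three objects: an __EventFilter (the trigger), an __EventConsumer (the action) and a __FilterToConsumerBinding that ties them together. The audit below is an added example, not code from the original article: it lists every binding in root/subscription and flags consumers whose payload invokes a script interpreter or carries an encoded command. The interpreter and encoding patterns are assumptions chosen for illustration, not a complete signature set.

```powershell
# Added example (not from the original article): audit WMI permanent event
# subscriptions, the persistence mechanism described under "Indirect File Activity".
# Read-only; run in an elevated PowerShell session so the namespace is fully visible.

$ns = 'root/subscription'

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Interpreters and encoding tricks that a script-based consumer commonly relies on
# (assumed patterns for illustration; extend them from your own detection content).
$interpreterPattern = 'powershell|pwsh|wscript|cscript|wmic'
$encodingPattern    = '-enc|encodedcommand|FromBase64String|DownloadString|IEX|Invoke-Expression'

$report = foreach ($b in $bindings) {
    # A binding references its filter and consumer by their key (Name); resolve both.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

    # The payload lives in a different property depending on the consumer class.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    [pscustomobject]@{
        Binding     = "$($b.Filter.Name) -> $($b.Consumer.Name)"
        FilterQuery = $f.Query
        Consumer    = $c.CimClass.CimClassName
        Payload     = $payload
        # A script interpreter or an encoded payload inside a consumer deserves review.
        Suspicious  = ($payload -match $interpreterPattern) -or ($payload -match $encodingPattern)
    }
}

if ($report) {
    $report | Sort-Object Suspicious -Descending | Format-List
} else {
    Write-Output "No permanent WMI event subscriptions found in $ns."
}
```

A clean Windows install may already contain Microsoft-created bindings (for example the SCM Event Log consumer), so record a baseline on a known-good machine and compare against it rather than treating every entry as hostile. The script only reads; removing a malicious binding means deleting the binding, the consumer and the filter, in that order.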

Fileless Techniques used by Attackers#

  • Legitimate applications: Attackers abuse legitimate applications and packages already installed on the target system, such as Microsoft Word, JavaScript, and PowerShell, to run the malware.

  • Malicious websites: Attackers develop fake websites that appear to be authentic. When a victim visits such a website, it automatically checks the victim’s system for plugin vulnerabilities that attackers might exploit to run malicious code in the browser’s memory.

  • Native applications: Windows operating systems include pre-installed tools such as PowerShell and Windows Management Instrumentation (WMI). Attackers use these tools to install and execute malicious programs.

  • Infection through lateral movement: Once the fileless malware has infected the target system, the attackers use it to travel laterally over the network and infect other systems connected to it.

  • Memory code injection: Memory code injection is a technique attackers use to insert malicious code into a running process’s memory. This allows the attacker to execute code with the same privileges as that process. It can be used to bypass security mechanisms that only allow code to execute from certain locations, such as code signing. Local shellcode injection, remote thread injection, process hollowing, and other code injection techniques are used by attackers.

  • Registry manipulation: Attackers use this technique to store malicious code in the Windows registry and run it directly from there via a legitimate system process. This enables attackers to evade UAC, application whitelisting, and other security measures.
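The registry manipulation technique above typically leaves one visible hook: an autostart value that launches a script interpreter with the real payload either encoded in the argument or stored in another registry value. The following audit is an added example, not code from the original article. It walks the Run/RunOnce keys, flags values that combine an interpreter with a registry reference, a long base64 run, a download/evaluation cradle or a hidden window, and decodes any -EncodedCommand argument so an analyst can read it. The patterns and the 60-character base64 threshold are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): audit Run/RunOnce keys for entries
# that hand a script interpreter a payload living only in the registry or in an
# encoded argument, the "registry manipulation" technique described above.
# Read-only. Run as the user for HKCU and elevated for HKLM.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicator patterns (illustrative, not a complete signature set).
$interpreterPattern = 'powershell|pwsh|wscript|cscript|wmic'
$registryRefPattern = 'HKCU|HKLM|HKEY_|Registry::|Get-ItemProperty|reg(\.exe)?\s+query'
$base64Pattern      = '[A-Za-z0-9+/]{60,}={0,2}'          # long base64 run; threshold is constructed
$cradlePattern      = 'IEX|Invoke-Expression|DownloadString|-w(indowstyle)?\s+hidden'

function Get-DecodedPreview {
    # If the command carries -e/-ec/-enc/-EncodedCommand <base64>, decode it
    # (PowerShell encodes it as UTF-16LE) so the analyst can read the real script.
    param([string]$CommandLine)
    if ($CommandLine -match '-e(c|nc(odedcommand)?)?\s+([A-Za-z0-9+/=]+)') {
        try {
            $bytes = [Convert]::FromBase64String($Matches[3])
            return [Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            return '<undecodable>'
        }
    }
    return ''
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
        $cmd = [string]$prop.Value
        $reasons = @()
        if ($cmd -match $interpreterPattern) {
            if ($cmd -match $registryRefPattern) { $reasons += 'interpreter reads payload from registry' }
            if ($cmd -match $base64Pattern)      { $reasons += 'long base64 argument' }
            if ($cmd -match $cradlePattern)      { $reasons += 'download/evaluation cradle or hidden window' }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Reasons = $reasons -join '; '
                Decoded = Get-DecodedPreview $cmd
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No suspicious Run/RunOnce entries found.'
}
```

Run keys are only one autostart location; the same checks apply to scheduled tasks, services and WMI subscriptions. Treat a hit as a lead to investigate (compare with a baseline, check the value's last-write time with a forensic tool), not as proof of infection on its own.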

Fileless malware prevention methods#

  • Disable automatic JavaScript execution in PDF readers.

  • When not in use, disable PowerShell and WMI

  • Remove all administrative tools that are not required, and restrict access to the remainder through Windows Group Policy or Windows AppLocker

  • Disable Flash in the browser settings

  • Disable macros, and allow only trusted macros that have been digitally signed.

  • Regularly update the OS with the latest security patches

  • Use application control to prevent Internet browsers from spawning script interpreters such as PowerShell and WMIC
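Several of the measures above map directly to Windows policy registry values. The script below is an added example, not code from the original article: it enables PowerShell script block logging, module logging and transcription (so that script-based activity that never touches disk is still recorded), restricts Office macros to digitally signed ones and blocks macros in files downloaded from the Internet, turns off JavaScript in Acrobat Reader, and finally checks whether any AppLocker script rules are in effect. Assumptions: the transcript directory C:\PSTranscripts, Office version key 16.0 (Office 2016 and later), and Adobe's bEnableJS preference key for Reader DC; the AppLocker check requires a Windows edition that ships the AppLocker module.

```powershell
# Added example (not from the original article): apply several of the prevention
# measures above as local policy values and verify them. Run elevated.
# In a domain, domain GPOs overwrite these values on refresh, so put the same
# settings into a GPO instead of relying on this script.

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [string] $Type = 'DWord'
    )
    # New-Item -Force creates intermediate keys; New-ItemProperty -Force overwrites.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Make PowerShell observable: script block logging (Event ID 4104 in the
#    Microsoft-Windows-PowerShell/Operational log), module logging and transcription.
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue "$ps\ScriptBlockLogging"        'EnableScriptBlockLogging' 1
Set-PolicyValue "$ps\ModuleLogging"             'EnableModuleLogging'      1
Set-PolicyValue "$ps\ModuleLogging\ModuleNames" '*'                        '*' 'String'
Set-PolicyValue "$ps\Transcription"             'EnableTranscripting'      1
Set-PolicyValue "$ps\Transcription"             'OutputDirectory' 'C:\PSTranscripts' 'String'  # assumed path

# 2. Office macros: disable all except digitally signed ones (VBAWarnings = 3) and
#    block macros in files that came from the Internet. 16.0 = Office 2016 and later.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue $sec 'VBAWarnings' 3
    Set-PolicyValue $sec 'BlockContentExecutionFromInternet' 1
}

# 3. PDF reader: turn off JavaScript in Acrobat Reader DC for the current user
#    (Adobe's bEnableJS preference; verify the key against your Reader version).
Set-PolicyValue 'HKCU:\Software\Adobe\Acrobat Reader\DC\JSPrefs' 'bEnableJS' 0

# 4. Verify what was written.
Get-ItemProperty "$ps\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging
Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' |
    Select-Object VBAWarnings, BlockContentExecutionFromInternet

# 5. Check whether AppLocker controls scripts at all: an absent or empty Script
#    rule collection means PowerShell/VBScript/JScript files are not being restricted.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$scriptRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
$ruleCount = if ($scriptRules) { @($scriptRules.ChildNodes).Count } else { 0 }
Write-Output "AppLocker script rules in effect: $ruleCount"
```

Script block logging is the single most useful of these settings for fileless malware: the decoded content of every script block, including code passed via -EncodedCommand or run through Invoke-Expression, is written to the event log, which gives the detection audits above something to work from even when nothing was written to disk. Forward that log to your SIEM, because malware that gains administrative rights can clear local logs.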

See also

Want to learn practical Malware Analysis? Enrol in MCSI’s MRE - Certified Reverse Engineer Certification Programme