What is the fileless malware threat?

Anton P. | May 03, 2022

Fileless malware is not a traditional virus that relies on hard drive files to run. Instead, malicious payloads live in devices’ memories without anything delivered to a disk. The conventional antivirus tools work to no avail against such threats as there are no malicious files to detect.

What is the fileless malware threat?

Usually, fileless malware attacks exploit vulnerabilities on victims’ devices. Most well-known examples of such campaigns include high-profile targets like banks, financial institutions, and government organizations.

Fileless malware definition

Fileless malware is a unique malicious software exploiting legitimate programs to poison a device. It brings no files and has no footprint on the infected machine. Hence, its detection and removal require sophisticated security solutions.

Such threats are stealth attacks operating in memory without placing anything directly on machines. They use harmless utilities and libraries of the compromised machine to run the malicious payloads.

Here is a rundown of the main characteristics of fileless malware:

  • It contains no identifiable signature or code. Also, it does not exhibit behavior most antivirus tools try to detect.
  • It exploits benign applications and processes already present on an infected system.
  • It is a memory-based threat that exists in computers’ RAM. It does not rely on any files.
  • It is possible to use fileless attacks with other infections, like ransomware.

The prevention of fileless malware attacks involves many factors. One of the critical defense strategies is keeping software up to date.

Disregarding device and individual application updates is one of the major mistakes leading to fileless threat distribution. Since this type of malware leaves no traces on the devices, antivirus tools have no way of detecting the issue.

Fileless malware can seem like a relatively new phenomenon, but its roots date back to as early as the 80s. The main difference is that such threats have picked up steam over the last few years. In the first six months of 2021, fileless attack detections deriving from engines like PowerShell reached 80% of attacks in 2020.

How does fileless malware operate?

Let’s examine how the fileless malware enters and affects a target system:

  1. A target encounters a social engineering scam. It can be anything from a misleading email letter to a random pop-up.
  2. They click on links integrated into the email messages or advertisements.
  3. Once users get redirected to a website, it loads Flash and exploits known vulnerabilities on target devices.
  4. Flash launches the Windows PowerShell tool, running commands while operating in memory.
  5. The malware executes a payload in memory by feeding devices instructions via the command line.
  6. PowerShell downloads and runs malicious scripts from a botnet or other tainted source.

So, fileless malware does use well-known distribution techniques like malicious links. However, instead of installing a new file, it exploits software already residing in the targets’ machines.

Furthermore, fileless threats cannot enter a device without a vulnerability it can exploit. Most fileless malware incidents use administrative operating system tools like the PowerShell framework.

Common distribution ways for fileless malware

Fileless malware is a sneaky infection that can arrive at computers through some highly stealthy techniques. Here are some of them:

  • Exploit kits. An exploit represents a method perpetrators use to gain access to systems. That could include a vulnerability in a program that already exists on the targeted system.
  • Malicious macros. Fileless malware can initiate the attack via malicious macro code embedded in archives or files. That includes JavaScript or VBScript and seemingly harmless Office or PDF documents. Enabling macro scripts could lead to the abuse of PowerShell to execute other scripts and drop payloads.
  • Stolen passwords. Another way for fileless malware to arrive on victims’ devices is breached or weak passwords. Then, culprits can access systems like regular users and exploit the applications already present on them. They can use Windows PowerShell to run commands and establish persistence by hiding code in the registry or the kernel.

Use cases: what fileless malware aims to achieve?

The goals behind a fileless attack can differ. It can steal data independently or rely on other parasites to cause damage to a device. However, the main appeal of this method is its ability to operate stealthily and avoid detection.

  • Getting access to a device. Fileless malware can be a technique for taking over a machine and issuing specific commands. It is a starting point for pursuits like capturing data.
  • Stealing users’ credentials. The gained access helps to elevate hackers’ privileges on a device further. Such powers can lead to the theft of credentials.
  • Establishing persistence. It is possible to stop fileless malware by restarting the infected computer since the malicious code exists strictly in memory. However, culprits already employ additional changes to fight this. They can plant entries to the system registry and set up scripts to run even after reboots.
  • Stealing information and files. Fileless malware can also collect everything that the attackers find helpful. It could include system configuration details.
  • Dropping malicious payloads. The initial attack can inject other parasites into the compromised device. A similar approach of loading them into memory directly is possible. However, other viruses can come as files as well.
  • Fileless ransomware. This scenario involves culprits embedding malicious code in a document using a native scripting language such as macros. It is also possible to write it straight into memory using exploits. Then, the ransomware takes advantage of legitimate administrative tools to encrypt files. Through all this process, nothing gets written to disk.

Best practices to protect devices from fileless malware

Preventing and detecting fileless malware attacks are not easy tasks. Additionally, their removal requires sophisticated security solutions. However, coordinated steps can help you avoid having your device compromised by this threat:

  • Never delay updates for your operating system and individual applications.
  • Use PowerShell version 5 (or higher). It offers improved security and logging capabilities. This change lets you control and handle Windows-based environments better. It is also possible to craft lists of triggers according to commands in malicious PowerShell scripts.
  • Reboot your machine. Less sophisticated fileless malware will halt its processes after users restart their devices. It only works if the infection does not establish persistence.
  • Uninstall old applications or those you do not use. Fileless malware can exploit various benign applications. The fewer you have, the better you can manage the security of each program.
  • Be wary of macros. Enable macros only for trusted Microsoft Office documents. It will prevent potentially dangerous code from running. If you need to enable macros, modify the settings only to allow digitally signed macros.
  • Do not click on random links. Phishing and unsecured websites are some of the strategies used to distribute fileless malware. Do not click on anything you have not verified to be legitimate.
  • Consider applying multi-layered protection. 2FA and strong passwords are one of the ways to prevent fileless threats. Furthermore, you can get security products that detect and prevent such infections in memory.
  • Protect possible entry points. Many common malware-distribution techniques can deliver fileless threats. Therefore, it is essential to know how to deal with spam, detect fake URLs, and manage vulnerable third-party components like plugins. You can also enable the Atlas VPN Shield feature to block access to potentially dangerous websites and ads. It also defends against phishing, malware, spyware, ransomware, cryptojacking, and telemetry/analytics tracking.
Browse safely & anonymously with a VPN

Browse safely & anonymously with a VPN

Encrypt your internet traffic and defend against online snooping, hackers, governments, or ISPs.
Anton P.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.



© 2023 Atlas VPN. All rights reserved.