What is Fileless Malware?


Traditionally, AV and other endpoint security products have focused on files (executables) to detect and prevent malware. There are several advantages to this. Files can be hashed, queried in reputation services, examined by both static analysis and machine learning, and easily excluded for false detections.

These advantages lead to a problem for attackers. The name of the game is money: Threat actors aim for cost-effectiveness, seeking the highest return for the least amount of effort. Yet the rewards for creating and delivering file-based malware diminish as soon as it ends up on public feeds. If the malware’s signature is detected two days after release, the attacker’s ROI (return on investment) may be significantly less than expected, or even negligible.

Because of this, threat actors have increasingly turned to fileless malware as a highly effective alternative.

Fileless Malware Explained

In 2017 fileless malware emerged as a new and stealthy threat that was crippling both individuals and enterprises alike.  Because it doesn’t require code to be installed on a target’s device, detection is nearly impossible.

As the name suggests, this type of malware is a malicious program that uses software already present on a computer in order to infect it. Since it does not rely on using files of its own, it can be notably difficult to prevent and detect. By extension, this also makes it difficult to remove.

In fact, these attributes are why hackers make use of them in the first place. Examples of how  this type of malware is utilized include the 2017 Equifax breach, one of the most notorious US data breaches.

Since this software often runs quietly in the background,  many victims are unaware that their machine has been infected until it’s too late. This makes this type of malware exponentially more likely to succeed in its objective compared to traditional computer viruses.

How Does Fileless Malware Work?

The most common form of Fileless malware in the wild is when a victim clicks on a spam link within an email or fraudulent website.

That link or website then loads the Flash application and implements a relevant exploit in order to infect the user’s machine. Afterward, the malware uses shellcode in order to run a command that allows it to both download and execute the payload solely within memory.

This means that there is no trace of its activity. Depending on the goals of the hacker, the malware could then compromise sensitive data, cause damage to the victim’s computer, or perform other harmful actions like data theft and/or encryption.

Hackers typically pose as a trustworthy or familiar source in order to convince the victim to click on the link they provide. This is especially effective within formal settings where the victim believes an employee or executive from their company is contacting them.

The key takeaway here is that this type of malware attack relies on social engineering in order to be successful.

Characteristics of Fileless Malware

This type of malicious software makes use of programs that are already on the computer. Its behavior can’t be detected by heuristics scanners and it has no identifiable code or signature.

Additionally, fileless malware resides within the memory of the system.

In order to function, it takes advantage of the processes of the infected operating system. More advanced fileless malware can also be combined with other types of malware to facilitate a complex attack. It can even circumvent both whitelisting and sandboxing under the right circumstances.

Stages of a Fileless Malware Attack

A fileless malware attack is fairly unique in the way that it functions. Understanding how it operates can help an organization protect against fileless malware attacks in the future. Let’s explore what you should know.

Malware Gains Access to the Machine

Before a threat actor is able to fully carry out their malware attack, they must first gain access to a victim machine, oftentimes with a phishing email or social engineering tactic. After doing so, they can begin to implement the additional stages of the process.

Another way to gain access to a victim’s machine is through compromised credentials. By stealing credentials, the hacker can have free access to the system and then use this information to access other environments. For example, gaining initial access to the machine may not provide the hacker with the privileges they need, but they may be able to procure the credentials that can get them this data.

The Program Establishes Persistence

After gaining access, the malware then establishes a backdoor that allows the hacker to access the machine at their leisure. The main purpose of this action is to avoid losing access to the device so information gathering can continue over long periods of time..

Data Exfiltration

The final stage is data exfiltration. After the attacker locates the information they need, the data is then exfiltrated to another environment. This allows them to procure sensitive data undetected over long periods of time and can work in a repeatable way as often as necessary.

How to Detect Fileless Malware

Fileless Malware is one of the most difficult threats to detect for traditional AV and legacy security products because it can evade legacy signature-based detection, whitelisting, and sandboxing security methods.

A good way to keep your organization safe from fileless malware is to have a threat hunting team actively searching for malware.

Indicators of attack are going to be masked and mixed within an organization’s environment. There are a variety of ways that this can appear in a system and it takes a deep understanding of threats to uncover fileless malware.

Common Fileless Malware Techniques

Having a strong understanding of different techniques will help you learn how to recognize an attack in the future.

Some of the most notable include:

  • False credentials
  • Fileless ransomware
  • Exploit kits

False Credentials

As the name suggests, this type of attack involves using compromised credentials from a legitimate user (aka – stolen username and password). After the hacker has gained access to the system, they then implement shellcode in order to facilitate their attack on the machine.

In extreme cases, they may even place code within the registry in order to establish ongoing access to the computer.

Fileless Ransomware

For those who are unfamiliar with this type of malware, ransomware is a malicious program that hackers use in order to extort money from their victims. They often encrypt sensitive data and threaten to delete it unless a certain amount of money is paid, often via cryptocurrency.

When this type of fileless attack occurs, hackers are able to carry out the attack without ever writing to the disk of the machine. This makes it difficult to discern until it’s too late.

Exploit Kits

Threat actors use a collection of tools known as exploit kits in order to take advantage of vulnerabilities on a victim’s computer. These attacks generally begin as a typical fileless malware attack would, meaning they often convince the user to click on a fraudulent link.

Once the program is able to infiltrate the machine, the exploit kit can scan the system to determine vulnerabilities to take advantage of and then come up with a specific set of exploits to deploy. Oftentimes, the malware will go undetected and gain extensive access to the system and data.

Malware Hidden in Documents are also Fileless-based Attacks

Beyond the fileless-based attack that uses system files to run malicious code, another type of attack that is common and considered fileless is malware hidden within documents. Although such data files are not allowed to run code, there are vulnerabilities in Microsoft Office and PDF readers that adversaries can exploit to obtain code execution. For example, an infected document could trigger a malicious PowerShell command. There are also a few built-in functionalities that allow code execution within documents, like macros and DDE attack.

How SentinelOne Can Prevent Fileless Malware Attacks For Your Organization

The SentinelOne Singularity Platform allows IT teams to quickly detect and respond to a fileless malware attack. Additionally, SentinelOne comes equipped with tools to help you prevent threats in the future.

Ready to learn more about SentinelOne? Feel free to reach out to us today and see how we can help.