Fileless Malware: What is it?

By Samudra Vijay In Blog, Cybersecurity

28

Feb
2018

Fileless Malware

A fileless malware infection is devoid of any files. It does not make use of any files in the process. It is a malicious code that subsists only in the memory of the target, instead of installing the malware in the hard drive of the target computer.

The process

The entire process of the fileless malware attack is encircled around the default Windows tools, especially the PowerShell and Windows Management Instrumentation (WMI). These tools are used for further malicious activity in order to move laterally other machines and attack them. PowerShell and WMI are the weapons of choice of any adversary, because of their easy availability on any and every Windows machine. They are installed on every machine and make an important component for carrying out various functions and commands. For instance, PowerShell is widely used to automate various tasks across multiple machines. Furthermore, these default Windows tools have been widely incorporated in the perpetual workflow of numerous IT professions, all over, thus, making them vulnerable and an easy choice of the adversaries. Also, because of their widespread use and need, it’s pretty much impossible to ban employees from using them. Thus, making these tools vulnerable and easy to target.

Furthermore, the use of legitimate programs, make these skillful attacks go unnoticed. They are pretty hard to be detected by even the most high-end security programs, and at times the skilled security analysts even fail to detect them. The reason for this being simple; it is presumed that any and every command these default tools execute are legitimate, because these tools, i.e., PowerShell and WMI are default legitimate Windows tools.

The shortcoming being that the attack can persist only till the system is not rebooted. Once the system is rebooted, the infection is lost along with the other data, since RAM is a volatile memory and it can sustain the data only till the system is powered up. But, the attackers may be able to hack the system; steal the data; or download more stubborn malware in the system, till the system is powered up, and the infection is live.

How it is different from other malware?

The fileless malware attacks, revolve around the default built in tools in the Windows systems instead of installing a software/malware on the targets system. Herein, the attacker, hijacks the default tools in order to successfully carry out the attacks. To be precise, Windows is turned against itself. No part of this attack is affects the hard drive of the target machine, implying that, it is very stubborn and resistant to the persisting Anti-computer forensic strategies, which are file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc. These attacks leave very little or as good as nil evidence, which makes it very difficult for the digital forensic investigators to identify the source, cause and effect of such illegal activity.

A fileless malware may start from a executable file and once the file runs, it will inject itself in the windows process and get rid of the original file or in other words it will delete all evidence of itself and then it will only run in memory which make it difficult to find.

This malware can encrypt your files and give you a text pad note saying that all your files. This malware also effects the network computers by searching for local network and if any other machine is connected to your network

Why it is difficult to detect?

Most antivirus software fails to detect these attacks, since there is no signature involved in the attack. The lack of a signature and a trail, makes it nearly impossible to detect these attacks, thereby, drastically reducing the effectiveness of these programs in detecting the fileless malware attacks.

Want to check out our guide on preventing and removing fileless malware? Visit our blog discussing the process here:

Varun Bindra
Service Engineer
SAM IT Solutions

Leave a reply