Fileless Malware: Understanding the Invisible Cyberattack

Fileless Malware: What It Stands For?

Fileless malware, or non-malware, is a zero-footprint attack that does not depend on any malicious software to spread and infect the user’s machine. It, instead, finds existing vulnerabilities in the machine and takes advantage of it. Fileless malware illustrates the need for organizations to shift from a traditional protect/prevent security model to advocate an detection, one that incorporates threat intelligence, threat hunting, and blue/red/purple teams. This threat is an example of trying to defend against the “unknown unknowns.”

Fileless malware resides in the RAM of your computer and uses various malicious tools to get into safe and trusted processes such as iexplore.exe or adobe.exe. This is done to execute the attack and spread over to many systems in a short span of time.

This type of malware works on its own, which makes it difficult for any antivirus to detect, prevent, and remove it. The only solution to such an attack is to reboot the system, as the RAM stores data if your computer is on. However, the hacker can still use scripts to restart the computer and run the malware. The hacker can direct the vulnerability to steal data from your hard disk or extend the attack to other locations by using your Internet connection.

Characteristics of Fileless Malware

  • It has no identity and comes with zero footprint, which is why typical antivirus tools cannot detect it.
  • It has no particular behavior or pattern and, thus, cannot be detected by heuristics scanners.
  • It is also known as memory-based malware as it lives in the RAM.
  • It may be paired with other malware.
  • It uses legitimate processes to carry out the attack.
  • It uses the approved applications that already exist on your computer.

Purpose of Using Fileless Techniques and How It Works

When a malware is injected in a computer by using any random file, the action can be controlled, blocked, or removed by an antivirus already existing on that machine. However, if the attacker uses fileless malware, which can spread on its own accord, infecting by means of native processes, then it remains inaccessible. This type of malware comes with no footprint and therefore, cannot be detected by the antivirus.

A survey was performed by Barkly in association with Ponemon Institute on fileless cyberattacks, which revealed surprising outcomes:

The first half of 2018 has seen a 94% rise in fileless malware. [2]
Fileless attacks are 10 times more successful than file-based attacks. [1]
More than 50% of the surveyed organizations experienced at least one successful attack that compromised their data or IT infrastructure. [1]
A massive 77% of the surveyed attacks used exploits or fileless techniques. [1]
Fileless malware uses different attack techniques, launched by attackers, to exploit existing vulnerabilities. For example, when you click a banner ad that is actually a ‘malvertisement,’ it redirects you to a malicious site. The website then plays a Flash file and exploits vulnerabilities. Flash uses the PowerShell tool of Windows to execute a malicious code from a botnet and looks back for the data to send to the hackers.

The Scramble for a Solution

The success of fileless attacks has questioned the existing security norms of organizations, and many of them are looking for a replacement or supplementary security solutions beyond their traditional antivirus. The belief that the antivirus can detect almost all malware, including fileless malware, is now facing a challenge. As a result, a vast number of organizations are investing in new, preventive solutions.

“4 out of 5 organizations replaced or augmented their existing antivirus in 2017.” As reported by Barkly and Ponemon. [1]

Counter Measures to Combat Fileless Malware

If you want to stay away from fileless malware, then the best practice is to keep your software updated. Another measure is not to kill JavaScript, though it is a major channel for fileless malware. When you block the JavaScript, there are high chances that the content on many websites will go missing. Also, the JavaScript embedded in Windows can be called from within a web page in the absence of JavaScript.

Other measures that can be implemented to block fileless malware are as follows:

i) Practice email policies:
92% of malware attacks come through email.

  • Email links:

Luring someone to a malicious website through an email link is a common practice, and many get trapped, too. This way, the malware enters your Windows computer. Hence, caution employees against clicking email links. Draft and implement email policies with certain restrictions within the organization so that the entry of malware can be controlled.

  • Email attachments:

Educate your employees about the treatment of email attachments, such as PDF or MS Office documents.

PDF files are commonly used in business email, but they are also a preferred medium for spreading malware. Fileless malware are frequently delivered through PDF. If the PDF file is downloaded, the firewall might able to trace the malicious content. But, if it is opened without being downloaded, then the origin of the malware will be lost as soon as the PDF viewing tab is closed. Also, disable your PDF reader from activating JavaScript.

When an email message asks for macros to be turned on, then some employees tend to follow the instructions without a second thought. Spreading malware by turning on macros in Microsoft is a common practice. It is better that your employees do not get familiar working with macros, lest they might enable them in documents.

ii) Dealing with Flash:

Flash has become notorious for spreading malware through browsers. Most browsers have replaced Flash with HTML5 for video inclusion. Microsoft Edge will not accept Flash code, whereas other popular browsers such as Firefox and Chrome give you the option to block Flash, and the Internet Explorer will not load Flash if you have disabled ActiveX.

iii) Avoid using office Internet for personal purposes:

Make a policy of blocking the usage of official network for personal email or websites. Even though this sort of policy is unpopular, a separate Internet connection can be taken for personal use of employees during their break time. This way you can refrain from spreading the infection on the main network.

iv) Protect your browsers:

Make a policy asking employees to use only one browser so that you can install the corresponding browser protection application on each computer. Internet Explorer and Microsoft Edge can be protected by using Windows Defender Application Guard which is part of Office 365, and its script will defend against fileless malware attacks. Similarly, for Firefox or Chrome, install the Webscribe extension, which is mainly a VPN. The extension can also strip off social media Like buttons as they can be a potential vector to load PowerShell instructions.

v) Strengthen your identification

The existence of PowerShell is not the only reason for the fileless malware to spread, but it is also the weak user authentication on company networks and servers. A non-malware attack can spread quickly if installed on a system that is accessible throughout the network. Implementing two-factor authentication can be a preferred solution that prompts for a passkey and restricts emulation of the malware.

Fileless malware attacks have the potential to succeed 10 times more than file-based malware. It is so intuitively performed that it detects file-based malware and combines with it to make the attack more powerful and destructive. Discussions on the measures to be taken to prevent such attacks are now making their way into board meetings, as well. Organizations are looking to create a strategy that encompasses various security measures, such as antivirus, endpoint security, and employee training, to combat these threats.

The recent rise in cyberattacks is creating a lot of employment opportunities for enthusiastic professionals. Whether you belong to the IT sector or are looking to step into the cybersecurity industry, a certification can help you on your way. EC-Council offers a wide variety of cybersecurity certifications for various domains, such as ethical hacking, penetration testing, application security, and cyber forensic investigation. For more details, visit https://www.eccouncil.org/programs/.


  1. https://blog.barkly.com/fileless-attack-statistics-2017
  2. https://betanews.com/2018/08/28/fileless-malware-rises/
  3. >https://fitsmallbusiness.com/cybersecurity-statistics/
Editor's Note:
Reviewed by Christopher Williams, VP, Cyber Threat Intelligence at Worldpay and Jeff Sowell, Director, Information Security at Ericsson
get certified from ec-council
Write for Us