Fileless Malware

Fileless malware is a type of software that infects a computer via legitimate programs without relying on traditional executable files. Instead, fileless malware leverages tools built in to the operating system itself to carry out attacks — a technique called living off the land (LOL).

Since fileless malware doesn’t write any activity to the device’s hard drive, it leaves behind little evidence and is resistant to strategies such as time-stamping, file-based blocklisting and signature detection. 

The History of Fileless Malware

Although fileless malware has been around for a while, it emerged around 2017 as a mainstream cyberattack. Its roots can be traced back to terminate-and-stay-resident viral programs that resided in a device’s memory awaiting a system interrupt before gaining access to their control flow. Examples of these types of viruses include Number of the Beast, The Dark Avenger, and Frodo.

These techniques evolved and took on fileless nature by using in-memory injected network viruses such as Slammer and CodeRed. More evolved forms of fileless malware include Stuxnet and Duqu.

How Does Fileless Malware Work?

Fileless malware uses legitimate processes and admin tools such as PowerShell, Windows Management Instrumentation (WMI), and CMD to perform tasks like privilege escalation, lateral movement, payload delivery, and reconnaissance. 

In addition to trusted applications, fileless malware can execute through lateral infiltration, phishing emails, and legitimate-looking websites. 

While traditional malware is written to disk, fileless malware is written directly to RAM (random access memory).