What is Fileless Malware | EasyDMARC

What is Fileless Malware and How to Protect Against Attacks?

8 Min Read

Cybercrime has always been a threat to businesses, especially those relying on infotech. Its global cost reached $6 trillion in 2021, which is a scary statistic. Thus, corporate awareness about malware, phishing, scamming, etc., is a must.

So, in this blog post, we discuss one of the common types of malware on the rise lately: Fileless malware

Before we get into it: What is malware? Malware is short for malicious software used to enter a system to steal or intercept crucial data.

Read on to learn about fileless malware types, examples, and ways to spot and prevent it.

What is Fileless Malware?

Fileless malware is malicious software that doesn’t require any file to infiltrate your system. This is atypical of other malware, like viruses. Basically, attackers hide fileless malware within genuine programs to execute spiteful actions. 

Generally, fileless malware attacks aim to make money or hamper a company’s reputation. It’s relatively difficult to remove fileless malware as it’s memory-based, which means it doesn’t have any signature like file-based malware such as adware.

How Does Fileless Malware Work?

Now, let’s look at how fileless malware works

Fileless malware operates in the system’s memory without being stored in a file or installed on your device. Most hackers use Microsoft Windows PowerShell, a tool for automating tasks, to execute malicious actions.

Since it’s not file-based but rather memory-based, fileless malware doesn’t require a cybercriminal to load malicious code onto a victim’s system. Instead, bad actors exploit vulnerabilities on native tools to execute commands, code sequences, etc. that run on memory. 

This kind of malwareusually enters through a phishing email asking users to click or download a malicious link or attachment. It can also be injected or embedded directly into already-installed applications and other legitimate programs. This goes undetected by traditional security tools that typically scan files but not memory for anomalies indicating malware. 


Here are the four stages of a typical fileless malware attack.

Stage 1: Hackers Gain Remote Access

Just like other types of cyberattacks, a threat actor initiates a fileless malware exploit by establishing a foothold in the victim’s system.

Stage 2: Obtaining Credentials

After gaining remote access, they try different tricks to steal credentials of the compromised environment. This helps them move freely in the system and use fileless malware to fulfill their objective. 

Stage 3: Maintain Persistence

Next, cyberactors modify the settings to create a backdoor to return to the environment without repeating the previous steps. 

Stage 4: Data Exploitation and Escaping

Lastly, attackers steal or intercept compressed data and prepare for exfiltration. They may even encrypt data to attempt a ransomware attack.

Example of Fileless Malware

Operation Cobalt Kitty is one of the most popular fileless malware examples. In this, hackers targeted an Asian company to steal proprietary business information using phishing emails. They used PowerShell to hit more than 40 computers and networks to gain a foothold in the system.

What are the Types of Fileless Malware?

Threat actors are becoming more sophisticated and organized in planning and executing fileless malware attacks of various types. Here are some of them.

Exploit Kits

Exploits are codes, commands, or data, that are collectively called exploit kits. Hackers use them to spot and exploit vulnerabilities in an operating system or software. 

This is a common method to attempt fileless malware attacks as direct injection to the RAM (random access memory) is possible. Like with computer worms, malicious actors can automate this process.

Bad actors entice victims through social engineering or phishing emails containing malicious links or attachments. They then use exploit kits to scan and exploit vulnerabilities, often gaining total remote control over the victim’s system.

Registry Resident Malware

Registry resident malware self-installs in the Windows to stay active while remaining undetected. Usually, threat actors attack the Windows system through a dropper program that downloads corrupted files. However, in this case, the dropper itself writes malicious codes directly into the Windows registry. 

These spiteful codes are hidden in native files; hence it’s challenging to detect malware of such kind. This fileless malware can also get activated every time the Windows operating system launches. 

Memory-Only Malware

Memory-only malware stays in the device’s memory space only. It persists even when a victim reboots the infected device because it can re-execute itself. Registry entries and background intelligent transfer service or BITS tasks are the common mechanisms used for this exercise. BITS is a component used for downloads and uploads between devices and remote servers without degrading the network quality. 

One of the common memory-only fileless malware examples is Duqu 2.0, which resides in the memory. It has two versions; one allows an attacker to get a beachhead position, and the second helps in reconnaissance, lateral movement, and data exfiltration. 

Fileless Ransomware

These days hybrid malware attacks are on the rise. One of the common combinations is fileless malware and ransomware, collectively called fileless ransomware. Hackers implant malicious codes in documents and inject them directly into the systems’ memory using exploit kits.

Then they encrypt crucial data and demand ransom in exchange for the decryption key. Thus companies should know how to prevent fileless malware attacks and ransomware by regularly backing up crucial data. 

Stolen Credentials

At times, threat actors use other malware, such as trojan viruses, to steal user credentials and attack by disguising themselves as legitimate users. Once entered, they use native tools like Windows Management Instrumentation for fileless malware analysis. Cybercriminals often hide codes in the registry or create user accounts to access the system without repeating the previous steps.

How to Spot Fileless Malware?

Now that you’re fairly aware of how fileless malware works, it’s time to know how to spot it. It’ll also help to learn how to remove fileless malware in an infected system.

Since codes for fileless malware attacks are never written in disks themselves, they can’t be detected using the usual allowlisting and signature-based authentication protocols. They go unspotted by traditional antivirus software and machine-learning methods as well.

So, rely on indicators of attack instead of indicators of compromise. The indicators of attack or IOAs are signals of a fileless malware attack in progress. An IOA might not indicate an attack, but its combinations would. 

IOAs don’t focus on the steps involved in compromising a system but rather observe signs of an attack in progress. Fileless malware analysis is done by examining the relation of the malicious action with other actions and its position in the series planned by the hacker. 

IOAs can even expose and avert ill-natured activities done using a genuine user account with stolen credentials.

How to Prevent Fileless Malware?

Conscious steps taken to prevent malware attacks like malvertising and fileless malware can protect your database and brand image. Here are a few tips on how to prevent fileless malware attacks.

Managed Threat Hunting Services

Threat hunting takes a lot of time and effort as you have to gather and standardize bulk data. Since it’s a 24/7 drill, you can outsource it to agencies to monitor your systems proactively. It’ll work in addition to your traditional cybersecurity systems and ensure no malicious activity goes undetected. 

Phishing Prevention

The best thing you can do to prevent fileless malware attacks is to keep a watertight system. If you notice the following signs of phishing emails, don’t open any attachments or click on any links.

  • An unfamiliar greeting from a person who regularly sends you emails.
  • Emails creating a sense of urgency with words like ‘immediately.’
  • Unusual requests like asking for login credentials (even if they seem legitimate). 

Education and Awareness Sessions for Employees

Regular sessions educating employees about the practices to avoid fileless malware, spyware, ransomware, etc., can go a long way. Most cyberattacks succeed due to employees’ lack of awareness alone. 

Updating Browsers and Software

You shouldn’t miss or ignore ‘update’ notifications or pop-ups. Usually, the updated versions have better codes that can fight new tactics of breaking into a system. Older versions of programs and operating systems are more susceptible to malware.

Final Thoughts

Fileless malware typically injects malicious codes into a system without using any files. This is generally done using phishing and social engineering tactics You should look for indicators of attack instead of compromise to detect such incidents. 

Also, educate your employees to be careful while using the internet, especially with their email accounts. Ask them to avoid clicking any suspicious or unfamiliar links.

Various authors from EasyDMARC teams have contributed to our blog during company's lifetime. This author brings everyone together.


Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us