Antivirus Wiki

Fileless Malware

Fileless malware is a serious security threat, especially for large corporations. Find out how to protect your company against this online threat.  

fileless malware

Fileless malware is a serious online security threat that, unlike other types of malware, doesn’t install on a machine. The malicious code resides only in memory that makes it hard to detect, even for an antivirus program.

Protecting a system from the fileless malware requires more than just running scans or updating your antivirus. Understanding how the malicious code infects a system is important to protect your system from the online threat.

Expert Quote

Dana edwards

“New Antivirus software uses the state of the art in signature based detection,machine learning/AI, and if available continuous monitoring or real time protection for suspicious computer activity. The real time protection can detect anomalies in behavior of a computer and can help detect unknown or stealthy forms of malware.”

Dana Edwards

Cyber-Security and Distributed Ledger Researcher

What Is Fileless Malware?

Fileless malware is a malicious code that infects a system’s memory instead of the hard drive. The code is injected into a program such as notepad.exe or javaw.exe. The infected program is then used to exploit an operating system.

The first fileless malware attack was detected in 2012. Today, cybersecurity professionals have detected malicious code in online systems of hundreds of banks, government institution, and telecommunication companies.

A typical fileless malware leaves little traces behind. The malicious code may remain hidden for years without detection.

Fileless malware typically infects system tools such as Windows Management Instrumentation (WMI) and PowerShell. The code will take control of the tools to perform malicious activities without detection.

WMI is used to perform different tasks such as installing software, gathering metrics, and generating queries for the system. The tool can access every system resource and perform functions such as deleting, moving, or copying files. These features make it a dangerous tool when infected by malicious codes.

PowerShell is the scripting language that is used to gain access to the inner core of the machine. The tool is trusted by security software due to which an infection goes undetected. When infected, the tool can be used to run scripts remotely, giving total control of the system to a cybercriminal. The script can be run through WinRM and WMI using a simple code, and it can be used to infect an entire enterprise.

Types of Fileless Malware

There are several different types of fileless malware. The infection can be categorized based on whether it will remain hidden or remove itself once a system is rebooted.

Temporary Infection

Temporary fileless malware infections act like a hitman. The code infects a system, executes a command, and then vanishes without a trace. This makes it extremely hard for cybersecurity professionals to isolate and study a sample.

Temporary fileless malware remains in a system as long it’s not rebooted. The infection spreads by email in the form of an MS Word document attachment. Once the code is executed, it collects information and sends it to a server.  

Permanent Infection

A permanent fileless malware hides in the Windows registry using a special rootkit technique. Once it infects a system, it then resides in the system and steals information or installs another malware.

Examples of Lifeless Malware

A permanent fileless malware hides in the Windows registry using a special rootkit technique. Once it infects a system, it then resides in the system and steals information or installs another malware.

1. Powerliks

Powerliks hides all the codes in the Windows Register. The malicious code resides permanently in the infected system.

The fileless malware uses stealth mechanism to evade detection. After infecting a system, it first checks whether PowerShell is installed. If the PowerShell is not installed, it can download the scripting services automatically. The code runs malicious scripts through PowerShell as part of the evasion tactic. This code hides in the registry as a Null registry value. You can’t simply delete the registry entry since it’s a null value.

Once Powerliks infects a system, it downloads a file that causes further infection.  The malware can also gather information that is used to cause further infection. The screenshot below can show you how Powerliks keeps the processing capacity of the computer occupied with malicious processes.

2. USB Thief

USB Thief is a hit-and-run fileless malware that remains undetected in a system until rebooted. The unique fileless malware infects a USB device and uses special tactics to remain undetected. The malicious code takes advantage of the trend of using portable versions of software such as NotePad++ and Firefox. It enters the command chain in the form of a dynamically linked library (DLL) or a plugin. Whenever such an infected application is executed, the software will run in the background and execute malicious codes.

The malware comprises four executables and two configuration files. It uses advanced encryption (AES128) and cryptographic elements to avoid reverse engineering. This makes it difficult for IT professionals to study the mode of attack.

Since the encryption key is computed from the device ID, USB thief can run only from a device that hosts the malware. Additionally, the file name is different in every instance the malware is run to avoid detection. Copying a malware to a new location also changes the creation time due to which its mechanism of attack cannot be studied.

While cybersecurity professionals have been able to circumvent protective measures through modifying the device ID and disk properties, it shows the level of complexity employed by the fileless malware to avoid detection.

3. Kovtar

Kovtar is another dangerous fileless malware that can prevent access to the system. The malicious code can receive command from a cybercriminal transferring sensitive information from the PC. The lifeless malware is usually used by cybercriminals as ransomware.

Once downloaded, Kovtar remains on the registry executing malicious commands. It loads into the memory when a computer infected by the malicious code starts up. The code spreads generally through an email in the form of a zip attachment.


4. PowerSniff

Powersniff malware spreads through emails with an MS Word attachment. Once it infects a system, the malicious code invokes WMI service that executes PowerShell. The code first checks whether a system has a 32 bit, or a 64-bit operating system installed. It then downloads and executes an appropriate malicious script to infect the system. This malware mainly targets financial institutions and tries to steal confidential information from the system.

5. PhaseBot

PhaseBot is a fileless rootkit that can perform harmful tasks such as ftp stealing and form grabbing without executing. The malicious code features unique evasion and stealth tactics. The code encrypts into a command and controls server using random passwords. It uses PowerShell to both evade detection and perform malicious tasks.

The fileless malware creates a registry value to execute scripts. There are different variants of malicious code that perform different tasks. This particular fileless malware boasts a variety of evasion tactics like encrypted communication, rootkit infection, and virtual machine detection.

How to Protect Your System from a Fileless Malware?

Due to their sophisticated attack tactics, online attackers are increasingly using fileless malware to attack systems.

A fileless malware doesn’t have any signature. The malicious code makes use of PowerShell to perform legitimate tasks. The code resides mainly in memory. These characteristics of the malicious code make it difficult for antivirus software to detect it.

While detecting and removing fileless malware is difficult, it’s possible to get rid of the online menace with the right prevention techniques.

Inspect Security Logs

You should regularly inspect the security logs and look for signs of an attack. If you see a large amount of suspicious network activity, the system may be infected. Another telltale sign of fileless malware infection is unusual system activity.

Disable Macros in MS Office

For maximum protection of a system against fileless malware attack, you should disable all macros. The malicious code primarily infects a system through an MS Word macro. So, disabling the feature will protect your system from an online attack. To disable macros in MS Office, you should follow these steps.

For Office 2007, this will be done in the following way:

Disable Macros in MS Office
Disable Macros in MS Office

Disable PowerShell Service

Another preventive measure to protect your system from an online attack is to disable PowerShell in the system. The fileless malware typically infects through the PowerShell. To disable PowerShell, you should enter appwiz.cpl. Next, click on “Turn Windows features on or off,” and then clear the check box for PowerShell. Note that you may need to enter an administrator password to turn this feature off.

Disable PowerShell Service

Disable PowerShell Service

In some cases, fileless malware hijacks WMI to infect a system. Disabling the service can help prevent an attack.

To disable the service, you should enter services.msc in the search box, and then locate Windows Management Instrumentation. Click on the service, and then select Stop.

Disabling macros, PowerShell and WMI can greatly reduce the risk of a fileless malware infection. However, you should note that some applications that depend on the services may fail to start. Also, you should consider installing robust antivirus software such as AV Software to protect your system.

Make sure to update the software regularly for maximum protection against the online threat.

Leave a Comment