Fileless malware attacks, also known as non-malware attacks, let cybercriminals skip steps that malware-based attacks require, such as building a malicious payload to drop onto users’ systems. Instead, attackers abuse trusted programs that are native to the operating system, such as PowerShell and WMI, to run their code directly in memory, and they likewise abuse Web browsers and Office applications.

Fileless attacks have been around since 2014, and surged last year as attackers became enamored with in-memory attacks and sought to perfect their malicious craft. That trend continued this year, with 6.8% growth in monthly fileless attacks targeting Carbon Black’s protected endpoints. If you think about how a traditional antivirus works, you can see why fileless malware takes this interesting path. An antivirus checks the files on a computer’s file system for anything that might be infected. If the malware leaves no trace on the file system, there is nothing for the scanner to pick up and remove. This is fileless malware’s greatest strength: it is stealthier than traditional, file-based malware.

Where Does It Live?

So if the malware isn’t residing on your computer’s file system, where is it being stored? The idea behind fileless malware is that it can operate entirely within the PC’s RAM. The RAM is used to store software while it’s running, so malware can sneak into the RAM where it can do its work while skirting detection. It may get into the system using a vulnerability in existing software, such as through a browser plugin, a hole in the operating system’s defenses, or macros in programs such as Word.

Living in RAM means the malware goes undetected by antivirus software that only checks the file system, but it also comes with a disadvantage. File-based malware survives a shutdown because the hard drive retains its data after the computer is powered off. RAM, however, is wiped on shutdown, so any RAM-based malware perishes with it. As such, fileless malware is designed to be stealthy and quick so it can do its job before the PC is turned off.

How to Protect Yourself

Avoid Untrusted Macros

Don’t enable or run macros that aren’t from a reputable source. Macros from shady sites may be written to take advantage of security holes in the software you run them in. Only use macros from good, trusted sources.

Keep Software Up to Date

Because fileless malware needs a security hole to breach a system, it’s a good idea to keep your software updated with the latest security patches. This includes your operating system, whose native processes can be hijacked by fileless malware.

Use a Reliable Antivirus

A basic antivirus will only scan the file system, but more advanced ones have the ability to check the RAM for threats while scanning. If you’re worried about fileless malware, there are a few free antiviruses that can check the RAM for anything sneaking around in it.
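Because a fileless attack leaves no file for a scanner to hash, defenders also watch how the native tools named above get launched. The following Python script is an added example, not code from the original post: it runs simple rules over constructed process-creation events (field names loosely modelled on Sysmon’s) and flags PowerShell started by an Office application or by the WMI provider host, or started with switches that hide its window or pass code without a script file on disk.

```python
import re

# Constructed sample events, not real telemetry. Event 0 mimics a Word macro
# launching PowerShell, event 1 PowerShell spawned via WMI, events 2-3 are benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Get-Date"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe report.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WMI_HOSTS = {"wmiprvse.exe", "wmic.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Switches that hide the console window or pass code inline instead of via a .ps1 file.
IN_MEMORY_FLAGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden|nop|noprofile)\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event looks like fileless / living-off-the-land activity."""
    reasons = []
    image, parent = basename(ev["image"]), basename(ev["parent"])
    if image in SCRIPT_HOSTS:
        if parent in OFFICE_APPS:
            reasons.append(f"{image} launched by Office app {parent} (macro?)")
        if parent in WMI_HOSTS:
            reasons.append(f"{image} launched via WMI host {parent}")
        flags = sorted({m.group(0).lower() for m in IN_MEMORY_FLAGS.finditer(ev["cmdline"])})
        if flags:
            reasons.append("hidden / in-memory execution switches: " + ", ".join(flags))
    return reasons


def triage(events):
    """Map event index -> reasons for every event that tripped at least one rule."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            flagged[i] = reasons
    return flagged
```

A scheduled script run with `-File` from Explorer (event 2) is deliberately left alone, since the point is to surface unusual parents and inline or hidden execution rather than every PowerShell launch.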


This entry was posted by Staff Writer on Friday, April 27, 2018 at 6:14:48 AM and is filed under Computer Security & Data Protection.
