The Windows Club

TheWindowsClub covers authentic Windows 11, Windows 10 tips, tutorials, how-to's, features, freeware. Created by Anand Khanse, MVP.

Fileless Malware Attacks, Protection and Detection

Download Windows Speedup Tool to fix errors and make PC run faster

Fileless Malware may be a new term for most but the security industry has known it for years. A few years back over 140 enterprises worldwide were hit with this Fileless Malware – including banks, telecoms, and government organizations. Fileless Malware, as the name explains, is a kind of malware that doesn’t touch the disk or use any files. It gets loaded in the context of a legitimate process. However, some security firms claim the fileless attack leaves a small binary in the compromising host to initiate the malware attack. Such attacks have seen a significant rise in the last few years, and they are riskier than traditional malware attacks.

fileless malware

Fileless Malware attacks

Fileless Malware attacks also known as Non-Malware attacks. They use a typical set of techniques to get into your systems without using any detectable malware file. In the past few years, the attackers have become smarter and have developed many different ways to launch the attack.

Fileless malware infects computers, leaving no file on the local hard drive, sidestepping traditional security and forensics tools.

What’s unique about this attack, is the usage of a piece sophisticated malicious software, that managed to reside purely in the memory of a compromised machine, without leaving a trace on the machine’s file system. Fileless malware allows attackers to evade detection from most end-point security solutions which are based on static files analysis (Anti-Viruses). The latest advancement in Fileless malware shows the developers focus shifted from disguising the network operations to avoiding detection during the execution of lateral movement inside the victim’s infrastructure, says Microsoft.

The fileless malware resides in the Random Access Memory of your computer system, and no antivirus program inspects the memory directly – so it is the safest mode for the attackers to intrude in your PC and steal all your data. Even the best antivirus programs sometimes miss the malware running in the memory.

Some of the recent Fileless Malware infections that have infected computer systems worldwide are – Kovter, USB Thief, PowerSniff, Poweliks, PhaseBot, Duqu2, etc.

How does Fileless Malware work

The fileless malware when it lands into the Memory can deploy your native and system administrative Windows built-in tools like PowerShell, SC.exe, and netsh.exe to run the malicious code and get the admin access to your system, so as to carry out the commands and steal your data. Fileless Malware sometime may also hide in Rootkits or the Registry of the Windows operating system.

Once in, the attackers use the Windows Thumbnail cache to hide the malware mechanism. However, the malware still needs a static binary to enter the host PC, and email is the most common medium used for the same. When the user clicks on the malicious attachment, it writes an encrypted payload file in the Windows Registry.

Fileless Malware is also known to use tools like Mimikatz and Metaspoilt to inject the code into your PC’s memory and read the data stored there. These tools help the attackers to intrude deeper into your PC and steal all your data.

Behavioral analytics and Fileless malware

Since most regular antivirus programs use signatures to identify a malware file, fileless malware is hard to detect. Thus, security firms use behavioral analytics to detect malware. This new security solution is designed to tackle previous attacks and the behavior of users and computers. Any abnormal behavior that points to malicious content is then notified with alerts.

When no endpoint solution can detect fileless malware, behavioral analytics detects any anomalous behavior, such as suspicious login activity, unusual working hours, or use of any atypical resource. This security solution captures event data during sessions where users use any application, browse a website, play games, interact on social media, etc.

Fileless malware will only become smarter and more common. Regular signature-based techniques and tools will have a harder time to discover this complex, stealth-oriented type of malware says Microsoft.

How to protect against & detect Fileless Malware

Follow the basic precautions to secure your Windows computer:

  • Apply all the latest Windows Updates – especially the security updates to your operating system.
  • Make sure that all your installed software is patched and updated to their latest versions
  • Use a good security product that can efficiently scan your computer’s memory and also block malicious web pages that may be hosting Exploits. It should offer Behavior monitoring, Memory scanning, and Boot Sector protection.
  • Be careful before downloading any email attachments. This is to avoid downloading the payload.
  • Use a strong Firewall that lets you effectively control Network traffic.

Read next: What are Living Off The Land attacks?

AnandK@TWC

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP (2006-16) & a Windows Insider MVP (2016-2022). Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.