What are Fileless Malware Attacks?
Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyberattack. Unlike traditional malware, fileless malware does not require an attacker to install any code on a target’s system, which makes it difficult to detect. This fileless technique of using native tools to conduct a malicious attack is sometimes referred to as “living off the land” or “LOLbins”.1 The following is the process of a fileless attack:
- Gaining access. The cyberattacker gains remote access to the target’s system in order to establish a base for the attack. This is done by remotely exploiting a vulnerability and using web scripting for remote access.
- Stealing credentials. Using the access gained in the previous step, the cyberattacker now attempts to obtain credentials for the compromised environment, which allows the cyberattacker to move easily to other systems in that environment.
- Maintaining persistence. The cyberattacker will now set up a backdoor that will permit reentry into this environment, at will. This is done by modifying the registry to create a backdoor.
- Exfiltrating data. In this stage, the cyberattacker gathers the desired data and prepares it for exfiltration by copying it to one location and then compressing it using readily available system tools such as Compact. The cyberattacker then removes the data from the victim’s environment by uploading it. This is done by using the file system and the built-in compression utility to gather the data, then using FTP to upload it.
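Because every step above runs through signed, legitimate binaries, detection cannot rely on file hashes and has to key on command-line arguments and on sequences of events per host. The following is an added example, not code from the cited source, that applies that idea to constructed process-creation events in a simplified Sysmon Event ID 1 shape; the host names, command lines, rule names and severity scheme are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (simplified Sysmon Event ID 1); hosts and command lines are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"compact.exe /C /S:C:\Users\alice\staging"},
    {"host": "ws01", "cmdline": r"ftp.exe -s:C:\Users\alice\staging\upload.txt"},
    {"host": "ws01",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v updater /t REG_SZ /d "powershell -w hidden -enc SQBFAFgA"'},
    {"host": "ws02", "cmdline": r"notepad.exe report.txt"},
]

# The binaries are legitimate, so each rule inspects arguments, never the image hash.
RULES = {
    "registry_run_key_persistence":
        re.compile(r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I),
    "encoded_powershell":
        re.compile(r"powershell.*?\s-(e|ec|enc|encodedcommand)\s", re.I),
    "lolbin_compression":
        re.compile(r"\bcompact(\.exe)?\s+/c\b", re.I),
    "lolbin_ftp_transfer":
        re.compile(r"\bftp(\.exe)?\s+-s:", re.I),
}

def match_rules(cmdline):
    """Return the sorted names of every rule whose pattern hits the command line."""
    return sorted(name for name, pat in RULES.items() if pat.search(cmdline))

def triage(events):
    """Group hits per host and rate them: compressing a staging directory plus a
    scripted ftp.exe run is the gather-then-upload exfiltration pattern (high);
    Run-key persistence or encoded PowerShell alone is medium; hosts with no hits are omitted."""
    hits_per_host = defaultdict(set)
    for ev in events:
        hits_per_host[ev["host"]].update(match_rules(ev["cmdline"]))
    findings = {}
    for host, hits in hits_per_host.items():
        if not hits:
            continue
        if {"lolbin_compression", "lolbin_ftp_transfer"} <= hits:
            severity = "high"
        elif hits & {"registry_run_key_persistence", "encoded_powershell"}:
            severity = "medium"
        else:
            severity = "low"
        findings[host] = {"severity": severity, "rules": sorted(hits)}
    return findings
```

In a real deployment the per-host grouping would be bounded by a time window and enriched with parent-process and user fields, which the constructed events omit.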
To carry out a fileless malware attack, cyberattackers may use the following techniques to gain access to the environment and turn its native tools against it:
- Exploit kits. Exploits are pieces of code, sequences of commands, or collections of data, and exploit kits are collections of exploits. Exploits can be injected directly into memory without requiring anything to be written to disk. This technique often uses phishing emails or social engineering to lure victims.
- Registry resident malware. Registry resident malware is malware that installs itself in the Windows registry in order to remain persistent while evading detection. Commonly, Windows systems are infected through the use of a dropper program that downloads a malicious file.
- Memory-only malware. Memory-only malware resides only in memory, where it can remain undetected.
- Fileless ransomware. Ransomware attackers can use fileless techniques to embed malicious code in documents through the use of native scripting languages such as macros, or to write the malicious code directly into memory through the use of an exploit.
- Stolen credentials. Cyberattackers use stolen credentials to access their target and use its native tools to conduct their attack.
1 Baker, 2023, “Fileless Malware Explained”