Fileless Malware

What Is a Fileless Malware Attack?

A fileless malware attack is a type of cyberattack that hijacks system resources to attack the host system. 

Traditional malware attacks require attackers to install malicious code on the target’s system. But fileless malware does not rely on new code. Instead, the code is reprogrammed to suit the attackers’ goal.

Fileless malware is particularly threatening due to its ability to avoid traditional file-based detection. The number of fileless malware attacks doubled in 2018 and has been steadily rising ever since. 

How Fileless Malware Works

  1. The attacker gains remote access to the target’s system by exploiting a web scripting vulnerability.
  2. The attacker obtains credentials to the environment to move quickly across the system. 
  3. The attacker then modifies the registry to create a backdoor, so they continue to return to the environment undetected. 
  4. The attacker gathers data before compressing it using built-in system utilities. 
  5. The attacker removes the data from the environment by uploading it with FTP. 


Types of Fileless Malware

Windows Registry Manipulation

Windows registry manipulation involves a malicious link that uses a standard Windows process to write and execute fileless code delivery. 

Memory Code Injection

Memory code injection involves hiding malicious code in the operating memory of legitimate apps. The malware is distributed and injected into the machine when normal system processes run. 

Script-Based Techniques

While not wholly fileless, script-based techniques still use the same strategies as fileless malware attack techniques. These are also known as semi-fileless malware attacks. 

How to Detect Fileless Malware

Fileless malware is notorious for being virtually undetectable. However, there are two primary ways security teams can protect their organizations from fileless malware attacks.

1. Look for Indicators of Attack

Indicators of Attack (IOAs) and Indicators of Compromise (IOCs) are helpful cybersecurity insights, but IOAs are more effective at detecting fileless malware attacks. IOCs focus on the steps of how an attack will potentially execute, while IOAs look for signs that an attack is currently in progress. 

These signs include code execution, lateral movements, and other actions that appear to cloak their intentions. Solutions that identify IOAs look for events that all types of malware must execute to steal data, not just code changes.

2. Employ Managed Threat Hunting

Threat hunting is time-consuming and labor-intensive, but it’s crucial to discover fileless malware attacks. This is especially true in an age where malware and other cyber threats have risen since the pandemic. It requires the aggregation and normalization of extensive data, which is why many organizations choose a provider that offers managed threat hunting services. 

Well-managed threat hunting services help users prepare for an attack by enabling security teams with effective threat hunting tools and support to reduce the impact of an attack. Managed threat hunting tools enable deep insights and forensics within weeks of implementation.

Combating fileless malware attacks requires a departure from traditional, file-based countermeasures. CylancePROTECT® uses memory defense, script and macro control, and our Context Analysis Engine (CAE) to keep your organization safe. Cylance® AI-driven threat prevention and response solutions protect you from threats, no matter how they operate.