The attack you can’t see: How fileless malware works (and why Emsisoft catches it)

The threat posed by malicious software developed and deployed by cybercriminals has been a fact of life for a long time now, and you probably have antivirus software vigilantly protecting your computers. But what is fileless malware? If there is no file, what does it do, how can it be detected, and how can your computers be protected?

What Is Fileless Malware?

Fileless malware uses attack techniques that operate without writing its contents to disk, which lets it avoid detection by signature-based antivirus tools. It resides directly in memory, often using legitimate system binaries (LOLBins) such as PowerShell and other tools packaged with Windows. For example:

Because these tools are native to the OS and trusted by design, attackers can blend in with normal system activity – leaving little to no evidence behind.

As with anything, there are variations, and some can achieve persistence, for example by storing encoded commands or script loaders inside the Windows Registry, WMI, or Task Scheduler. These mechanisms allow the malware to automatically re-execute an inline script or LOLBin-based loader at startup, without ever dropping a traditional executable file.

How Does Fileless Malware Get In? (Initial Access)

So how does fileless malware get a foothold in a system? Initial access, as the name implies, describes how an unauthorized person is able to get into a computer. The entry point may involve:

  1. Exploiting a browser, document, or application to execute shellcode that loads the payload directly into memory.
  2. Credential stuffing, another common attack technique, involves using stolen username and password combinations, often found in a data breach, to log in to internet-facing systems such as RDP servers. Attackers take advantage of the fact that many people reuse the same credentials across multiple online services, and execute fileless malware once a login succeeds.
  3. Phishing is a type of social engineering where attackers impersonate a trusted source, such as a company or person, to trick the victim into opening a malicious object. This may be an email attachment, a link in an attached Microsoft Word or Excel file, a fake app or update download, and so on.

What Happens Next: Tactics and Techniques

Once a system is successfully breached, a threat actor can proceed with their attack. However, rather than deploying malicious software, they use existing Windows resources to accomplish their goals. These tools are trusted and likely already exist on the system.

The specific gameplan of individual cybercriminals will vary, but the tactics they employ are well understood and documented in the MITRE ATT&CK knowledge base, such as:

Why Fileless Malware Is Hard to Detect

Why take a fileless approach once they gain access to your system? Simply put: to evade detection. An undetected cybercriminal can return over several days or weeks using the same credentials, laying the groundwork to maximize their impact by learning about your systems. If malware were deployed during this time, it would be detected by antivirus software, and files leave forensic evidence. Fileless malware minimizes these artefacts, and evidence of a fileless attack may vanish on reboot or when its process is terminated, leaving no traces. Subsequent activity by a threat actor may not be obviously malicious and can therefore go unnoticed.

How Emsisoft Still Detects Fileless Attacks

As mentioned earlier, the tools used while investigating and preparing a compromised system are the same tools that administrators use on a regular basis, hence the term LOLBin: Living Off the Land Binary. Detection is hampered by the fact that the steps they take are often legitimate commands of these legitimate tools. While challenging, cyber defenses have evolved to detect the use of Windows tools by malicious actors: Endpoint Detection and Response (EDR) tools can look for the tell-tale signs of unauthorized access even before malicious steps are executed. The trick is understanding the context of a specific activity in order to determine whether it should be flagged for further investigation.

Establishing a baseline over time of what constitutes normal activity is a first step towards identifying and responding early in an attack cycle. Rest assured that malicious behavior still reveals itself even when LOLBins are used: if any process tries to mass delete or encrypt files, Emsisoft Behavior Blocker will intervene to stop it.

Closing Thoughts

Fileless malware is designed to avoid traditional detection, but it still leaves behavioral traces that can be identified with the right tools. By focusing on process activity as well as files, organizations can detect misuse of legitimate tools early and reduce the impact of these stealthy attacks.

Luke Connolly

Threat intelligence analyst. Keeps an eye on the dark shadows of the internet so you don’t have to.
